How to attach a file without the user being able to explore all files?
#1

We have a series of files that are categories & have a system where a user can create an advert, but the only way we can see to attach an advert into the category is by using HTML input type="file". However, that gives the user access to all the folders & files in the computer, where we would prefer to limit the user's access to only files in the Adverts folder & under his/her username. We have tried a few snippets of HTML coding to try such limitation but nothing has worked.

Even if we could get some HTML coding to work we do realize that HTML is frontend, similar to Javascript, & suspect that a clever user could manipulate the HTML coding stored in "his/her own browser" & gain access to whatever is desired. We don't want that.

Is there any PHP backend coding that will restrict a user to say the Adverts folder & under his/her username?
Reply
#2

This may give you some insight to what you want to do.

Implementing PHP File Upload Security
What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009.  ( Skype: insitfx )
Reply
#3

(05-05-2021, 12:09 PM)InsiteFX Wrote: This may give you some insight to what you want to do.

Implementing PHP File Upload Security

Thanks InsiteFX, I've recorded Implementing PHP File Upload Security for a later time in our project.

I now realize I wasn't thinking logically when I wrote the question. I am still in localhost, in which case the website computer & the user computer/device are the same thing, whereas in reality they are different. I'm trying to achieve the user being able to attach an advert file to a category file in the website computer & we don't want the user to have access to any files other than his/her own advert files, from which he/she should be able to select the file/advert of choice. When a user creates an advert it is stored into this type of example folder - Adverts/user/drinks/coke.php - And we only want the user to have access to - Adverts/user/.. - nothing else.

We have categories similar to - Afghanistan/drinks - And would like a user to be able to attach a file/advert into a category file, which would be by the fwrite process sending the selected link such as - Adverts/user/drinks/coke.php

The HTML input type="file" now appears to be for only attaching a file from the user's device to the website computer & not appropriate for our current exercise.

@InsiteFX do you know how I can get a user to attach a file in the website computer to another file in the website computer, & in PHP backend so that the function can not be hacked?
Reply
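
One way to do what post #3 asks, as an added example that is not code from the thread or from CodeIgniter: the server lists only the files under Adverts/<username>/ and re-checks the submitted choice with realpath() before appending the link to the category file. The Categories directory, the function names and the session key are assumptions.

```php
<?php
declare(strict_types=1);
// Assumed layout: Adverts/<username>/<section>/<advert>.php and Categories/<country>/<section>.php
const ADVERTS_ROOT  = __DIR__ . '/Adverts';
const CATEGORY_ROOT = __DIR__ . '/Categories';

/** Real path of $relative under $base, or null if it is missing or escapes $base. */
function resolveInside(string $base, string $relative): ?string
{
    $baseReal = realpath($base);
    $target   = realpath($base . DIRECTORY_SEPARATOR . $relative);
    if ($baseReal === false || $target === false) {
        return null;
    }
    // Trailing separator so that "Adverts/bob" never matches "Adverts/bobby".
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

/** The user's own adverts, as paths relative to Adverts/<username>/, for the pick list. */
function listUserAdverts(string $username): array
{
    $userDir = resolveInside(ADVERTS_ROOT, $username);
    if ($userDir === null || !is_dir($userDir)) {
        return [];
    }
    $found = [];
    $flags = FilesystemIterator::SKIP_DOTS;
    foreach (new RecursiveIteratorIterator(new RecursiveDirectoryIterator($userDir, $flags)) as $file) {
        if ($file->isFile()) {
            $found[] = substr($file->getPathname(), strlen($userDir) + 1);
        }
    }
    return $found;
}

/** Append a link to one of the user's own adverts to a category file. */
function attachAdvert(string $username, string $choice, string $category): bool
{
    $advert  = resolveInside(ADVERTS_ROOT . DIRECTORY_SEPARATOR . $username, $choice);
    $catFile = resolveInside(CATEGORY_ROOT, $category);
    if ($advert === null || $catFile === null || !is_file($advert) || !is_file($catFile)) {
        return false;   // not this user's advert, or not an existing category file
    }
    // Write the canonical path, not the submitted string.
    $link = 'Adverts/' . str_replace('\\', '/', substr($advert, strlen(realpath(ADVERTS_ROOT)) + 1));
    return file_put_contents($catFile, $link . PHP_EOL, FILE_APPEND | LOCK_EX) !== false;
}
// Usage (username from the server-side session, never from the form):
// attachAdvert($_SESSION['username'], $_POST['advert'], $_POST['category']);
```

The pick list built from listUserAdverts() is only a convenience; the check inside attachAdvert() is what enforces the restriction, because the submitted value can be edited in the browser.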
#4

(05-05-2021, 12:09 PM)InsiteFX Wrote: This may give you some insight to what you want to do.

Implementing PHP File Upload Security

I can get the following to work & I would like to be able to copy the bottom link & then have it pasted into a text box within the category file, but I don't know how to do that. Do you know how?

PHP Code:
http://localhost/adverts/$user/drink/drinklinks
<button><a href="/adverts/$user/drink/link/coke">Coke</a></button><br>
<button><a href="/adverts/$user/drink/link/lime">Lime</a></button><br>
<button><a href="/adverts/$user/drink/link/orange">Orange</a></button><br>

http://localhost/adverts/$user/drink/link/coke
<button><a href="/adverts/$user/drink/link/coke">Coke</a></button>
Reply
#5

Hi.

It is a simple question but with many details. I'll tell you what I would do:

First I would create a table in the db with the categories (id_category, name_category, active ...).

Second, a table categories_users (permission_id, user_id) that would store which categories a user has access to.

Third, in the registration form for the advert I would list the categories in which the user has access (through a query). Perhaps using javascript (jstree) to display the categories as a tree view.

Fourth, about the folders. The user's folder could be created at the time of user registration for example with his id as a name (or hash). Considering that this value is unique.

So at the time of sending, the system would store the file in the "uploads/$current_userid" folder. It would be ideal to store these ads in the database as well (id_advert, name_advert, file_hash, created_by ....).

It is a way of doing.
Reply
#6

(05-07-2021, 02:06 PM)kleber Wrote: Hi.

It is a simple question but with many details. I'll tell you what I would do:

First I would create a table in the db with the categories (id_category, name_category, active ...).

Second, a table categories_users (permission_id, user_id) that would store which categories a user has access to.

Third, in the registration form for the advert I would list the categories in which the user has access (through a query). Perhaps using javascript (jstree) to display the categories as a tree view.

Fourth, about the folders. The user's folder could be created at the time of user registration for example with his id as a name (or hash). Considering that this value is unique.

So at the time of sending, the system would store the file in the "uploads/$current_userid" folder. It would be ideal to store these ads in the database as well (id_advert, name_advert, file_hash, created_by ....).

It is a way of doing.

Thanks @kleber for your input. We haven't yet ruled out doing it your way, in part or in whole, but our first endeavor is to keep our operation simple & we find working with a db departs from that endeavor. We are trying to create a website where things are easy to find & hence we have thousands of categories, in each of the 230+ countries, & consider putting that number into a db would be an impossibility. Further, we don't want to restrict users to a country and/or to a category that they wish to choose. Our system provides every username as unique, which simplifies matters somewhat.

Hopefully, there may be someone who has a simple idea on how we can achieve our goal.
Reply
#7

You could move the files to a temp folder, attach them, then move them to the correct folder. Worth a try.
Reply
#8

(05-08-2021, 12:18 PM)InsiteFX Wrote: You could move the files to a temp folder, attach them, then move them to the correct folder. Worth a try.

Yes, certainly worth a try. But I don't know how to do that. Do you have any code to start me on?
Reply
#9

I'll see what I can do in the morning; it's 11:30 pm here.
Reply
#10

(05-08-2021, 08:36 PM)InsiteFX Wrote: I'll see what I can do in the morning; it's 11:30 pm here.

It's just gone midday here in Phil but I'm a night worker.
Reply