Snitz Forums 2000
 Looking for a more secure postings file attach
Largo
Starting Member

Greece
16 Posts

Posted - 16 March 2005 :  20:08:13
Hi.

I'm looking for a simple but secure way to be able to upload (attach) files to forum postings. The mods I have seen so far are ok but not secure enough, since if you know the path and the file name, you can download the attachments.

Is there any mod/way to be more secure? Not insane, just a little bit.

Thanks

Costas

TStewartFan
Junior Member

190 Posts

Posted - 17 March 2005 :  05:55:11
If they are not up to par then why not improve them? Everyone has a critique but not a solution? Theoretically speaking....if I knew the path to your database I could download it as well. However since I have the option of right clicking an image on ANY WEBSITE or just running the Source Code it will become increasingly more difficult to hide its location. The simplest solution would be to incorporate the disable right click function within your website...this would eliminate at least half of the folks that are unaware of the run source code command. Pick a site and I will download its image....this has nothing to do with the add attachment being less secure...but rather limitations set upon the folks writing to the w3c standards. But back to the question at hand....if you feel the code is "ok" and "not secure enough" then why not share your brain power and grow our mod base a bit? I share everything I create (which ain't much because I am nothing more than a construction worker) but at least I play the part of expanding rather than collapsing. Thank you come again...heh That movie rocks!

If You Have to Ask, You Wouldn't Understand.

Largo
Starting Member

Greece
16 Posts

Posted - 17 March 2005 :  10:04:08
quote:
Originally posted by TStewartFan

If they are not up to par then why not improve them? Everyone has a critique but not a solution? Theoretically speaking....if I knew the path to your database I could download it as well. However since I have the option of right clicking an image on ANY WEBSITE or just running the Source Code it will become increasingly more difficult to hide its location. The simplest solution would be to incorporate the disable right click function within your website...this would eliminate at least half of the folks that are unaware of the run source code command. Pick a site and I will download its image....this has nothing to do with the add attachment being less secure...but rather limitations set upon the folks writing to the w3c standards. But back to the question at hand....if you feel the code is "ok" and "not secure enough" then why not share your brain power and grow our mod base a bit? I share everything I create (which ain't much because I am nothing more than a construction worker) but at least I play the part of expanding rather than collapsing.


Never said the code I found (2 mods) is not secure. I said it is not secure FOR MY NEEDS. So I ask here if such a mod exists, maybe for example the File Library mod?

I'm not a programmer, so I can't possibly add code. But if I was, I would have no problem sharing. So hold your horses please.

About the problem, what could be done is that the files were not located in each user name directory, and the download link was somehow scrambled. I dunno if this is secure. A programmer would know.

Thanks

Costas

HuwR
Forum Admin

United Kingdom
20584 Posts

Posted - 17 March 2005 :  11:39:14
if the file is downloadable from your website then it can never be secure, if it was then people wouldn't be able to download it at all

Largo
Starting Member

Greece
16 Posts

Posted - 17 March 2005 :  12:46:15
quote:
Originally posted by HuwR

if the file is downloadable from your website then it can never be secure, if it was then people wouldn't be able to download it at all



Agreed. But for example, let's say a software company wants to distribute updates via the forums, to registered paying customers. Are you saying that there is no possible way?

Costas

-gary
Development Team Member

406 Posts

Posted - 17 March 2005 :  13:35:39
I've never adapted the code below into a mod, but you can use it to roll your own. It reads a file from anywhere in the filesystem that IIS has access to read and writes it directly to the browser. The file does not have to be in the public path to be displayed.

The problem is that you will need IIS to have the ability to read and write a non-public directory and access to the filesystem object which most hosts don't like to give. The Response.BinaryWrite method is also very inefficient and sucks way more cycles than just linking to a file.

You can embed this in an attachment script using some additional code to link the image. The discussion about selecting attachment code from a post is here. http://forum.snitz.com/forum/topic.asp?ARCHIVE=true&TOPIC_ID=54891

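<!-- METADATA TYPE="typelib" UUID="00000205-0000-0010-8000-00AA006D2EA4" NAME="ADODB Type Library" -->
<%
' path_to_file is a placeholder: set it to the full path of the file to send.
' The METADATA line above imports the ADODB constants (adTypeBinary).
Response.Buffer = False
Dim objStream
Set objStream = Server.CreateObject("ADODB.Stream")
objStream.Type = adTypeBinary
objStream.Open
objStream.LoadFromFile path_to_file
' filename.ext and image/mime_type are placeholders for the real name and type.
Response.AddHeader "Content-Disposition", "attachment; filename=filename.ext"
' Take the length from the loaded stream instead of a separate size_of_file value.
Response.AddHeader "Content-Length", objStream.Size
Response.ContentType = "image/mime_type"
Response.Charset = "UTF-8"
Response.BinaryWrite objStream.Read
objStream.Close
Set objStream = Nothing
%>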

KawiForums.com



HuwR
Forum Admin

United Kingdom
20584 Posts

Posted - 17 March 2005 :  18:18:54
quote:
Originally posted by Largo

quote:
Originally posted by HuwR

if the file is downloadable from your website then it can never be secure, if it was then people wouldn't be able to download it at all



Agreed. But for example, let's say a software company wants to distribute updates via the forums, to registered paying customers. Are you saying that there is no possible way?

Costas


No, I'm not saying there is no possible way, but you will have to rewrite the mods as they are not designed that way, as they upload to a directory inside your web root so are publicly accessible. It would not be difficult to change, but you would need a writable directory outside your web root for which you know the correct path, as in gary's suggestion. You may already have one if your db is in a writable folder outside the root (one would hope it is). You could use that as your file upload directory, then use gary's code to do the download.
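The approach from the two posts above (files kept outside the web root, sent only through a script), sketched as a download page that checks the login first. This is an added example, not code from the thread or from any Snitz mod; Session("member_id"), the STORE_DIR path and the sample id-to-file mapping are assumptions made for illustration.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
Response.Buffer = False
Const STORE_DIR = "D:\forumdata\attachments\"  ' assumed folder outside the web root
Const CHUNK = 65536
Const adTypeBinary = 1

Sub Deny(code, msg)
    Response.Status = code
    Response.Write msg
    Response.End
End Sub

' Hypothetical login marker; a real mod would use the forum's own member check.
If IsEmpty(Session("member_id")) Then Deny "403 Forbidden", "Login required"

' The client sends only a numeric id, never a path or a file name.
Dim id, re
id = Request.QueryString("id")
Set re = New RegExp : re.Pattern = "^\d{1,9}$"
If Not re.Test(id) Then Deny "400 Bad Request", "Bad id"

' Constructed sample mapping; in a mod this lookup would come from the forum database.
Dim files : Set files = Server.CreateObject("Scripting.Dictionary")
files.Add "1", "update-1.2.zip"
If Not files.Exists(id) Then Deny "404 Not Found", "No such attachment"

Dim fso, fullPath
Set fso = Server.CreateObject("Scripting.FileSystemObject")
fullPath = fso.GetAbsolutePathName(STORE_DIR & files(id))
' Defence in depth: the resolved path must still be inside STORE_DIR.
If LCase(Left(fullPath, Len(STORE_DIR))) <> LCase(STORE_DIR) Or Not fso.FileExists(fullPath) Then
    Deny "404 Not Found", "No such attachment"
End If

Dim stm : Set stm = Server.CreateObject("ADODB.Stream")
stm.Type = adTypeBinary
stm.Open
stm.LoadFromFile fullPath
Response.ContentType = "application/octet-stream"
Response.AddHeader "Content-Disposition", "attachment; filename=""" & fso.GetFileName(fullPath) & """"
Response.AddHeader "Content-Length", CStr(stm.Size)
' Send in chunks so a large file is not pushed through a single BinaryWrite call.
Do While Not stm.EOS And Response.IsClientConnected
    Response.BinaryWrite stm.Read(CHUNK)
Loop
stm.Close
%>
```

Because the link carries only an id and the file sits outside the web root, knowing the path and file name is no longer enough to fetch an attachment.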

Largo
Starting Member

Greece
16 Posts

Posted - 17 March 2005 :  18:25:37

quote:

No, I'm not saying there is no possible way, but you will have to rewrite the mods as they are not designed that way, as they upload to a directory inside your web root so are publicly accessible. It would not be difficult to change, but you would need a writable directory outside your web root for which you know the correct path, as in gary's suggestion. You may already have one if your db is in a writable folder outside the root (one would hope it is). You could use that as your file upload directory, then use gary's code to do the download.



Good idea. Maybe using the DB directory that is accessible to IIS but not ANY user. There we put all the dbf files. I will do some tests, THANKS so much.

Costas