May 4th, 2011, 10:39 PM
Gotcha.
Yeah, the first thing I did was place an index.html file in the uploads folder. I was going to change the name of the folder, but I wanted to make sure that it wouldn't screw anything up.. and make sure that I knew exactly where and how many times I had to make that change on the back end.
Unfortunately I don't think I can move that folder below the webroot because then the users who log in won't be able to view the photos in the table display.. or when they edit or view the entries. (I'd be happy to explain exactly what I'm trying to accomplish with this tool if you want to PM me).
Again - thanks for all your help!
Alex
(May 3rd, 2011, 8:16 PM)Ben Wrote: Hey all,
2.1.0 (the current available version) contains an index.html in that folder. All that that does is prevent the browser from displaying the contents of the folder. It's low-fi, but it solves the immediate problem.
Alex, using .htaccess is definitely better from a security point of view, but like you said, it would require users to be perpetually entering their login credentials - plus you'd need to go through the legwork of setting up the actual permissions. It all depends on your situation and your judgment. If the content being uploaded is very sensitive, then yes - password-protecting the whole folder with .htaccess would make sense. Also, you might want to consider using a custom upload folder which would be harder for a hacker to guess (e.g. /uploads59115 or something random).
The other possibility (depending on how security-conscious you feel you need to be) is to specify an upload folder that's above the actual webroot. This will break any links to the files in the user interface (since they won't be accessible via an http:// location), but the files will still be properly uploaded to the server. No one without server permissions would be able to access the files.
- Ben
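
The trade-off discussed in this thread (an upload folder outside the webroot protects the files but breaks the photo links for logged-in users) can be bridged with a small gatekeeper script that checks the session and then streams the file. This is an added example, not Form Tools code and not written by either poster; the directory path, the `file` query parameter and the `logged_in` session flag are assumptions.

```php
<?php
declare(strict_types=1);

// Assumptions (not Form Tools names): the private directory, the "file"
// query parameter, and the "logged_in" session flag set by the login code.
const UPLOAD_DIR = '/var/www/private_uploads';
const ALLOWED_TYPES = [
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'png' => 'image/png',  'gif'  => 'image/gif',
];

/** Return [real path, content type] for a servable upload, or null. */
function resolve_upload(string $baseDir, string $requested): ?array
{
    // basename() drops any directory part, so "../" sequences cannot climb out.
    $name = basename($requested);
    $type = ALLOWED_TYPES[strtolower(pathinfo($name, PATHINFO_EXTENSION))] ?? null;
    if ($name === '' || $type === null) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // realpath() follows symlinks; refuse anything that resolves elsewhere.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return [$path, $type];
}

session_start();
if (empty($_SESSION['logged_in'])) {
    http_response_code(403);
    exit('Login required');
}
$file = $_GET['file'] ?? '';
$hit = is_string($file) ? resolve_upload(UPLOAD_DIR, $file) : null;
if ($hit === null) {
    http_response_code(404);
    exit('Not found');
}
[$path, $type] = $hit;
header('Content-Type: ' . $type);
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . filesize($path));
readfile($path);
```

Image tags in the table display would then point at this script (for example `view_upload.php?file=photo.jpg`, a hypothetical name) instead of at the folder URL.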