Re: [markr] archive of pdf uploads safe from bots
Hi Markr,
>can cmsb upload to a non-public area of the server?
Yes, you can set custom upload dirs in the fields editor for upload fields.
We've dealt with document security a number of times and there are a few common issues that come up.
- Bot Security, Generally bots won't find your upload directory unless it's linked from somewhere, and if they do it's not usually a problem if it doesn't list all the files (a blank index.html/php will hide directory listings). It's true they could guess at filenames, but this is as secure as passwords which can also be guessed. Assuming a-z is 26 chars, plus 0-9 is another 10, each filename char has 36 possibilities, so a 3 char filename could take over 46 thousand guesses (36*36*36). It's usually not a problem unless your filenames follow a pattern, eg: 1001.pdf, 1002.pdf or if they match something else on your site (product SKUs, etc).
- User Security, the next concern is limiting download links to logged in users, since once someone has the link they could just share it and anyone could access it. The easiest way to do this is to create a custom wrapper script that requires users to be logged in and displays the PDF. A link such as memberPdfDownload.php?table=products&num=123 could let them download the PDF, but only if they were logged in so sending that link to others wouldn't help.
- Home PC Security, of course, nothing prevents a user from saving the file to their computer and emailing it around as an attachment. And even complicated systems that don't let a user download a file are still susceptible to someone taking a picture of their screen with their camera. Basically, there's no way to prevent a user from copying the data once they have it, just lots of ways of making it more difficult.
Hope that helps, let me know any questions. Thanks!
Dave Edis - Senior Developer
interactivetools.com
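
The wrapper script described in the post above (memberPdfDownload.php?table=products&num=123), as an added example that is not part of the original post and is not CMS Builder's own code. The session key `user_id`, the private upload path, and the `lookupPdfFilename()` helper with its constructed record are assumptions for illustration.

```php
<?php
// memberPdfDownload.php?table=products&num=123  (added example, not CMS Builder code)
// Assumptions: the login page sets $_SESSION['user_id']; PDFs are stored outside the
// web root; lookupPdfFilename() is a hypothetical stand-in for the real record lookup.
declare(strict_types=1);

const PRIVATE_UPLOAD_DIR = '/var/www/private_uploads'; // assumed path, not web-accessible
const ALLOWED_TABLES     = ['products'];               // tables allowed to serve PDFs

// Hypothetical lookup: a constructed map stands in for the CMS upload records.
function lookupPdfFilename(string $table, int $num): ?string {
    $constructed = ['products' => [123 => 'k7q2x9-datasheet.pdf']];
    return $constructed[$table][$num] ?? null;
}

// Validate the query and return an absolute path inside the private dir, or null.
function resolvePdfPath(array $query): ?string {
    $table = $query['table'] ?? '';
    $num   = $query['num'] ?? '';
    if (!is_string($table) || !in_array($table, ALLOWED_TABLES, true)) return null;
    if (!is_string($num) || !ctype_digit($num)) return null;
    $name = lookupPdfFilename($table, (int)$num);
    if ($name === null) return null;
    // basename() drops any directory part; realpath() resolves symlinks and "..".
    $base = realpath(PRIVATE_UPLOAD_DIR);
    $path = realpath(PRIVATE_UPLOAD_DIR . '/' . basename($name));
    if ($base === false || $path === false) return null;
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) return null;
    return $path;
}

session_start();
if (empty($_SESSION['user_id'])) {   // not logged in: a forwarded link does nothing
    http_response_code(403);
    exit('Login required.');
}
$path = resolvePdfPath($_GET);
if ($path === null) {                // same response for bad input and missing file
    http_response_code(404);
    exit('Not found.');
}
header('Content-Type: application/pdf');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string)filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store'); // keep member files out of shared caches
readfile($path);
```

The client never supplies a filename, only a table and record number, so the stored name stays hidden and cannot be guessed or traversed through this script.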