I would suggest uploading PDF files with a normal file upload and saving the file references in the DB, not the files themselves.
You would have a database which contains file locations to generate dynamic links.
You can either put the files in a subdirectory in your webroot, or refer to the files directly with URLs, or put them outside of the webroot and push the required files with cfcontent etc.
My opinion is to keep the files outside of the webroot and create a virtual directory for downloading the files.
I would enable the PDFs to be uploaded to a directory outside the webroot. Only logged in users will be allowed to download them.
Just out of curiosity... what are the reasons for storing the files outside the webroot using a virtual dir?
While you are storing the files outside of the webroot it will be secure.
Without using a virtual directory, users cannot access this file path directly.
The attached code seems to hide the document URL upon download even when it is located inside the webroot. I don't know if this will keep users out altogether but it is a good start.
I got this info from JR "Bob" Dobbs over in this post.
Inserting a Filename into a BLOB
But if you have the virtual directory set up, can't they be accessed through that?
I have limited experience with this, which is why I am asking...
Say I have a virtual directory in my webroot called documents, which is where I am going to store PDFs.
My webroot is : C:\inetput\wwwroot\mydomain.com\
My Virtual Dir is C:\StoredDocs
I understand that the files are not stored in the webroot, but can't they still be accessed via www.mydomain.com/documents ?
I wish I had that answer as well. I'm new enough to CF that I don't know. In addition, my application is going to be running on a shared server and I don't get access to anything outside my webroot.
One thing I plan on trying, and maybe you advanced coders can provide some insight here, is storing the doc folder in a subdirectory that is protected by an Application.cfm requiring a login.
Anyone out there see a bug with this type of approach?
Storing documents outside the web root and using <cfcontent> to push their contents to the users is the most secure method.
Putting the documents in a subdirectory of the web root and securing that directory with an Application.cfm will only protect .cfm and .cfc files (as that's the only time that CF is involved in the request). That is, unless you configure CF to handle every request.
The virtual directory is no safer than putting the documents in a subdirectory. The links to your documents are still going to look like: http://www.mysite.com/virtualdirectory/myfile.pdf
Users won't need to log in to access these documents.
<cfcontent> or configuring CF to handle every request is the only way to ensure users have to log in before accessing non-CF files. Unless you want to use web-server authentication.
Originally posted by: Kronin555
<cfcontent> or configuring CF to handle every request is the only way to ensure users have to log in before accessing non-CF files. Unless you want to use web-server authentication.
So, say the files were in C:\Documents\ and my file name was stored in a database... I would include the file by using:
<cfcontent file="C:\Documents\#file.filename#" .... />
This will just make it so I can display the document within my page, correct? Or can I make a link that when clicked the file can be downloaded?
So, my method of using <cfcontent> shown in the previous code will help throw someone off the trail even though the docs are stored within the root?
What does a person do when they're using a shared server at a place like hostmysite and need to get docs into a folder outside the root for further protection?
Thank you Kronin555 for jumping in on this post.
If you have control over IIS you can make sure that there is no directory browsing allowed AND create a default page inside the directory where the PDFs are stored. That way if somebody tries to surf to a PDF directly, they will get snagged by the default page and handled.
But how would they come to know the virtual directory name? Only the developer and the server people know the virtual directory name.
While uploading we are giving a path like this "c:\uploadedfiles\"
Only we use the virtual directory to download the uploaded files.
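The <cfcontent> approach recommended in the thread, written out as a download page. This is an added example, not code from any poster: session.loggedIn, the "docsDSN" datasource, the documents table (id, filename) and login.cfm are assumptions, and session management is assumed to be enabled in Application.cfm. C:\Documents\ is the folder outside the webroot mentioned above.

```cfml
<!--- download.cfm: added example. session.loggedIn, "docsDSN", the documents
      table and login.cfm are assumed names, not taken from the thread. --->
<cfset storageDir = "C:\Documents\">  <!--- folder outside the webroot --->

<!--- 1. CF handles this request, so the login check runs before any
         byte of the PDF is sent. --->
<cfif NOT structKeyExists(session, "loggedIn") OR NOT session.loggedIn>
    <cflocation url="login.cfm" addtoken="no">
</cfif>

<!--- 2. The link carries only a numeric id (download.cfm?id=42), never a path. --->
<cfparam name="url.id" default="0">
<cfif NOT isValid("integer", url.id)>
    <cfheader statuscode="400">
    <cfabort>
</cfif>

<cfquery name="doc" datasource="docsDSN">
    SELECT filename
    FROM documents
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- 3. Keep only the file-name part of the stored value, so a bad row
         containing directory components cannot point outside storageDir. --->
<cfset safeName = "">
<cfif doc.recordCount EQ 1>
    <cfset safeName = getFileFromPath(doc.filename)>
</cfif>

<cfif safeName EQ ""
      OR lCase(listLast(safeName, ".")) NEQ "pdf"
      OR NOT fileExists(storageDir & safeName)>
    <cfheader statuscode="404">
    <cfabort>
</cfif>

<!--- 4. "attachment" makes the browser offer a download when the link is
         clicked; "inline" would display the PDF in the browser instead. --->
<cfheader name="Content-Disposition" value='attachment; filename="#safeName#"'>
<cfcontent type="application/pdf" file="#storageDir##safeName#" deletefile="no">
```

Pages then link to download.cfm?id=... rather than to the PDF itself, so the real file location never appears in a URL.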