Need help implementing safe method

[yaMz]

I am trying to implement what I call private uploads. Basically, users can check a box to indicate they want their file "private"

 

If so, the upload location is then (exampled as): _domain_/private-folder/$randomfolder

 

Upon uploading their file, the random folder is created, their file moved to the directory, the upload information stored to the database, .htaccess file is created like so:

 

 

info to add to new .htaccess:

<files "*.*">
Deny from All
</files>

<files "*.*">
Allow from 
$domains
</files>

 

the string $domains is the domains they enter each seperated by a new line in a form textarea.

 

The problem - how can I make sure this is safe. i.e. I want the string to be obviously proofed with php so that no matter what they input, only domains will be outputted.

 

I don't need code written for me (maybe), I'm just unsure of the necessary methods I should use.

 

[BlueSkyIS]

i would check the domain name against a regular expression, and perhaps also do a whois, host, or some other methods of (mostly) verifying domain existence.

[yaMz]

The existence doesn't bother me. Anyways I'm a bit rusty - If you will, what specific set of expressions should I run on the string to ensure they wont add .htaccess lines of their own? A non-by-passable expression set is what I'm finding difficult to create.

[BlueSkyIS]

thinking about it further, i wouldn't mess with .htaccess at all. i would use a database to store the location of the file in some kind of encoded directory structure and/or within directories that are not public-accessible. that is not so simple, so maybe someone else has a simpler solution.

[yaMz]

How then would I allow their file to be executed from only their domain, and not viewable otherwise. i.e.

 

file: _domain/encoded_directory/myfile.js

 

 

[yaMz]

Bah.

[the182guy]

I would do this by having a single folder to store all of the private uploads, with a htaccess in it that says deny access to all files for everyone.

 

When the private files are uploaded through a form, store the files in the private folder and store a recrod in a mysql table with the filename.

 

Next I would have a PHP script that determines whether or not a user is allowed to download one of the private files. If they are allowed then use readfile() to output the file to the user. I would also need to send the correct header() for whatever type of file it is.

 

That way you can write PHP code to determine if the user is allowed to access the file requested, and the location of the private files will never be shown to any users, even if someone knew the location, they won't get direct access because of the htaccess rule.