FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » Nested PHP
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: Nested PHP [message #184853 is a reply to message #184850] Tue, 11 February 2014 15:10 Go to previous messageGo to previous message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma:
Senior Member
On 2/11/2014 9:31 AM, Adrian Tuddenham wrote:
> Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:
>
> [...]
>> My main question here would be - what are you trying to accomplish by
>> having files encrypted on your server. Since the decryption code is
>> right in plain sight, encrypting the files adds no security. If they
>> can get to your raw files, they can get to your decryption code.
>
> I'm not trying to produce a high-security system, just something which
> deters the casual user from downloading PDFs that members of the group
> have paid their membership fee to receive. I doubt if anyone wants to
> go to all the trouble of decrypting a PDF file in order to avoid paying
> £7.50
>

First of all, you don't need to go to all the trouble of encrypting a
pdf to make it unavailable to the casual user. Just place the file
outside of your document_root hierarchy and download it with PHP.

Second, it's still no security. Once someone has the pdf, they can make
and send all the copies they want.

> I am a bit worried by your statement that the decryption code is in
> plain sight, how can that be protected better than it already is? The
> filename in the GET of the link url is also encrypted (very crudely) so,
> although it is in plain view, it wouldn't lead the hacker directly to
> the encrypted PDF file.
>

That's correct. Anyone who can access your source files can see the
decryption code.

What you have is security by obfuscation - which is only the illusion of
security. And you're going to a whole lot of unnecessary work to get it.

>>
>> And in any case, the decrypted page (along with images, etc.) is
>> available at the browser just as soon as someone requests it.
>
> That 'someone' would have to be a member and they could equally well
> send their password to a friend. There is a download log which should
> alert me if something untoward is happening through the password system.
>

But if they send the file to their pals (or post it on another website),
you would never know.

>
>> I think your whole approach needs rethinking.
>
> I agree it isn't suitable for a high security website, it is just making
> the best of a "Topsy".
>
>

It's not even suitable for a low security website.

--
==================
Remove the "x" from my email address
Jerry Stuckle
jstucklex(at)attglobal(dot)net
==================
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: Filling an array with random input doesn't quite work
Next Topic: string length
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Wed Nov 27 20:08:05 GMT 2024

Total time taken to generate the page: 0.04828 seconds