file download (mysql) based on access


TJ111
06-28-2007, 09:50 AM
Note: Pretty confusing post, sorry in advance. I'll try my best to describe it.

I am setting up a file upload/download ability on the internal section of our company's webpage. Employees can upload and download documents specific to certain pages' information. However I want to implement the ability to restrict who has access to certain files (on a mysql database). Here's how it's set up.

1. 6 access levels (0-5) which is stored in session data (5 is the highest).
2. Higher access levels have access to ALL lower level information (not separate, it's a hierarchy)
3. File uploads include who has permission to view and download files (i.e., a management only file would require access levels of 3+). They also include the path to the page the file is going to be downloaded from.

Uploaded data:
$fileName = $_FILES['userfile']['name'];
$tmpName = $_FILES['userfile']['tmp_name'];
$fileSize = $_FILES['userfile']['size'];
$fileType = $_FILES['userfile']['type'];

$description = $_POST['description'];
$url = $_POST['url'];
//url is the PATH to where the file will be displayed, not the actual url
$date = $_POST['date'];
$access = $_POST['access'];
//access is the number 0-5

All in all pretty standard.

Here is where my question is. I'm pretty new to MySQL so I'm not sure how to "SELECT" the items where the access is either AT or ABOVE the required access level. I.e., if I upload a file with an access of 2, people with an access of 3-5 can't see it (they should be able to).

Download:

//variables
$url = $_SERVER['PHP_SELF'];
$access = $_SESSION['level'];

//database connect stuff here

$query = "SELECT id, name, description, date FROM upload WHERE path='$url' AND access='$access' ORDER BY id DESC";


Here's how it's displayed:

<?php //<--not in file just included so colors display right
echo "<ol>";

while(list($id, $name, $description, $date) = mysql_fetch_array($result))
{
?>
<li><a href="/home/file/download.php?id=<?php echo $id;?>"><?php echo $name;?></a><ul><li><?php echo $date;?></li><li><?php echo $description;?></li></ul><br>
<?php
}
echo "</ol>";
}

I want to know what you guys would recommend here. I could include the access level in my query, remove the "AND access=" part from the query, then restrict which files are displayed in the loop function. However I'd really prefer to be able to not allow the files to be accessed in the database at all, and I think just restricting the files displayed would be a security risk. Thanks for reading this all and helping out. Like I said I'm new to the mysql scene.

--T.J.--
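
An added example (not part of the original thread) of enforcing the hierarchy in the query itself: a file is visible when its required level is at or below the viewer's level, and the same test is repeated in the download step because the id in the link can be changed by hand. The column names come from the post's query; PDO, the in-memory SQLite database standing in for MySQL, the sample rows and the function names listFiles and fetchFile are assumptions made for this example.

```php
<?php
// Added example. SQLite in memory stands in for the MySQL database so the
// script runs offline; both SELECT statements are valid on MySQL as written.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE upload (id INTEGER PRIMARY KEY, name TEXT, description TEXT,
           date TEXT, path TEXT, access INTEGER)');

// Constructed sample rows: access is the minimum level required to see the file.
$ins = $db->prepare('INSERT INTO upload (name, description, date, path, access)
                     VALUES (?, ?, ?, ?, ?)');
foreach ([
    ['handbook.pdf', 'All staff',       '2007-06-01', '/home/hr.php', 0],
    ['budget.xls',   'Management only', '2007-06-15', '/home/hr.php', 3],
    ['payroll.xls',  'Top level only',  '2007-06-20', '/home/hr.php', 5],
] as $row) {
    $ins->execute($row);
}

// Listing: a row is visible when its required level is at or below the viewer's.
// Placeholders keep the page path and the level out of the SQL string.
function listFiles(PDO $db, string $path, int $level): array
{
    $stmt = $db->prepare('SELECT id, name, description, date FROM upload
                          WHERE path = :path AND access <= :level ORDER BY id DESC');
    $stmt->execute([':path' => $path, ':level' => $level]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Download: repeat the level check, because the id in the link can be edited.
function fetchFile(PDO $db, int $id, int $level): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM upload WHERE id = :id AND access <= :level');
    $stmt->execute([':id' => $id, ':level' => $level]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Listing for a level-3 session on the constructed page path.
foreach (listFiles($db, '/home/hr.php', 3) as $f) {
    // Escape on output, since names and descriptions come from uploaders.
    echo htmlspecialchars($f['name']), ' (', htmlspecialchars($f['date']), ")\n";
}

// Direct request for the management file (id 2, access 3) at two session levels.
var_dump(fetchFile($db, 2, 2));   // level 2 is below the required 3
var_dump(fetchFile($db, 2, 4));   // level 4 meets the required 3
```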

bluestars
06-28-2007, 11:03 AM
This should be in the SQL forum. :D I'm afraid I don't have anything more helpful than that to add to the conversation.

TJ111
06-28-2007, 11:06 AM
Haha I didn't even think about the SQL forum :confused: . I'll put it there as well.