in reply to Re: Re: Non-Duplicate File Names, Security, and Self Cleaning
in thread Non-Duplicate File Names, Security, and Self Cleaning
> I thought letting users delete the file themselves could make for some big security holes
It depends on how you do it. Each user should be able to delete just her own files. So if you make up some rally good random name this shouldn't be a problem. Just remember that your script should not allow any character in filenames to delete other than those characters you use in your generated filenames. Espacially no "/"!
> and there are also lazy users out there
That's why I said you should do it if you take the 10-minute-than-delete-way. So user can be gentle and delete the file after they used it.
While I write it: Why don't you simply store the indices of the selected pictures in a cookie? If you don't have to many pictures this shouldn't be a problem. You could even save some space if you use a vec-tor to store which pics are choosen. When the user clicks on "download" the ZIP will be generated "on the fly" and will never appear in any direcory on the server.
Just some more opportunities for you to learn from ;-)
|
|---|
| Replies are listed 'Best First'. | |
|---|---|
|
Re^4: Non-Duplicate File Names, Security, and Self Cleaning
by Petras (Friar) on Jun 12, 2003 at 01:11 UTC |