kellydigital asked:

Protect Files on Web Portal

I am building a portal using PHP and MySQL.

I have a number of files that users can download.  I store them in a directory called /testdownloads

Let's use the following file as an example: resume.doc

Users log onto the portal using login information stored in the database.  I keep track of users using PHP sessions.  I have a page called downloadfiles.php which shows a list of all possible files available to authorized users.

Right now if someone types in their browser: www.mysite.com/testdownloads/resume.doc
the file begins to download without any kind of verification that they have logged into the portal.

Should I use PHP to hide the folder name that my documents are stored in?  Should I use .htaccess to prevent unauthorized visits?  

Please help
ivanmata:

The fastest way you can protect your files is configuring your web server so your download directory can be accessed only by typing username and password...
kellydigital (ASKER):

I know... it is so good and so easy... with .htaccess and .htpasswd

but I would prefer a way in which they wouldn't have to log in twice.


well

Another way is not letting the users know your directory's name, so they can't type it in their browsers...

instead of having a link to your file like:

<a href="testdownloads/resume.doc">

try:

<a href="download.php?file=resume.doc">

and your download.php grants access only to those who have signed in...

once your script has detected that the user is logged in, it'll redirect to the file to download:

header("Location: testdownloads/resume.doc");

and the user didn't see the full URL, so he/she couldn't type it in his/her browser...
I tried that as well...

it works okay for some users...

but for others they have to hit the open button a minimum of 2 times, sometimes 3 times, on the open/save dialog box. ... and it is even more tricky for someone to save it... because they have to hit open on the first dialog box then save on the second. Otherwise they save a copy of download.php.


Yeah... I have gone through that before...

you may associate each file with a number, or drop the extension (if all of your files have the same one, which I don't think they do)...
instead of having the link like:

<a href="download.php?file=resume.doc">

try

<a href="download.php?file=resume">

or

<a href="download.php?file=1">

Now, your PHP code on download.php should identify which file the user is trying to download...
If you don't want your users to get at the files, I'd say move them into a directory that is not accessible through the internet. So if your document root is /web, make a directory /resume (or whatever you want). And serve up these pages using fpassthru and set the headers appropriately. So...

$filename = "resume.doc";
$path = "/resume/" . $filename;   // directory outside the /web document root, as described above
$fp = fopen($path, "r");

if ($fp)
{
    $file_size = filesize($path);   // size needed for the Content-Length header
    // one header() call per header: current PHP rejects newlines inside a single header() string
    header("Content-Type: application/octet-stream");
    header("Content-Disposition: attachment; filename=\"$filename\"");
    header("Content-Length: $file_size");
    header("Connection: close");
    fpassthru($fp);
    exit;
}

Didn't test this but barring any typos it should work.

Hope that helps.
Sorry, forgot to define the $file_size variable; you can get that by using the stat function.
Also, for security, you can md5 encrypt the filename and pass that with the URL, and if the decrypt fails you know the user was messing with the URL.

So...

$file = "resume.doc";

<A HREF="download.php?file=<?= $file ?>&key=<?= md5($file) ?>">

and on the download.php page

if ($_REQUEST['key'] != md5($_REQUEST['file']))
{
    print "Hey, sucka got out of here!<BR>\n";
    exit;   // stop here so the download code below does not run
}

Again didn't test this, but should work out.
Sorry, forgot a close ")"

if ($_REQUEST['key'] != md5($_REQUEST['file']))
{
   print "Hey, sucka got out of here!<BR>\n";
   exit;   // stop here so the download code below does not run
}
Here's a quick 'n' downright effective file "push". Could use some $REQUEST_URI testing to make sure the downloading person came from your site, though.

<a href="download.php?filename=somefilename.zip.doc.tr.whatever">file</a>
--------------------------------download.php---------------------
<?php
// read the name from the request (register_globals is off); basename() keeps the request inside the download directory
$filename = isset($_GET['filename']) ? basename($_GET['filename']) : '';
if($filename !== ''){
if(file_exists("ufo/$filename")){
  $size = filesize("ufo/$filename");   // double quotes so $filename is interpolated
  header("Content-Type: application/octet-stream");
  header("Content-Length: ".$size );
  header("Content-Disposition: attachment; filename=\"".$filename."\"" );
  header("Content-Transfer-Encoding: binary");
  $fh = fopen("ufo/$filename", "rb");
  fpassthru($fh);
  fclose($fh);
  exit;   // stop here so nothing else is appended to the file

}else{

echo "No file selected";

}
}else{
echo "<h1>Use the proper file selection method or get lost!</h1>";
}

?>
Oh, change ufo to testdownloads ... :)
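Pulling the thread's suggestions together (ivanmata's numeric file id instead of a name, the fpassthru-from-outside-the-docroot approach, the key passed in the URL, and the last poster's file push), here is an added example of a complete download.php. It is not code from any poster in this thread. It assumes the files were moved to /var/www/private_downloads (outside the document root), that the login code sets $_SESSION['user_id'], that the $files array stands in for the MySQL file table, and that SIGNING_SECRET would really come from server configuration; download_link() and sign_download_id() are helpers named here for the example. The id is signed with a keyed HMAC rather than a bare md5() of the name, because anyone who knows a file name can compute its md5 themselves, while the HMAC cannot be produced without the server's secret.

```php
<?php
// Added example, not from the thread. download.php: serves files only to a
// logged-in session, by server-side id lookup, from a directory outside the
// web root, with a keyed signature on the id.
session_start();

// 1. Require a logged-in portal session (the session key is an assumption).
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Please log in to the portal first.');
}

// 2. Server-side map from an opaque id to a real file name, so the client never
//    supplies a path. Constructed stand-in for the MySQL table.
const DOWNLOAD_DIR = '/var/www/private_downloads';   // assumption: outside docroot
$files = [
    1 => 'resume.doc',
    2 => 'brochure.pdf',
];

// 3. Keyed signature over the id. Placeholder secret; load the real one from
//    configuration, never from the page source.
const SIGNING_SECRET = 'change-me-to-a-long-random-secret';

function sign_download_id(int $id): string {
    return hash_hmac('sha256', (string)$id, SIGNING_SECRET);
}

// Helper for downloadfiles.php: build the signed link for one file id.
function download_link(int $id): string {
    return 'download.php?id=' . $id . '&key=' . sign_download_id($id);
}

$id  = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
$key = (string)($_GET['key'] ?? '');

if ($id === false || $id === null || !isset($files[$id])) {
    http_response_code(404);
    exit('No such file.');
}
// hash_equals() compares in constant time, so the key cannot be guessed byte by byte.
if (!hash_equals(sign_download_id($id), $key)) {
    http_response_code(403);
    exit('Invalid download link.');
}

// 4. Resolve the path and confirm it still sits inside DOWNLOAD_DIR (defence in
//    depth even though the name came from our own table, not from the client).
$name = basename($files[$id]);
$path = realpath(DOWNLOAD_DIR . '/' . $name);
if ($path === false
    || strpos($path, realpath(DOWNLOAD_DIR) . DIRECTORY_SEPARATOR) !== 0
    || !is_file($path)) {
    http_response_code(404);
    exit('File not available.');
}

// 5. Push the bytes: one header() call per header, then stop the script so no
//    HTML is appended after the file content.
header('Content-Type: application/octet-stream');
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="' . $name . '"');
header('X-Content-Type-Options: nosniff');
$fp = fopen($path, 'rb');
fpassthru($fp);
fclose($fp);
exit;
```

On downloadfiles.php, emit each link with download_link($id) for the ids the logged-in user is allowed to see. Once the files live outside the document root, typing www.mysite.com/testdownloads/resume.doc returns nothing, which is the direct-URL problem the question describes; if the files must stay under the web root for now, deny direct requests to that directory in the web server configuration as the first reply suggests, and let download.php be the only path to them.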
ASKER CERTIFIED SOLUTION
GhostMod