We help IT Professionals succeed at work.

exposing protected files with PHP

Jerf asked
Medium Priority
Last Modified: 2010-05-18
I'm building a site for a client and they want to put some protected files on a server for members to download.  
We're using PHP because that's how the existing code is done.
The trick is they don't want non-members to be able to download the files.  Is there a tool in php that would let me stream a file out to a user?  I also need to preserve the file's extension so it can't be downloaded as a php file.  It could be a .doc or a .pdf or a .zip.  How about a package that I could install on the webserver?  The server will be an apache webserver running on Solaris.  I also have access to perl if I need it.
Watch Question

There is no package necessary, just a little script like this:

$file_path = "code/";  // supposed your code resides in this directory
$file = $file_path . $file;


// check user authentication here if not already done

$filename = basename($file);

$len = filesize($file);
header("content-type: application/stream");
header("content-length: $len");
header("content-disposition: attachment; filename=$filename");
$fp=fopen($file, "r");

This will offer the file for the user with the same filename and extention that you provide in $file. Be sure the code directory cannot be read by the user with a browser, i.e. protect it with .htaccess, or even better: place the files outside of your current webspace if the ISP allows that.

hope that will help


note that if you wish to protect your files, you mustn't  put them into the webserver directory otherwise
everyone could get them.

------your protected files
------your website

with the script above, you get the file from your website. The user will have a download box.
us111: this is exactly what I have told before: either to protect the directory with .htaccess or to put the files outside the webspace. Since not every ISP allow files outside the webspace, I offered both possibilites.
Please read the comments carefully before adding an own comment with the same content :-)


hehe true I didn't read all of your comment :))


Thanks, heddesheimer.  I'll give that a try.  If this works, I'll certainly be happy with it.  One question first.
I have done something like this in the past, but it was on an IIS server.  I ended up using an ISAPI filter to intercept the request and deal with it that way.  Is there a similar way to do this on apache?  I guess this is more of an apache question than a PHP one.
I'm not sure about ISAPI since I don't have used it myself. I have found some articles on the Net that may be of interest:
maybe that will be helpful.


  You really don't need a filter to do what you're talking about, the simple PHP code provided will work.  Using realms security (.htaccess) isn't very user friendly.  With PHP you could have a simple user table that denied/allowed access to the files/secured part of the site, as oppossed to going in putting them into the equivalent of a unix password file.  

FYI, to answer your question however, the equivalent of ISAPI in Apache, is to write an Apache module.  There are many existing modules that you can intall that will allow you to do what you're trying to do here, but again, PHP provides everything you need, and has less moving part, IMNSHO.


Thanks for your help.

Explore More ContentExplore courses, solutions, and other research materials related to this topic.