Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

How do I limit access to PDF files.

Posted on 2004-09-22
6
Medium Priority
?
320 Views
Last Modified: 2012-06-21
I have about 800 customers. I have prepared an online bill for each of them, which are actually PDF files.

I set up a php script, which asks for a user name and password, then gives the customers the necessary link to access the PDF bill.

That worked fine, until someone pointed out that all the PDF files are accessible, all you need is to know its name. Quite easy as the filename is "A/c No.pdf". Whoops.

My question is what should I have done to only allow access to the customers own bill?
0
Comment
Question by:MortimerCat
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 49

Expert Comment

by:Roonaan
ID: 12126540
You can go to fpdf.org. There is a pdf-creation script for PHP. An extension to the default fpdf (http://www.fpdf.org/en/script/script37.php) enables you to secure the pdf's with 2 pwds. read-pwd and readwrite-pwd.

Hope this helps.

regards

-r-

(Another solution would be to store all pdf's offline and create a getpdf.php file which checks authorization and passes the files through).
0
 
LVL 48

Expert Comment

by:hernst42
ID: 12126559
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 15

Expert Comment

by:nicholassolutions
ID: 12126700
both solutions are good. An alternative is to password-protect the pdf files themselves. If you are using acrobat 6, you do it like this:
Document --> Security --> Restrict Opening and Editing....

On earlier versions, I think it is in the file menu, but I can't remember.

This is good because you can keep cutomers from seeing other customers info also, and it doesn't take much programming effort on your part. The downside is you have to protect the files (probably manually) which may take a lot of time if you have a lot of customers.

Cheers,
Matt
0
 
LVL 1

Author Comment

by:MortimerCat
ID: 12127580
Thanks so far.  The Wazzup looks the most promising. I will try them out tomorrow and award points accordingly.
0
 
LVL 35

Accepted Solution

by:
gr8gonzo earned 1000 total points
ID: 12128467
I have done EXACTLY what you are describing (limiting customers to PDF bills), so here's one last suggestion that I know for sure works.

Even when you protect PDFs, they can be cracked with enough time and effort. To prevent people from ever getting access to the files in the first place, you can put the PDF files in a folder outside of the web root, and once the user has been authenticated, use PHP to deliver the PDF to the user's browser. So let's say the PDFs are saved in a folder called /files/pdfbills. Use the below function:

<?
// Authenticate the user first and figure out what PDF belongs to the user.
// For example, the file is /files/pdfbills/c1000-Sep-2004.pdf

// Now send the PDF to the user

   // If you want the PDF to just display in the user's browser, then use this line:
   DownloadPDF("/files/pdfbills/c1000-Sep-2004.pdf");

   // Otherwise, if you want them to be prompted to open or save it, use this line:
   DownloadPDF("/files/pdfbills/c1000-Sep-2004.pdf",1);


// And here's the function
function DownloadPDF($filename,$Download = 0)
{
      // Check filename
      if (empty($filename) || !file_exists($filename))
      {
          return FALSE;
      }
      // Create download file name to be displayed to user
      $saveasname = basename($filename);
      
      // Fix for SSL in IE
      header("Pragma: ");      
      header("Cache-Control: ");
      
      if($Download)
            header('Content-Type: application/octet-stream'); // Send binary filetype HTTP header
      else
            header('Content-Type: application/pdf'); // Send PDF filetype HTTP header
      
      // Send content-length HTTP header
      header('Content-Length: '.filesize($filename));
      
      // Send content-disposition with save file name HTTP header
      // (using workaround for MSIE 5.5 SP1 / MSIE 6.0 bugs/problems)
      if($Download)
      {
            if (IsSet($HTTP_USER_AGENT) && (preg_match('/MSIE 5.5/', $HTTP_USER_AGENT) || preg_match('/MSIE 6.0/', $HTTP_USER_AGENT)))
            {
                header('Content-Disposition: filename="'.$saveasname.'"');
            }
            else
            {
                header('Content-Disposition: attachment; filename="'.$saveasname.'"');
            }
      }
      else
      {
            header("Content-Disposition: inline; filename=\"" . $saveasname . "\"");
      }
      
      // Send Content-Transfer-Encoding HTTP header
      header('Content-Transfer-Encoding: binary');
      
      // Output file
      readfile($filename);
      
      // Done
      return TRUE;
}
?>

And make sure there's no other output or white space in this file.

- J
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Developers of all skill levels should learn to use current best practices when developing websites. However many developers, new and old, fall into the trap of using deprecated features because this is what so many tutorials and books tell them to u…
Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question