File upload / Download for authenticated users

BrettskiWork used Ask the Experts™

The following assumes I have a user in an authenticated session.

I understand how an upload to a file directory works. What I want to know is, once that file is uploaded, how do I make it available only to that user?

Say I upload it to:

What's to stop another user trying to download that file if they guess the URL? How do I make it a little more secure with my PHP / MySQL site and authentication so only that user can download the file? Should I store it in the MySQL database, or can some security be implemented at the file system level?


Top Expert 2007
check this out:

and you will need to refer the location of your htpasswd file in your httpd.conf

hope this helps.


re: http:Q_21131507.html

so what url shows up on the download then if it is a url that can't be directly accessed? Or does just the filename show?
Top Expert 2007

you can use download.php?file=/user1/file.doc as URL and implement that check in download.php
but if you do that, the user will know the location of the file right?
unless, you password-protect that folder,
and also do the checking in download.php, then it will do double authentication...
What I usually do is to store in a DB which user has uploaded what. I save the files in one directory where the direct access through http is denied or say outside the web space.
so in the DB I have
file_id auto_increment

and then the download should go through a php script say
in that file you have to check if the file with ID 5 is uploaded by this user and then pass the file
$file is the file name from the DB
$uploaddir is the directory of the uploaded files
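header("Content-type: application/x-something");
header('Content-Disposition: attachment; filename="'.basename($file).'"');
$filename = $uploaddir.basename($file); // basename() keeps the path inside $uploaddir
if (file_exists($filename)) {
    readfile($filename); // send the file contents to the client
    exit;
}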

you have to be careful though...
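
The approach described in the post above (files kept outside the web space, ownership recorded in the DB, downloads served through a script), as an added example that is not part of the original thread. The table layout `files(file_id, user_id, stored_name, original_name)`, the function names, and the in-memory SQLite database standing in for MySQL are all assumptions.

```php
<?php
declare(strict_types=1);
// Added example. Table/column names and the SQLite stand-in for MySQL are assumptions.

/** Return [path, original name] only when $fileId belongs to $userId; otherwise null. */
function authorize_download(PDO $db, int $userId, int $fileId, string $uploadDir): ?array
{
    // Ownership is in the WHERE clause: a guessed ID for someone else's file matches no row.
    $stmt = $db->prepare('SELECT stored_name, original_name FROM files WHERE file_id = ? AND user_id = ?');
    $stmt->execute([$fileId, $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $base = realpath($uploadDir);
    if ($row === false || $base === false) {
        return null;
    }
    // Resolve the stored name and confirm the result is still inside the upload directory.
    $path = realpath($base . DIRECTORY_SEPARATOR . basename($row['stored_name']));
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
        return null;
    }
    return [$path, $row['original_name']];
}

/** Stream the file as an attachment. In download.php, call this after authorize_download(). */
function send_download(string $path, string $originalName): void
{
    // Replace anything that could break out of the quoted header value.
    $safe = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($originalName));
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $safe . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// Constructed demo data: one file owned by user 1, kept outside any web-served directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'uploads_demo';
is_dir($dir) || mkdir($dir, 0700);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'a1b2c3', 'constructed sample content');
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE files (file_id INTEGER PRIMARY KEY, user_id INTEGER, stored_name TEXT, original_name TEXT)');
$db->exec("INSERT INTO files VALUES (5, 1, 'a1b2c3', 'report.doc')");

// In download.php the IDs would come from $_SESSION and (int) $_GET['id'].
foreach ([1, 2] as $userId) {
    $hit = authorize_download($db, $userId, 5, $dir);
    echo "user $userId requesting file 5: ", $hit === null ? "404\n" : "would send {$hit[1]}\n";
}
```

Answering with the same 404 whether the file is missing or belongs to someone else avoids confirming to a guesser that a given ID exists.
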
how about something like this..... just a guide, fill in the coding

for uploading.....

$save_file_as = md5($password.$upload_filename).$user; /* save the file as an extensionless md5 hash lets see someone (a) guess the name and (b) be able to access it through a browser */
$add_file_name_to_user_db = $upload_filename; /* save the real filename to the user database for accessing it later */

for accessing the file.......

$temp_filename = md5($password.$filename_from_user_db).$user; /* recreate our md5 hash */
copy($temp_filename,$filename_from_user_db); /* create a copy of the extensionless md5 hash file and save it as our filename*/

now you have a copy to play with, just remember to delete it when you have finished using it, even better read the $temp_filename into a tmpfile() and the copy will delete itself at end of script (or with fclose), you can even perform rollback operations etc if you append the file.


Well, sounds like it's a little "hacky" any way we go..

naskovoto ?? Why did you say you have to be careful with your script?

May end up just storing them in a database, maybe an easier way to go, and I can do things like version control etc..
