TalkPHP
12-03-2007, 07:44 PM   #1
Erutan409
File Security/Restriction System

Is there any way to control file access with PHP? For example, would it be possible to restrict users from downloading a file from my website unless they're logged in? I'm sure this would have to do with some sort of file system rights on the server end. Would this incorporate .htaccess? I've been wondering if this were possible for quite some time. I've written a script that tracks both streaming and downloading of media files on my website. It isn't solid though. Someone could easily navigate to where the file is on my website and stream/download it without having to get it through my script.

12-03-2007, 08:21 PM   #2
Wildhoney

I'm sure there will be a way, but I'm not so sure what that would be. Most people simply cloak the URL to the file and then use PHP to load it in using the header function. I've put you together a script that shows you how to achieve that.

Fundamentally, what it does is check the file they're after, strip the forward slashes to prevent relative directory trawling, and check to see if it exists; if it does, then it will prompt the user to download the file.

I have even added a little mod-rewrite which allows the URL to look like so: /file/my_file.zip.

php Code:
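<?php
// Folder the downloadable files live in (trailing slash required).
define('FOLDER_DOWNLOAD', './downloads/');

if(isset($_GET['download']))
{
    // Strip both slash styles so the name cannot point outside the folder.
    $szFile = str_replace(array('/', '\\'), '', urldecode($_GET['download']));

    // is_file() rather than file_exists(), so directories such as ".." are refused.
    if(is_file(FOLDER_DOWNLOAD . $szFile))
    {
        // Prompt the browser to save the file instead of displaying it.
        header('Content-type: application/zip');
        header('Content-Disposition: attachment; filename="' . $szFile . '"');
        readfile(FOLDER_DOWNLOAD . $szFile);
        exit;
    }
}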
Attached Files
File Type: zip Download.zip (808 Bytes, 8 views)

12-03-2007, 09:00 PM   #3
Salathe

Quote (originally posted by Erutan409):
Someone could easily navigate to where the file is on my website and stream/download it without having to get it through my script.
Keep the files in a non-web-accessible folder; either use .htaccess to block requests or throw the files into a folder below the web root.

Folder below web root
If the main folder for your site is /home/salathe/public_html/ then store the files outside of that folder; e.g., /home/salathe/file_store/. This way, it's simply not possible to type a URL which equates to the location of that folder!

Block access with .htaccess file
There are various ways you could achieve this but here's just one of them. Put a .htaccess file in the folder storing the files (e.g. /home/salathe/public_html/files/), with the following content.
htaccess Code:
Order deny,allow
Deny from all



Since you're using PHP to output the files (with authorisation checking, etc.) then it doesn't matter where the files are stored in the server so long as PHP can read them. :)
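
The suggestions in this thread combined into one gated download script, added here as an example and not code posted by anyone in the thread: the login check the original question asks for, a store outside the web root, and a containment check on the requested name. The session key `user_id`, the constant `FILE_STORE`, the helper `resolve_download()` and the filename allow-list are assumptions; the store path is the one from the example above.

```php
<?php
// Added example, not code from the thread. Assumed names: FILE_STORE,
// $_SESSION['user_id'] (set by your own login code), resolve_download().
session_start();

// Store kept outside the web root, so no URL maps to it directly.
define('FILE_STORE', '/home/salathe/file_store');

// Map a requested name to a real file directly inside $store, or return null.
function resolve_download($store, $requested)
{
    // basename() drops any directory part; normalise backslashes first
    // because basename() only treats them as separators on Windows.
    $name = basename(str_replace('\\', '/', $requested));

    // Constructed allow-list: must start with a letter or digit, which also
    // rejects "", ".", ".." and dotfiles such as .htaccess.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*$/', $name)) {
        return null;
    }

    // realpath() resolves symlinks and returns false for missing paths.
    $base = realpath($store);
    $path = realpath($store . '/' . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }

    // A symlink pointing elsewhere resolves outside the store and is refused.
    return (dirname($path) === $base) ? $path : null;
}

// Authorisation first: anonymous visitors never reach the file system.
if (empty($_SESSION['user_id'])) {
    header('HTTP/1.1 403 Forbidden');
    exit('Please log in to download files.');
}

$path = isset($_GET['download']) ? resolve_download(FILE_STORE, $_GET['download']) : null;
if ($path === null) {
    header('HTTP/1.1 404 Not Found');
    exit('File not found.');
}

header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
exit;
```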