tags:

views:

98

answers:

2
+1  Q: 

Authentication / Denying access to files in directory with php

I have a directory of files that logged-in users can upload to and access. Some of the files are public, and others are private - for internal access only. The filenames and access settings are saved in a database.

Can anybody give me some resources or show me an example of how i can use session data (and .htaccess?) to allow access of private files only to authorized users?

I'm thinking it might be easier to keep public documents in a seperate, unprotected directory, though i'd kind of like to keep everything together.

I'm not concerned about top-level security or encryption, as the files aren't terribly sensitive, but i want to keep them from being indexed on search engines, etc.

thanks!

+1  A: 

I suppose I wouldn't use a .htaccess (or any kind of HTTP-authentication) for that : .htaccess / .htpasswd are great when you want to allow/deny access to a whole directory, and not to specific files.


Instead, I would :

  • Deny any access to the files -- i.e. use a .htaccess file, containing Deny from All
    • That way, no-one has access to the file
    • Which means everyone will have to use another way to get to the files, than a direct URL.
  • Develop a PHP script that would :
    • receive a file identifier (a file name, for instance ; or some identifier that can correspond to the file)
    • authenticate the users (with some login/password fields), against the data stored in the database
    • if the user is valid, and has access to the file (This is if different users don't have access to the same set of files), read the content of the file from your PHP script, and send it the the user.

The advantage is that your PHP script has access to the DB -- which means it can allow users to log-in, log-out, it can use sessions, ...


About the "send the file from PHP", here are a couple of questions that might bring some light :

Pascal MARTIN  2010-02-24 17:56:06
Thanks! i was considering an approach like this, but i was under the impression that "Deny from All" would also stop php from being able to interact with the files.
neil  2010-02-24 18:07:56
No : `Deny from all` has an impact on Apache ; but none on PHP *(as long as your PHP script is not in the directory that contains that `Deny from all`, of course, as your PHP script is served by Apache)*
Pascal MARTIN  2010-02-24 18:12:21
A: 

I'd create a custom index script in PHP -- something that would show the files dynamically. Use that to keep only the right files being listed -- afterwards, to further protect the files, fetch file contents dynamically -- Pascal MARTIN's links show you how to use PHP to control the file streaming, you can use that to block access from hidden files to users that aren't supposed to get to them.

henasraf  2010-02-24 18:00:12

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases