Protecting files with php

[lacroix13]

I build a site that has a login module verified against a mysql dbase.The users after login can upload some files.

How can i protect these files from being viewed and downloaded by people that are not logged in but know the path??

[Joan Garnet]

Change permissions of the directory to 700 in your server.

[lacroix13]

this won't do.i dont need to protect a directory to be read only by me.

i want to store files uploaded by all the registered users but i want these files to be possible to be downloaded only by the users they were addressed to and not by anyone that knows the full path to them.

it's sort of an email attachement.they are protected to download by other people than the person to which they were addressed, aren't they
:

[Joan Garnet]

You can create a dynamic login system that expires once the login check has been done.

You keep those logins and passwords in the database and when the user has logged in, the row is deleted.

You could even create a little program that creates this data automatically and send the URL via email to the requested user.

[lacroix13]

YOU DONT UNDERSTAND!!!

I already have done the login, with sessions, and veriffications against a database table, I done the file upload.The only problem is how to protect these files from being downloaded by the addressee(the person it was addressed to).

It's like an attachement to an email.that can't be downloaded by someone else. :evil:

[WiZARD]

Hi!
You may do next:
Give permission to directory only for you(admin), and whan you may a copy you do this under your rights. Procedure of coping running only under you, - nobody cannot do this.

Interesting you some time try to think?

[lacroix13]

AGAIN, YOU DONT UNDERSTAND!!!

This site is a multiuser system.

From the begining:
*how does yahoo keeps email attachements so that only the person it was addressed to can download them???
*if you are not the addressee, you can't access the file even if you know it's full path (ie: http://www.mysite.com/files/prot/file.zip)

I'm asking this because if you type http://www.mysite.com/files/prot/file.zip you may download the file

[Mh_0]

How about authentication, give people usernames and authenticate them against the contents of the database?

I found this site useful, it told me how to encrypt peoples passwords, and then how to autenticate them before loading a page

its what I did for my site!

[Redcircle]

lacroix13

Using the sessions create a session variable named $_SESSION['authorized'] and one as $_SESSION['access_level']

when a user is logged in give $_SESSION['authorized'] a value of one and whatever access_level you want them to.

on every restricted page have this code.

Code: Select all

session_start();
if(!isset($_SESSION['authorized']))
     $_SESSION['authorized'] = 0;
if(!isset($_SESSION['access_level']))
    $_SESSION['access_level'] = 0;

if($_SESSION['authorized']==1 && $_SESSION['access_level'] > 10)
{
//display page
}
else
{
//stuff they see if they are not authorized
}


do you kinda understand where I'm going with it?

[TheIceman5]

use .htaccess, write a php file that modifies this file.

[WiZARD]

AGAIN, YOU DONT UNDERSTAND!!!

This site is a multiuser system.

From the begining:
*how does yahoo keeps email attachements so that only the person it was addressed to can download them???
*if you are not the addressee, you can't access the file even if you know it's full path (ie: http://www.mysite.com/files/prot/file.zip)

I'm asking this because if you type http://www.mysite.com/files/prot/file.zip you may download the file

Aha! understand!
All what you need to do:
Variant number 1:
1) placing some file in some directory for ex. /home/user/044Fd
2) protect this dir...
3) in PHP (with session) you do download this like ...df.com/file?=3546
4) in MySQL you have a table where some id (=3546) have a path to the real file /home/user/044Fd

Variant number 2:
You may have a permission manage .htaccess and create virtual directory....
Variant number 3:
Mixing V1 and V2 but other principles:
If you may manage session you may do next:
Your SID is virtual dir to the file....

Thats is solve of your problem, actually if you wish like in Yahoomail