Protecting files with PHP
Moderators: egami, macek, gesf
I built a site that has a login module verified against a MySQL database. After login, the users can upload some files.
How can I protect these files from being viewed and downloaded by people who are not logged in but know the path?
- Joan Garnet
- Moderator
- Posts: 387
- Joined: Sat Aug 03, 2002 2:56 am
- Location: Mars
- Contact:
Change permissions of the directory to 700 in your server.
This won't do. I don't need to protect a directory to be read only by me.
I want to store files uploaded by all the registered users, but I want these files to be downloadable only by the users they were addressed to and not by anyone who knows the full path to them.
It's sort of an email attachment. They are protected against download by people other than the person to whom they were addressed, aren't they?


- Joan Garnet
- Moderator
- Posts: 387
- Joined: Sat Aug 03, 2002 2:56 am
- Location: Mars
- Contact:
You can create a dynamic login system that expires once the login check has been done.
You keep those logins and passwords in the database and when the user has logged in, the row is deleted.
You could even create a little program that creates this data automatically and sends the URL via email to the requested user.
YOU DON'T UNDERSTAND!!!
I have already done the login, with sessions and verifications against a database table, and I have done the file upload. The only problem is how to protect these files from being downloaded by the addressee (the person it was addressed to).
It's like an attachment to an email that can't be downloaded by someone else. :evil:
- WiZARD
- Moderator
- Posts: 1240
- Joined: Thu Jun 20, 2002 10:14 pm
- Location: Ukraine, Crimea, Simferopol
- Contact:
Hi!
You may do the following:
Give permission on the directory only to yourself (admin), and when you make a copy, do it under your own rights. The copying procedure runs only under you; nobody else can do this.
Interesting, do you sometimes try to think?
"Sex,Drugs and Rock&Roll " replaced at "Sucks,Bugs and Plug&Play";


AGAIN, YOU DON'T UNDERSTAND!!!
This site is a multiuser system.
From the beginning:
* How does Yahoo keep email attachments so that only the person they were addressed to can download them?
* If you are not the addressee, you can't access the file even if you know its full path (i.e. http://www.mysite.com/files/prot/file.zip)
I'm asking this because if you type http://www.mysite.com/files/prot/file.zip you may download the file.
How about authentication, give people usernames and authenticate them against the contents of the database?
I found this site useful; it told me how to encrypt people's passwords and then how to authenticate them before loading a page.
It's what I did for my site!
lacroix13
Using sessions, create a session variable named $_SESSION['authorized'] and one named $_SESSION['access_level'].
When a user is logged in, give $_SESSION['authorized'] a value of one and whatever access_level you want them to have.
On every restricted page have this code:

```php
<?php
session_start();

// Default to "not authorized" when the session keys are missing.
if (!isset($_SESSION['authorized'])) {
    $_SESSION['authorized'] = 0;
}
if (!isset($_SESSION['access_level'])) {
    $_SESSION['access_level'] = 0;
}

if ($_SESSION['authorized'] == 1 && $_SESSION['access_level'] > 10) {
    // display page
} else {
    // stuff they see if they are not authorized
}
```

Do you kinda understand where I'm going with it?
-
- New php-forum User
- Posts: 28
- Joined: Tue Jan 21, 2003 9:31 pm
- Contact:
Use .htaccess; write a PHP file that modifies this file.
Administrator Newbieslair http://www.newbieslair.com
- WiZARD
- Moderator
- Posts: 1240
- Joined: Thu Jun 20, 2002 10:14 pm
- Location: Ukraine, Crimea, Simferopol
- Contact:
lacroix13 wrote: AGAIN, YOU DON'T UNDERSTAND!!!
This site is a multiuser system.
From the beginning:
* How does Yahoo keep email attachments so that only the person they were addressed to can download them?
* If you are not the addressee, you can't access the file even if you know its full path (i.e. http://www.mysite.com/files/prot/file.zip)
I'm asking this because if you type http://www.mysite.com/files/prot/file.zip you may download the file.
Aha! I understand!
All you need to do:
Variant number 1:
1) Place the file in some directory, e.g. /home/user/044Fd
2) Protect this directory...
3) In PHP (with a session) you do the download through something like ...df.com/file?=3546
4) In MySQL you have a table where some id (=3546) has the path to the real file /home/user/044Fd
Variant number 2:
You may have permission to manage .htaccess and create a virtual directory....
Variant number 3:
Mixing V1 and V2 but on other principles:
If you can manage the session, you may do the following:
Your SID is the virtual directory to the file....
That is the solution to your problem, if you actually want it like in Yahoo Mail.
"Sex,Drugs and Rock&Roll " replaced at "Sucks,Bugs and Plug&Play";


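Variant 1 from the last post, sketched as a download script. This is an added example, not code from the thread: the `files` table with its `recipient_id`, `stored_name` and `original_name` columns, the `$_SESSION['user_id']` key and the database credentials are assumptions, and the storage directory is assumed to lie outside the web root so that no URL maps to it directly.

```php
<?php
// download.php?id=3546 (added example; table, column and session names are assumptions)
declare(strict_types=1);
session_start();

const STORAGE_DIR = '/home/user/044Fd';   // not reachable by URL, as in Variant 1

// 1) Only logged-in users get past this point.
if (empty($_SESSION['authorized']) || empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Not logged in.');
}

// 2) The id must be a plain integer; the real path never comes from the request.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Bad file id.');
}

// 3) Look the file up and require that it is addressed to this user.
$pdo = new PDO('mysql:host=localhost;dbname=mysite;charset=utf8mb4', 'dbuser', 'dbpass',
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$stmt = $pdo->prepare(
    'SELECT stored_name, original_name FROM files WHERE id = ? AND recipient_id = ?');
$stmt->execute([$id, $_SESSION['user_id']]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// Same answer for "no such file" and "not yours", so ids cannot be probed.
if ($row === false) {
    http_response_code(404);
    exit('File not found.');
}

// 4) Resolve the path and make sure it is still inside the storage directory.
$base = realpath(STORAGE_DIR);
$path = realpath(STORAGE_DIR . '/' . basename($row['stored_name']));
if ($base === false || $path === false || !is_file($path)
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(404);
    exit('File not found.');
}

// 5) Stream the file; the browser only ever sees download.php?id=...
$name = preg_replace('/[^A-Za-z0-9._-]/', '_', $row['original_name']);
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

The check that matters is the `recipient_id = ?` clause: a login check alone would let any logged-in user fetch any id.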