Protecting files with php


Postby lacroix13 » Thu Jan 09, 2003 1:37 am

I built a site that has a login module verified against a MySQL database. The users can upload some files after login.

How can I protect these files from being viewed and downloaded by people that are not logged in but know the path??


Postby Joan Garnet » Thu Jan 09, 2003 5:27 am

Change permissions of the directory to 700 in your server.


Postby lacroix13 » Wed Jan 15, 2003 1:57 am

This won't do. I don't need to protect a directory to be read only by me.

I want to store files uploaded by all the registered users, but I want these files to be downloadable only by the users they were addressed to and not by anyone that knows the full path to them.

It's sort of an email attachment. They are protected from download by people other than the person to which they were addressed, aren't they
:?: :(


Postby Joan Garnet » Wed Jan 15, 2003 4:17 am

You can create a dynamic login system that expires once the login check has been done.

You keep those logins and passwords in the database and when the user has logged in, the row is deleted.

You could even create a little program that creates this data automatically and send the URL via email to the requested user.


Postby lacroix13 » Wed Jan 15, 2003 10:46 pm

YOU DON'T UNDERSTAND!!!

I have already done the login, with sessions and verifications against a database table, and I have done the file upload. The only problem is how to protect these files from being downloaded by the addressee (the person it was addressed to).

It's like an attachment to an email that can't be downloaded by someone else. :evil:


Postby WiZARD » Thu Jan 16, 2003 7:00 am

Hi!
You may do the following:
Give permission to the directory only for you (admin), and when you make a copy you do this under your rights. The copying procedure runs only under you - nobody else can do this.

Interesting you some time try to think?


Postby lacroix13 » Thu Jan 16, 2003 1:07 pm

AGAIN, YOU DON'T UNDERSTAND!!!

This site is a multiuser system.

From the beginning:
*how does Yahoo keep email attachments so that only the person it was addressed to can download them???
*if you are not the addressee, you can't access the file even if you know its full path (ie: http://www.mysite.com/files/prot/file.zip)

I'm asking this because if you type http://www.mysite.com/files/prot/file.zip you may download the file


Postby Mh_0 » Mon Jan 20, 2003 7:47 am

How about authentication: give people usernames and authenticate them against the contents of the database?

I found this site useful. It told me how to encrypt people's passwords, and then how to authenticate them before loading a page.

It's what I did for my site!


Postby Redcircle » Wed Jan 22, 2003 12:16 am

lacroix13

Using the sessions, create a session variable named $_SESSION['authorized'] and one named $_SESSION['access_level'].

When a user is logged in, give $_SESSION['authorized'] a value of one and whatever access_level you want them to have.

On every restricted page have this code.

Code:

<?php
session_start();

// Default to "not authorized" when the login code has not set these yet.
if (!isset($_SESSION['authorized'])) {
    $_SESSION['authorized'] = 0;
}
if (!isset($_SESSION['access_level'])) {
    $_SESSION['access_level'] = 0;
}

if ($_SESSION['authorized'] == 1 && $_SESSION['access_level'] > 10) {
    // display page
} else {
    // stuff they see if they are not authorized
}


Do you kinda understand where I'm going with it?


Postby TheIceman5 » Wed Jan 22, 2003 2:00 am

Use .htaccess, write a PHP file that modifies this file.


Postby WiZARD » Wed Jan 22, 2003 9:46 am

lacroix13 wrote:
AGAIN, YOU DON'T UNDERSTAND!!!

This site is a multiuser system.

From the beginning:
*how does Yahoo keep email attachments so that only the person it was addressed to can download them???
*if you are not the addressee, you can't access the file even if you know its full path (ie: http://www.mysite.com/files/prot/file.zip)

I'm asking this because if you type http://www.mysite.com/files/prot/file.zip you may download the file

Aha! I understand!
All that you need to do:
Variant number 1:
1) Place the file in some directory, e.g. /home/user/044Fd
2) Protect this dir...
3) In PHP (with session) you do the download like ...df.com/file?=3546
4) In MySQL you have a table where some id (=3546) has a path to the real file /home/user/044Fd

Variant number 2:
You may have permission to manage .htaccess and create a virtual directory....
Variant number 3:
Mixing V1 and V2 but with other principles:
If you can manage the session you may do the following:
Your SID is the virtual dir to the file....

That is the solution to your problem, actually, if you wish it like in Yahoomail
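
Variant 1 combined with Redcircle's session check, as an added example that is not code from any poster in this thread: a download script that serves a file only to its addressee. The `files` table and its columns, the `$_SESSION['user_id']` key, the script name and the database credentials are assumptions made for illustration.

```php
<?php
// download.php?id=3546 -- added example, not code from the thread.
// Assumed (hypothetical) schema: files(id, recipient_id, stored_name, original_name)
// Assumed session key: $_SESSION['user_id'], set by the existing login code.
declare(strict_types=1);

const STORAGE_DIR = '/home/user/044Fd'; // outside the web root, as in Variant 1

/** Returns the file row if $userId is the addressee, otherwise null. */
function find_file_for_user(PDO $db, int $fileId, int $userId): ?array
{
    $stmt = $db->prepare(
        'SELECT stored_name, original_name FROM files WHERE id = ? AND recipient_id = ?'
    );
    $stmt->execute([$fileId, $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

session_start();
if (empty($_SESSION['authorized']) || !isset($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Not logged in');
}

$fileId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
// DSN and credentials are placeholders.
$db = new PDO('mysql:host=localhost;dbname=mysite', 'db_user', 'db_pass',
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

$row = is_int($fileId) ? find_file_for_user($db, $fileId, (int) $_SESSION['user_id']) : null;
// basename() guards against a stored name that contains directory parts.
$path = $row ? STORAGE_DIR . '/' . basename($row['stored_name']) : null;

if ($path === null || !is_file($path)) {
    http_response_code(404); // same answer for "missing" and "not yours"
    exit('File not found');
}

header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' .
       str_replace(['"', "\r", "\n", '\\'], '_', $row['original_name']) . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

With the upload directory outside the document root, a direct URL to the file no longer resolves, so this script is the only route to it and the recipient check in the query decides who gets the bytes.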

