
[PHP] Working with password protected folders


Question

Hey guys,

I'm doing a project for a client that would like to upload files to a password protected directory for their own clients to login and browse. Can I use PHP to access specific protected folders and upload the files or list them for the client? If so, how? I've checked Google and can't find anything. By the way, I'm using .htaccess to redirect all pages (except for documents like pdfs) to the index, so while people won't be able to access the index of files without logging in, if they know the address of the specific files they'll be able to get them. What do I do? Thanks!

7 answers to this question


  • 0

how exactly would i set that up jon?

i could use an htaccess file to redirect all calls to an index page saying that they aren't authorized to view the index, but how exactly would i allow users to download pdfs, etc. from folders located within the scope of the htaccess file? i don't want anyone to be able to put in the direct address to the file and download it, bypassing the entire login script.

unless, are you talking about putting them in a folder instead of /public_html/? how could i generate those folders and access them with PHP?

  • 0

You could run something like this from your web root (public_html), obviously this is just a very basic mockup.

$path = "../storage/";
$file = $path . urlencode($_GET['file']);
header('Content-Disposition: attachment; filename="whatever you want to call your file.thing"');
header("Content-Type: application/force-download");
readfile($file);

You can do a lot of different things with headers, above is just the basics for what you should need.

All it's missing is the database/session checking really.

/k

  • 0

i assume that if i was running that script in the folder /root/public_html/ or /root/www/ then it would access /root/storage/?

is there any way to select a file from that folder with a direct path instead of navigating the folders with ".."?

  • 0
  Quote

You could run something like this from your web root (public_html), obviously this is just a very basic mockup.

$path = "../storage/";
$file = $path . urlencode($_GET['file']);
header('Content-Disposition: attachment; filename="whatever you want to call your file.thing"');
header("Content-Type: application/force-download");
readfile($file);

You can do a lot of different things with headers, above is just the basics for what you should need.

All it's missing is the database/session checking really.

/k

Erm a tad insecure...

file.php?file=../../../../../etc/passwd

Be sure to parse the inputted file name.

  • 0
  Simon Thulbourn said:

Erm a tad insecure...

file.php?file=../../../../../etc/passwd

Be sure to parse the inputted file name.

  Kudos said:

... obviously this is just a very basic mockup ...

Correct, i was presuming the filename would be passed through a db query to check permissions, not just directly linked. This was just a simple starting point.

  CeruleanCowboy said:

i assume that if i was running that script in the folder /root/public_html/ or /root/www/ then it would access /root/storage/?

Exactly

  CeruleanCowboy said:

is there any way to select a file from that folder with a direct path instead of navigating the folders with ".."?

You could use the full pathname, using ".." makes it more portable though.

/k

This topic is now closed to further replies.
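The mockup from the thread with the two missing pieces filled in (a login check and validation of the requested file name), as an added example that is not part of any post above. The names resolve_download(), STORAGE_DIR and $_SESSION['user_id'] are assumptions; the session key is expected to be set by your own login script.

```php
<?php
// Added example, not code from the thread. resolve_download(), STORAGE_DIR and
// $_SESSION['user_id'] are assumed names; adapt them to your own login script.
declare(strict_types=1);

const STORAGE_DIR = __DIR__ . '/../storage'; // outside the web root, as in the thread

// Map a user-supplied name to a real file inside $baseDir, or return null.
function resolve_download(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks, and returns false for missing files.
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Containment: the resolved path must still begin with "<storage>/".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

if (PHP_SAPI !== 'cli') {
    session_start();
    if (empty($_SESSION['user_id'])) {
        http_response_code(403);
        exit('Not authorised');
    }
    $name = is_string($_GET['file'] ?? null) ? $_GET['file'] : '';
    $file = resolve_download(STORAGE_DIR, $name);
    // A per-user permission lookup (the db query mentioned in the thread) belongs here.
    if ($file === null) {
        http_response_code(404);
        exit('File not found');
    }
    $safeName = str_replace(['"', '\\'], '_', basename($file));
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    header('Content-Length: ' . filesize($file));
    readfile($file);
}
```

Because the check compares the resolved path against the storage directory, a name containing ".." that resolves anywhere else yields a 404 instead of a file.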