
Protecting files / directory using PHP


Atom-G

Hi all, I've searched a lot about that and received a lot of opinions, but still, I'm unable to:

  • Do what someone told me, because I don't see how to do it
  • OR, I won't do what they suggested to me, because it is not "real" protection

This is the problem: how to protect files (and perhaps directories, but at least access to a file) from a "NOT LOGGED USER". So if the user is not logged in, he won't be able to reach that file by typing the address in his browser, for example: http://mywebsite.com/files/thefile.zip. However, if the user has logged in, he will be able to download it.

What people suggested:

  • Create a directory with a name that it is "impossible" for someone to reach. Example: http://mywebsite.com/eafeakljfhefeaklfh/thefile.zip. I really don't like this idea... it is still possible to reach it... and I don't want to create those kinds of folders... :)
  • Put a file in a private directory on the server and make it available only to the admin (modify the CHMOD). I like this idea, but I DON'T know how to do it. Like, I put a file that only I can access (I = admin). So if a user tries to access it by a web link, I verify the session (whether he is logged in). If yes -> then (now this is the problem) have a PHP function that will download the file for the user (I don't know any PHP function that does this). I think that perhaps if it is me that calls the PHP function on the server side, it will consider me the admin in the CHMOD.

Or is there ANY other solution? A good SECURE solution (to prevent people from reaching any file through the address bar)? By using PHP and sessions.

I know how to protect a folder and ask for a username and password (like logging in to Windows), but this is not what I want... and it is not the power of "session" PHP offers.

THANK YOU! A LOT!


Why not have a log in page and post the username and password to a page called (for example) downloadpage.php. Then the downloadpage.php would start something like:

<?php
if (($_POST['username'] == "myusername") && ($_POST['password'] == "mypassword")) {
    // login is successful, so you could have a link to the file, e.g.
    print "<a href='filetobedownloaded.zip'>click here</a>";
} else {
    // login is not successful, so the page will only show, e.g.
    print "You need to log in first";
}

or if you want to use sessions and have a method of starting a session called for example "authorised"="yes" then you only need to stick this in the start of any page that you want to use:

session_start();
if (@$_SESSION['authorised'] != "yes") {
    header("Location: login.html");
    exit;
}

which will redirect to the login page if not already logged in.

In the top example you would need a method of retrieving the username and password from a database unless you really wanted everyone to use the same username and password.


I think the best way to do it is to store encrypted passwords in a database and have the user input username and pass and check it against the database.

You will need:

  • A MySQL database
  • PHP
  • A browser

You will need to make:

  • A table that can store username and encrypted password
  • A script that allows access depending upon username and pass entered and checked
  • A part of that same script that boots guests and unauthorized access attempts.

You will need to:

  • Add the access script on all pages you want to protect, pages must have a .php extension.

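The login step described in the two replies above, as an added example that is not part of the original thread: it checks the posted credentials against a stored hash using PHP's password_hash()/password_verify() (a one-way hash rather than reversible encryption) and sets the `authorised` session flag from the earlier reply. The `users` table, `check_login()` and the in-memory SQLite database standing in for MySQL are assumptions made for illustration.

```php
<?php
// login.php (added example). Hypothetical names: users table, check_login().
// Constructed demo data: an in-memory SQLite database stands in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO users (username, pass_hash) VALUES (?, ?)');
// Store a salted one-way hash, never the password itself.
$ins->execute(['atom', password_hash('constructed-demo-password', PASSWORD_DEFAULT)]);

// True only if the user exists and the password matches the stored hash.
function check_login(PDO $db, string $user, string $pass): bool
{
    // Prepared statement: the username is never concatenated into the SQL.
    $q = $db->prepare('SELECT pass_hash FROM users WHERE username = ?');
    $q->execute([$user]);
    $hash = $q->fetchColumn();
    // A missing user gives false here and fails the same way as a bad password.
    return is_string($hash) && password_verify($pass, $hash);
}

session_start();
$user = $_POST['username'] ?? '';
$pass = $_POST['password'] ?? '';
if (is_string($user) && is_string($pass) && check_login($db, $user, $pass)) {
    session_regenerate_id(true);        // issue a new session id after login
    $_SESSION['authorised'] = 'yes';    // flag read by the protected pages
    header('Location: downloadpage.php');
} else {
    http_response_code(401);
    print 'You need to log in first';
}
```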

First of all, thx a lot for all those nice replies.

I have a server that can do:

- FTP server
- MySql
- PHP

So this is a good start :).

All the ideas you gave here are what I already did (I should have mentioned that before..). They are good ideas. BUT, will this prevent someone from putting exactly this in his address bar?

http://mysite.com/download/thefiles.zip

No (or if YES, then explain please.. because I don't understand :) )

So, I am already able to show the link or not, depending on whether the user is logged in.

Let's take fileplanet (where we can download a lot of games): we could simply find the right address and type it in to get the demo we want or the full game we want. We would never need any login, and hackers would have found this way loooooooong ago.

I'm pretty sure there is something that can be done with the CHMOD. Like in this screenshot, I can modify those settings on my FTP server -> chmod.png

So perhaps I could only give access to ME, the admin of the site, and give permission to access the files through a PHP function or something... well, this is where I'm stuck...

I think you could put the files in a database and access them with PHP, but I personally don't know how to do that...
I think we cannot put files like .zip or .jpg in a database.

Thx for all the help again!

There are only 2 ways I can think of.

1. For FTP, the user can use URLs, but the URL itself will be:

ftp://mysite.com/download/thefiles.zip

and upon download, the user will be required to give a username and password.

2. The other way I can think of is simple HTTP authentication.

http://httpd.apache.org/docs/2.2/howto/auth.html

But it requires you to have control over your server's configuration, or at least to be allowed .htaccess and .htpasswd files.

Both of those methods have one major disadvantage. There is no way (as far as I'm familiar with) to add extra protection against robots, such as captcha. Because of this drawback, you're still vulnerable, though this does offer some initial protection.

The only way to secure a file is to NOT use a URL (not a public one anyway) to retrieve it. If the file was on your own server, you can use PHP to get it from the file system (outside the document root) after the user has passed certain PHP security authentications.


You can store whatever information you want in a database, including files, but it makes for a really really big database.

What I would do is first set the permissions on the folder so that only the PHP process can access the folder. Then have a download page that gets the filename to download, something like this:

download.php?fileid=10

if you want to look up the filename in the database, or

download.php?file=thefiles%2Ezip

if you don't care if the name of the file is in the URL. The first way is more secure. The download.php page can check if you are logged in, and if so, it will read the file and send it directly to the client. It's better not to just offer a link to download, or redirect, because the client still sees the URL (and, since permissions are set, they won't be able to access it anyway). So, you would send the appropriate headers to send the file, send the mime type, file size, filename, and then send the actual file like this (taken from the php.net reference for header):

<?php
// $mime_type and $downloadfile must be set before this point
header("Cache-Control: public, must-revalidate");
header("Pragma: hack");
header("Content-Type: " . $mime_type);
header("Content-Length: " . (string)(filesize($downloadfile)));
header('Content-Disposition: attachment; filename="' . basename($downloadfile) . '"');
// no trailing "\n" here: header() rejects values that contain a newline
header("Content-Transfer-Encoding: binary");

// read the whole file, then send it to the client
$fp = fopen($downloadfile, 'rb');
$buffer = fread($fp, filesize($downloadfile));
fclose($fp);

print $buffer;
?>

You would set the $mime_type and $downloadfile variables yourself. This way would ensure that the client never even sees the URL of the actual file, and you could name the folder anything you want and block anonymous access to it.

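An added example (not code from the thread or from php.net) of the download.php gate described above, using the `fileid` lookup variant: it checks the `authorised` session flag, maps the id to a stored filename, confirms the resolved path stays inside the storage directory, and streams the file. `STORAGE_DIR`, `$catalogue` (standing in for the database lookup) and `resolve_download()` are hypothetical names, and the storage directory is assumed to sit outside the document root.

```php
<?php
// download.php (added example). Hypothetical: STORAGE_DIR, $catalogue, resolve_download().
// Assumption: STORAGE_DIR lies outside the web server's document root.
const STORAGE_DIR = '/var/www/private_files';

// Constructed stand-in for the database lookup: file id => stored filename.
$catalogue = [10 => 'thefiles.zip'];

// Map a client-supplied id to a real path inside $dir, or null if not allowed.
function resolve_download(array $catalogue, string $id, string $dir): ?string
{
    if (!ctype_digit($id) || !isset($catalogue[(int)$id])) {
        return null;                        // not a known id: nothing to serve
    }
    $base = realpath($dir);
    $path = realpath($dir . '/' . $catalogue[(int)$id]);
    // realpath() resolves ../ and symlinks; the result must stay under $base.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($path)) {
        return null;
    }
    return $path;
}

session_start();
// Same flag as the session check posted earlier in the thread.
if (($_SESSION['authorised'] ?? '') !== 'yes') {
    http_response_code(403);
    exit('You need to log in first');
}

$id = $_GET['fileid'] ?? '';
$path = resolve_download($catalogue, is_string($id) ? $id : '', STORAGE_DIR);
if ($path === null) {
    http_response_code(404);
    exit('No such file');
}

header('Content-Type: application/octet-stream');
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('X-Content-Type-Options: nosniff');
readfile($path);    // streams the file instead of reading it all into a variable
```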

I like your way, but what should the directory be CHMODed to, to allow PHP to access the file without allowing the user to do so? And I would recommend using a .htaccess file to have a more friendly user than blah.php?download=62839: it could simply be download/file.zip and be redirected to a page for you to download it from.


It would probably be best to create the directory using PHP (so that PHP is the owner, or else just use CHOWN), and then give the owner read/write access and the other groups nothing. You would still want to do some testing to make sure that everything is cool though.
