Good evening everyone. I'm just starting to learn PHP. I'm creating a very simple login script that will allow my customers to log in and view their invoices, which are saved as PDF files. I've created the script and everything works fine when the PDFs are stored on the Apache server. I'm running Ubuntu Server 10.04 with LAMP. I have written a VB.NET program which my sales team uses to track info about the customers, including invoices, so the invoices are always saved on a Samba share on the same server. I'm wondering how to go about displaying a PDF file located in another directory.
Currently I have:

Apache
|-WWW
  |-Invoices
  | |- Smith, Joe - Invoice.pdf
  | |- Williams, Mike - Invoice.pdf
  |- InvoiceLogin.php
  |- Invoices.php
InvoiceLogin.php is a simple form; Invoices.php accesses MySQL and then shows only the current user's file(s) as a link to /Invoices/FILE. My problem with this is that anyone can circumvent the login by navigating to mydomain.com/Invoices/Smith, Joe - Invoice.pdf, allowing them to view any invoice if they know the first and last name of the customer.
Does anyone have any suggestions on what I should do to remove the Invoices folder? All invoices are currently saved in \\SERVER\Customer Source\Files\Customer Documents already.
Thank you for all suggestions,
-R
Displaying customer invoices (PDF) on PHP site
MindOverBody (Forum Commoner, Posts: 96, Joined: Fri Aug 06, 2010 9:01 pm, Location: Osijek, Croatia)
Re: Displaying customer invoices on PHP site
Hm, my advice is to change your code a bit. Upon making an invoice, hash the PDF's filename with md5 or sha1 or both algorithms, and add it to the user's database table column. My advice is to hash the name with some private information, like a password or something similar. Upon the user's login, just read the hash value from the DB and get that PDF. This is a bit more secure, because if someone wants to see a user's invoice, they should know his private data, or even the method you used to hash the filename. Hope this helped!
Re: Displaying customer invoices (PDF) on PHP site
I've done what you suggested, however the user can still access the PDF without signing in. I want to force the user to log in every time, similar to how banks work. I can't copy and paste my "account summary" page and revisit the link later without logging in. I use this as a general example that I'm sure everyone can relate to.
Thanks
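The behaviour the original poster is after (no public URL for the PDF, a login check on every request) is usually done by keeping the files outside the Apache DocumentRoot and having a PHP script stream them after checking the session. Below is an added example of such a script; it is not code from the thread or from any of its posters. It assumes a hypothetical directory `/srv/samba/customer_documents` (the local path of the Samba share), a hypothetical MySQL table `invoices(id, customer_id, filename)` that maps each customer to the files they may see, and a login page that sets `$_SESSION['customer_id']` after verifying the password. Because Ubuntu 10.04 ships PHP 5.3, the example avoids functions added later (such as `http_response_code`).

```php
<?php
// download.php - added example, not part of the original thread.
// Assumptions (hypothetical): invoices live OUTSIDE the Apache DocumentRoot,
// in the directory Samba exports (INVOICE_DIR); the table `invoices`
// (id, customer_id, filename) lists which file belongs to which customer;
// InvoiceLogin.php sets $_SESSION['customer_id'] after a successful login.
session_start();

define('INVOICE_DIR', '/srv/samba/customer_documents'); // hypothetical path

// 1. Require a valid login for every request. Since Apache never serves the
//    directory directly, there is no bookmarkable URL that bypasses this check.
if (empty($_SESSION['customer_id'])) {
    header('Location: InvoiceLogin.php');
    exit;
}

// 2. Identify the invoice by a numeric database id, never by a path or name
//    taken from the client.
$invoiceId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($invoiceId === false || $invoiceId === null) {
    header('HTTP/1.1 400 Bad Request');
    exit('Bad request');
}

// 3. Look the file up scoped to the logged-in customer. A customer who
//    guesses another id simply gets no row, so cross-customer access fails.
$pdo = new PDO('mysql:host=localhost;dbname=invoices', 'dbuser', 'dbpass', array(
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
));
$stmt = $pdo->prepare(
    'SELECT filename FROM invoices WHERE id = :id AND customer_id = :cid'
);
$stmt->execute(array(':id' => $invoiceId, ':cid' => $_SESSION['customer_id']));
$filename = $stmt->fetchColumn();
if ($filename === false) {
    header('HTTP/1.1 404 Not Found');
    exit('Not found');
}

// 4. Defence in depth: even though the name came from our own table, refuse
//    anything that resolves outside INVOICE_DIR (e.g. a stored "../").
$base = realpath(INVOICE_DIR);
$path = realpath(INVOICE_DIR . '/' . basename($filename));
if ($base === false || $path === false
    || strpos($path, $base . '/') !== 0 || !is_file($path)) {
    header('HTTP/1.1 404 Not Found');
    exit('Not found');
}

// 5. Stream the PDF with a fixed download name, so the customer's real name
//    (with commas and spaces) never has to be escaped into a header.
header('Content-Type: application/pdf');
header('Content-Disposition: inline; filename="invoice.pdf"');
header('Content-Length: ' . filesize($path));
header('Cache-Control: private, no-store');
readfile($path);
exit;
```

With this in place, Invoices.php links to `download.php?id=123` instead of `/Invoices/FILE`, and the `Invoices` directory under WWW can be removed entirely; the Apache user only needs read permission on the share's local directory. The `no-store` header also keeps the PDF out of shared browser caches, which is what makes the "must log in again later" behaviour hold.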