.htaccess and php -not creating/editing, just communicating

Posted: Tue Jul 26, 2005 7:03 pm
by fosco
Ok, so I am going ever so quietly mad with this one.
I've been working to relatively secure some downloads for a friend of mine. They have log ins that I've helped them with and that is all fine.

The directory with the download files in it has been restricted by me with .htaccess and such and that works fine, but what I want to do is have a php script pass the username and password for the directory without it being seen by the user.

So, they log in, get access to the page listing the downloads then click on a download and the php script passes the username and password for the protected directory to the server without the user seeing either the password or the username as there is one username and password for the user (specific to the user) and 1 for the directory (which is the same no matter who is using the site).

I hope it's possible. If not, is there some sly workaround I could use?

Cheers for any help you can give.

Posted: Tue Jul 26, 2005 7:06 pm
by timvw
You can easily create your own script that generates an index of the files in the directory... And then generate a link to each of these files in the style of download.php?file=filen_name... And then write a simple download.php script...

thanks, but

Posted: Tue Jul 26, 2005 7:18 pm
by fosco
hi, thanks for the swift reply, but it doesn't really help me
I am not having a problem with displaying the downloads or even with the downloading of them with php, my problem is with securing them.
I'm not going SSL or anything. The security doesn't need to be genius proof, but does need to stop people from simply typing in the direct link and getting the download, so I enabled .htaccess and limited it to 1 'user'.
Many users use the site each with their own log in, what I want to do, is once they are logged in (which is $_SESSION based) I want them to have access to the files protected by the .htaccess, without them seeing, having access to or knowing the username and password for the directory holding the downloads. Is there a way of doing this, of having php do the logging in (to the password protected directory) giving the user access to the files, but not the username and password of the directory?

If you can, please help.

I don't mind securing the downloads in another way, but don't want to add each user to a group file for the .htaccess.

Posted: Tue Jul 26, 2005 8:26 pm
by timvw
I never mentioned you should use .htaccess... I did not even say you should put them in a public place..

Keep them away from the public, and only offer them from a php script. In that way you can use your already existing php authentication mechanism.. And don't need to look at .htaccess

outside the public directory?

Posted: Tue Jul 26, 2005 8:35 pm
by fosco
hello,
thanks again for the swift reply
from your other reply, I thought you'd missed something from my post, sorry

I thought about putting them outside the public directory on the server, but had been told by the host company that you can't access files outside the public directory

could you tell me a way to enable them to be accessed via php then, when they are outside the public directory?

I'm not new to php, but am by no means an expert

Thanks for the help you've already given and for any further help you can give me

Posted: Wed Jul 27, 2005 8:18 am
by timvw
Well, when he says they are outside the public directory, people can't request http://example.com/movie.avi..

That is exactly what you want ;)


Now if you use a script like http://timvw.madoka.be/programming/php/download.txt you can easily read a file from a different location (outside the public directory) and pass it to the visitor.. (Of course you want to check if they are logged etc first...)

ok, one last question

Posted: Wed Jul 27, 2005 8:45 am
by fosco
Thanks for all the help, much appreciated

one last question would be, how would I find out the path to the files?

If I have put them outside public access eg outside (domain.com directory) in, say, downloads directory, where would I point to in the script you linked to?

Is there a norm?

Posted: Wed Jul 27, 2005 8:51 am
by timvw
You can choose wherever you want...

Your directory layout could be like

Code:

/home/user/www
/home/user/www/moviez
    + tim.avi
/home/user/www/public
    + download.php

So people can surf to http://example.com/download.php

And download.php would be configured to pass e.g. '/home/user/www/moviez/tim.avi'..

Now all you need to do is make the code a little more dynamic.. And you're ready to go :)
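
The download.php approach described in this thread, as an added example (it is not timvw's linked script and not part of any post here). The directory follows the layout above; the session key `logged_in` is an assumption standing in for the site's existing login check, and the `file` parameter is confined to the download directory so a request cannot name files elsewhere on the server.

```php
<?php
// Added example, not timvw's linked script. DOWNLOAD_DIR follows the layout
// in the thread; the session key 'logged_in' is an assumption.
declare(strict_types=1);

const DOWNLOAD_DIR = '/home/user/www/moviez'; // outside the public directory

/**
 * Map the ?file= value to a real file inside $baseDir, or null if the
 * name is missing, escapes the directory, or is not a regular file.
 */
function resolve_download(string $baseDir, ?string $requested): ?string
{
    if ($requested === null || $requested === '') {
        return null;
    }
    // basename() drops any directory part: "../../etc/passwd" becomes "passwd".
    $name = basename($requested);
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null;
    }
    // realpath() follows symlinks, so require the result to still sit inside $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0 || !is_file($path)) {
        return null;
    }
    return $path;
}

session_start();
if (empty($_SESSION['logged_in'])) {   // reuse the site's existing PHP login
    http_response_code(403);
    exit('Please log in first.');
}

$requested = isset($_GET['file']) && is_string($_GET['file']) ? $_GET['file'] : null;
$path = resolve_download(DOWNLOAD_DIR, $requested);
if ($path === null) {
    http_response_code(404);
    exit('No such download.');
}

// Keep the suggested filename to a safe character set before echoing it in a header.
$safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $safeName . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```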

Posted: Wed Jul 27, 2005 10:30 am
by fosco
:lol:

Fantastic.
Sorted it out now.

Many, many thanks.