Protecting a folder

hame22
Forum Contributor
Posts: 214
Joined: Wed May 11, 2005 5:50 am

Protecting a folder

Post by hame22 »

Hi people

I have a member service (PHP session login) where members can purchase credits and then exchange these for PDF downloads.

All the PDFs are held within a particular folder.

In the standard way, in order to download/access the PDF a member must be logged in and have sufficient credits, else they are forced to error pages.

However, if somebody knew the address where the PDFs are kept they would have complete access to these products without ever having registered or purchased credits... which obviously is a bit of a problem to the business!!

I was hoping whether any of you knew any good techniques and methods to protect this folder from "intruders" while linking in with my current PHP login and credit scripts???

Thanks in advance, this would be a life saver!!!

alex
JAM
DevNet Resident
Posts: 2101
Joined: Fri Aug 08, 2003 6:53 pm
Location: Sweden

Post by JAM »

I was thinking about something completely different during reply and need to remove this post so that I don't confuse people.
I apologize. :oops:

Keep reading for the suggestion I should have given.
Last edited by JAM on Thu Sep 01, 2005 9:48 am, edited 1 time in total.
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

The other very common option is to store the files outside the webroot, but never copy them over. Instead a "download.php" script exists that will check permissions, etc. and then send the appropriate headers for the download type and simply pass the contents of the file through.
hame22
Forum Contributor
Posts: 214
Joined: Wed May 11, 2005 5:50 am

Post by hame22 »

OK, that makes a lot of sense.

So from what you are saying, I place the folder of PDFs outside the webroot.....

......then I have my download script as at present, which checks login and if they have sufficient credits....

and lastly, instead of at present where my header(Location:...) redirects to a PDF in a folder inside my webroot, it will redirect to this new folder outside of the webroot?

Is my interpretation correct?

Thanks for your help
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

hame22 wrote: and lastly instead of at present where my header(Location:...) redirects to a pdf in a folder inside my web root it will redirect to this new folder outside of the webroot?

Almost. You can't redirect to a folder outside the webroot; you can send various Content-Type headers and pass the file through.

Something like this (from the PHP manual for header()):

<?php
// We'll be outputting a PDF
header('Content-type: application/pdf');

// It will be called downloaded.pdf
header('Content-Disposition: attachment; filename="downloaded.pdf"');

// The PDF source is in original.pdf
readfile('original.pdf');
?>
(This is a near-working version for PDFs... as the manual says, this has some problems with older versions of MSIE.)

Of course, you'd need to change the 'original.pdf' to the full path to the file outside the webroot.
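
The download.php approach described in this thread, as an added example that is not part of the original posts: it repeats the login and credit check, maps the requested name to a file outside the webroot, and streams it instead of redirecting. The PDF_DIR path, the session keys member_id and credits, the ?file= parameter and the resolve_pdf() helper are all assumptions made for illustration.

```php
<?php
// Added example, not from the thread. PDF_DIR, the session keys and the
// ?file= parameter are assumptions; adapt them to your login/credit scripts.
declare(strict_types=1);

const PDF_DIR = '/var/www/private/pdfs'; // assumed path, outside the document root

// Map a requested name to a real file inside $baseDir, or null if it is not
// a plain "name.pdf" or resolves (via ".." or a symlink) outside $baseDir.
function resolve_pdf(string $baseDir, string $requested): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_-]+\.pdf\z/', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

session_start();

// Same checks the existing script already performs (session keys assumed).
if (empty($_SESSION['member_id']) || (int) ($_SESSION['credits'] ?? 0) < 1) {
    http_response_code(403);
    exit('Login and sufficient credits are required.');
}

$name = $_GET['file'] ?? '';
$path = is_string($name) ? resolve_pdf(PDF_DIR, $name) : null;
if ($path === null) {
    http_response_code(404);
    exit('No such document.');
}

// Deduct the credit in your own store here, before any bytes are sent.

// No Location: redirect; the script streams the bytes itself.
header('Content-Type: application/pdf');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Because the file name comes from the request, the strict pattern and the realpath() prefix check are what keep a logged-in member from reading other files on the server through this script.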
hame22
Forum Contributor
Posts: 214
Joined: Wed May 11, 2005 5:50 am

Post by hame22 »

Forget what I just wrote, I've fixed it!!