directory protection with php

jchibbra
Forum Newbie
Posts: 11
Joined: Wed Apr 30, 2003 5:48 pm

directory protection with php

Post by jchibbra »

Hi Folks,


I am a new PHP developer in the community. Before posting I read some articles about authentication and directory protection and did some research, but I didn't find anything to solve my problem.

Let me explain my requirement:

This is how the website works and what I want:
There is an authentication with PHP/MySQL (login/passwd). When the user is authenticated I know his group (e.g. group1 or group2 or group3).
Now I have 3 directories, which are group1, group2 and group3.
I would like users from group1 to be able to access all the groups (group1, group2 and group3), users from group2 to be able to access group2 and group3, and users from group3 to be able to access only group3.
The last constraint is that I don't want to ask again for a login/pass (like .htaccess, which asks for a login and pass).

The purpose of this restriction is that in each directory (group1, group2 and group3) there are images. I would like to prevent users from accessing their content by typing the path in the URL (e.g. http://www.mysite.com/group1/image1.png). That is why I need some restriction.

Is there any way to use PHP to protect access to these directories?
If you have any idea how to implement that, could you let me know?

Thank you very much for your help

Akeold
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

You might pass each request for an image through a PHP script that checks permissions and then delivers the data or not.
That would result in links like http://www.mysi.te/image.php?g=1&image=1
McGruff
DevNet Master
Posts: 2893
Joined: Thu Jan 30, 2003 8:26 pm
Location: Glasgow, Scotland

Post by McGruff »

To stop anyone opening an image by typing in the full path .htaccess might be the only 100% option.

With no .htaccess, anyone can open an image by typing in the full path & image name - but it might not be very likely that they WOULD actually know (or guess) all that.

With .htaccess protected groupX folders, you should be able to avoid repeated authentication requests if your scripts create URLs like:

http://name:pass@www.yoursite.com/group ... hp?var=etc

Would you need to urlencode() names and passes which you pass in the URL? Not entirely sure if they'd be automatically decoded again at the other end. If names and passes don't contain any spaces or special chars it won't matter (could be tough on O'Reilly).

You can also store images in a mysql database, allowing you to control delivery entirely from php. Always seemed kinda daft to me to put images in a db - but maybe here's a valid reason to do it.
Last edited by McGruff on Wed Apr 30, 2003 7:49 pm, edited 2 times in total.
jchibbra
Forum Newbie
Posts: 11
Joined: Wed Apr 30, 2003 5:48 pm

Post by jchibbra »

[quote="volka"]... and then delivers the data or not.
That would result in links like http://www.mysi.te/image.php?g=1&image=1[/quote]

How do I deliver the data?? with header (......)
For example the guy clicks on the link http://www.mysi.te/image.php?g=1&image=1.
I check the access and it is correct. How do I open the picture?

Thanks again
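
One way to write the permission-checking script volka describes, including the step of delivering the data, as an added example that is not code from any poster in this thread. It assumes the login script stored the user's group number in `$_SESSION['group']` and that the images are kept outside the web root under a hypothetical `/var/www/protected/group<N>/image<M>.png` layout.

```php
<?php
declare(strict_types=1);
// image.php?g=1&image=1 (added example, not code from the thread).
// Assumed: the login script stored the group number (1-3) in
// $_SESSION['group']; images are stored outside the web root.
const IMAGE_ROOT = '/var/www/protected'; // hypothetical location

// Rule from the first post: group1 sees groups 1-3, group2 sees 2-3,
// group3 sees only 3, so a user may open directories numbered >= their own.
function may_access(int $userGroup, int $dirGroup): bool
{
    return $userGroup >= 1 && $userGroup <= 3
        && $dirGroup >= $userGroup && $dirGroup <= 3;
}

function deny(int $status): void
{
    http_response_code($status);
    exit;
}

session_start();
// Not logged in: refuse before looking at any request parameter.
if (!isset($_SESSION['group'])) {
    deny(403);
}

// Accept integers only, so no "../" or other path text reaches the filesystem.
$dir   = filter_input(INPUT_GET, 'g', FILTER_VALIDATE_INT);
$image = filter_input(INPUT_GET, 'image', FILTER_VALIDATE_INT);
if (!is_int($dir) || !is_int($image) || $image < 1) {
    deny(400);
}
if (!may_access((int) $_SESSION['group'], $dir)) {
    deny(403);
}

$path = sprintf('%s/group%d/image%d.png', IMAGE_ROOT, $dir, $image);
if (!is_file($path)) {
    deny(404);
}

// Deliver the data: declare the type, keep shared caches out, stream the file.
header('Content-Type: image/png');
header('Content-Length: ' . (string) filesize($path));
header('Cache-Control: private, no-store');
readfile($path);
```

Pages then reference pictures as `<img src="image.php?g=1&image=1">`. The check only holds if the group directories cannot also be fetched directly, which is why this sketch keeps them outside the web root.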
McGruff
DevNet Master
Posts: 2893
Joined: Thu Jan 30, 2003 8:26 pm
Location: Glasgow, Scotland

Post by McGruff »

bump - been editing the post above
jchibbra
Forum Newbie
Posts: 11
Joined: Wed Apr 30, 2003 5:48 pm

Post by jchibbra »

Thank you guys for your help.

I am just going to explain why I need to restrict the access.
I am working on a web site where people subscribe for access for a month (they pay every month until they cancel their subscription) and have access to several galleries. If someone takes the most expensive subscription he will access all the galleries; thus the next month he can unsubscribe and he will still be able to access all the galleries if I don't check the access. That is how someone can know the URL.

Thanks again for your help.