Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
I am creating a website with information that is available to download by PDF.
Users will log in to an "account" area and depending upon who they are different PDF downloads will be made available.
The problem is once the directory containing the downloads is known, users could guess at the download filenames.
Is there any way that PHP can pass a username and password to a directory protected with .htaccess? If there is I could create different folders and once a user logs into to their "account" area in PHP I could record their username and password and direct them to a folder that is protected by .htaccess without them having to login again!
why not store the pdf's off somewhere else, and use a downloader script? If the pdf's were stored outside the document root, then the files can't be downloaded directly via guessing or any other form, they'd require access to the server's file system.
I am not entirely sure what you mean by a "downloader script" When you say somewhere out of reach I figure you mean somewhere above the root in the server directory structure.
a downloader script is a script you link through to fetch something you wish to download. You request xyz from it, it returns the file corresponding to xyz. It does not give the path information, just returns the file itself, along with some additional headers.
I think this is taking me beyond my current knowledge of PHP could you give me any advice on what sort of functions I need to use to create a "downloader script"
your searching powers will be needed... but you don't need that much of them, because we have talked quite often about this type of problem in this forum..