Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
<?php
session_start();
// A missing index would raise a notice; default to an empty string.
$permission = $_SESSION["permission"] ?? "";
// "!$permission == 'yes'" parses as "(!$permission) == 'yes'", so a stored value
// such as "no" would be let through; compare the string itself, strictly.
if ($permission !== "yes") {
echo 'You are not allowed to access this page. Please access this page through our <a href="/index.php">Client Login Page</a>';
echo '<script language="javascript" src="/include/javascript/logon_unsuccessful.js"></script>';
exit; // stop here, otherwise the protected content below is still sent
}
?>
This works great for html docs, but what about downloads? How do I protect those?
if ( $permission !== "yes" ) // strict comparison; "!$permission == 'yes'" parses as "(!$permission) == 'yes'"
{
//blah blah blah (the "not allowed" message from the header goes here)
exit; // never fall through to the file
}
else
{
//set the content-type to whatever the correct PDF type is... lookup the header() function
header('Content-Type: application/pdf');
readfile('the_pdf_file_that_should_be_in_a_non-public_directory.pdf');
}
Hope that helps, I'll expound on something if you need me to
I think I follow you. The problem is, this would work for a pdf, but not for an html doc. This means I need two different header.php files; one to handle the html docs and one to handle the pdfs. I don't think .htaccess/auto_prepend_file can differentiate between file types that it's being attached to.
BUT
Your idea led me to another way to do this:
I put all pdfs in a non-public directory like you said, and link all pdf downloads to a "download.php" file within a public directory. Point the link, like "<a href='download.php?myspecs.pdf'>LINK</a>". Have the download.php file include the redirect code (if !$permission), and do the readfile() from there using $_GET.
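One way to write that download.php, as an added example rather than the poster's own code: it assumes the private directory is /var/www/private_docs (outside the web root), that the session flag is $_SESSION["permission"], and that the link passes the name as a named parameter (download.php?file=myspecs.pdf) so it can be read from $_GET and confined to that directory before readfile() runs.

```php
<?php
// Added example: gatekeeping download.php for the scheme described in the thread.
// Assumed (not from the thread): files live in /var/www/private_docs, outside the
// public tree, and the session flag is $_SESSION["permission"].
session_start();

// Strict comparison: "!$permission == 'yes'" parses as "(!$permission) == 'yes'"
// and would let a value such as "no" through.
$permission = $_SESSION["permission"] ?? "";
if ($permission !== "yes") {
    http_response_code(403);
    echo 'You are not allowed to access this page. Please access this page through our <a href="/index.php">Client Login Page</a>';
    exit; // without exit the file below would still be sent
}

$privateDir = '/var/www/private_docs'; // assumed location

// The requested name arrives as ?file=myspecs.pdf. Reject anything that is not a
// plain string, reduce it to a bare file name with basename() so "../" or an
// absolute path cannot escape $privateDir, and only accept names that look like a PDF.
$raw = $_GET['file'] ?? '';
$requested = is_string($raw) ? basename($raw) : '';
if ($requested === '' || !preg_match('/^[A-Za-z0-9._-]+\.pdf$/', $requested)) {
    http_response_code(400);
    exit('Invalid file name');
}

// realpath() resolves symlinks; confirm the result is still inside $privateDir
// and is a regular file before serving it.
$base = realpath($privateDir);
$real = realpath($privateDir . DIRECTORY_SEPARATOR . $requested);
if ($base === false || $real === false || !is_file($real)
    || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(404);
    exit('File not found');
}

header('Content-Type: application/pdf');
header('Content-Disposition: attachment; filename="' . $requested . '"');
header('Content-Length: ' . filesize($real));
readfile($real);
exit;
```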