Security for certain files/directory
Posted: Wed Sep 13, 2006 12:50 pm
Hi, I'm really new to PHP. Basically I'm setting up a few things for my work. I'm adding a feature that lets clients log in and view certain .xls files and whatnot. It will be their results that our company provides for them...
So I've almost got the login part of it done. I don't think I'll have too hard of a time getting the rest set up, but now that I'm thinking about it, I think I have a problem.
Client A needs to access his .xls files.
Client B needs to do the same thing.
All the files are stored in, let's say, /clientfiles directory.
I need to make it so only Client A can access his files and no one else's files.
Maybe I can make it a bit clearer. Client A logs in with the username and password I provide him (he can change his pass). On the next page it says welcome so and so and you have X amount of results ready for download. I was thinking I was just going to generate the link using PHP according to what the filename is in the MySQL database. So anyway, he clicks the link that lists all the results .xls files to download...
Let's say they're all stored at http://www.mydomain.com/clientfiles. So he has 3 files listed there:
http://www.mydomain.com/clientfiles/file1.xls
http://www.mydomain.com/clientfiles/file2.xls
http://www.mydomain.com/clientfiles/file3.xls
Now, what is to stop him, and anyone else, from just going to http://www.mydomain.com/clientfiles/ and seeing all the files in that directory and being able to download them? Is there a way I can fix this so only the logged in client can access only those files? Or am I going to have to do something totally different as a solution?
Any help is much appreciated. I really don't know too much about PHP, so far I've been using tutorials and using "trial and error" changing the code here and there to suit my needs. I do know HTML like the back of my hand, so I do understand the basics and how PHP functions, I just don't know the commands, etc, for it yet. Thanks again.
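One way to close the gap described in the post, as an added example that is not part of the original post: keep the files outside the web root so no URL maps to them, and serve each one through a script that checks the session and the file's owner. The storage path, the `client_files` table and its columns, the database credentials and the `$_SESSION['client_id']` key are all assumptions made for illustration.

```php
<?php
// download.php (added example). Linked as download.php?id=<number>,
// never as a direct URL to the .xls file.
declare(strict_types=1);
session_start();

// Hypothetical directory OUTSIDE the document root: the web server
// cannot list it or serve from it directly.
const STORAGE_DIR = '/var/private/clientfiles';

function deny(int $code): void
{
    http_response_code($code);
    exit;
}

// 1. Only a logged-in client gets past this point. The login script is
//    assumed to store the client's id in the session.
if (!isset($_SESSION['client_id'])) {
    deny(403);
}

// 2. The link carries an opaque numeric id, not a filename or path.
$fileId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($fileId === null || $fileId === false) {
    deny(400);
}

// 3. Ownership is part of the query: Client A asking for Client B's
//    file id gets the same 404 as a file that does not exist.
$pdo = new PDO('mysql:host=localhost;dbname=results;charset=utf8mb4',
    'app_user', 'app_password',               // placeholder credentials
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$stmt = $pdo->prepare(
    'SELECT stored_name, display_name FROM client_files
      WHERE id = ? AND client_id = ?');
$stmt->execute([$fileId, $_SESSION['client_id']]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($row === false) {
    deny(404);
}

// 4. Resolve the path and confirm it is still inside STORAGE_DIR.
$path = realpath(STORAGE_DIR . '/' . basename($row['stored_name']));
$prefix = STORAGE_DIR . '/';
if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0 || !is_file($path)) {
    deny(404);
}

// 5. Stream the file as a download with a sanitized display name.
$name = preg_replace('/[^A-Za-z0-9._-]/', '_', $row['display_name']);
header('Content-Type: application/vnd.ms-excel');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

The results page would then list only the rows where `client_id` matches the session and link each one as `download.php?id=...`.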