[thelist] File Security

Carl Meyer cjmeyer at npcc.net
Mon Mar 22 22:58:10 CST 2004


hi JP,

On Mon, 22 Mar 2004 live4bacon at optonline.net wrote:
> Good day, I have, say, 3 clients each having their own secure area.  In
> this area the client would be able to upload/download files to/from me.
[snip]
> How can I keep someone from downloading files directly from this folder?

You have two options.  One is to simply use HTTP Basic authentication, and
protect the directory the files reside in (use a .htaccess file under
Apache).
                                                                                
If you want to handle the authentication in your own scripts, then you need
to place the secured files outside the server root.  Your script, after
verifying their permission to access the file, can pass the file through to
their browser using something like the PHP readfile() function.  Note that
you'll likely have to set some HTTP headers manually for the browser to
handle the downloaded file the way you want[1].  Also, you may have to be
tricky with your URLs if you want the default filename for the user's
download to be correct.  With Apache/PHP, you can use a URL like this:
                                                                                
http://www.example.com/download/file.php/SomeDocument.xls
                                                                                
to trick the browser into using the name SomeDocument.xls (you can get to
that value in your script via $_SERVER['PATH_INFO']).  This is lots nicer
than
                                                                                
http://www.example.com/download/file.php?file=SomeDocument.xls
                                                                                
which most browsers will try to download as
"file.php?file=SomeDocument.xls".

HTH
                                                                                
Carl
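
An added example (not part of the original message, and not Carl's code) of the second option: a file.php that checks permission, maps PATH_INFO to a file outside the server root, sets the download headers and passes the file through with readfile(). The storage path /var/secure_files/<client_id>/ and the $_SESSION['client_id'] value set by a separate login script are assumptions made for illustration.

```php
<?php
// file.php - added example, not from the original post.
// Assumptions (hypothetical): files live in /var/secure_files/<client_id>/,
// and a login script has already set $_SESSION['client_id'].

const STORAGE_ROOT = '/var/secure_files';   // outside the web server's document root

// Resolve a PATH_INFO value to a real file inside the client's own directory,
// or return null if the name is missing, malformed or escapes that directory.
function resolve_download(string $root, string $clientId, string $pathInfo): ?string
{
    // Keep only the last path component so "../" sequences cannot climb out.
    $name = basename($pathInfo);
    if ($name === '' || $name[0] === '.' || !preg_match('/^[A-Za-z0-9._ -]+$/', $name)) {
        return null;
    }
    $base = realpath($root . '/' . $clientId);
    $file = realpath($root . '/' . $clientId . '/' . $name);
    // realpath() follows symlinks; require the result to stay under the client's directory.
    if ($base === false || $file === false || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return is_file($file) ? $file : null;
}

session_start();
if (empty($_SESSION['client_id']) || !ctype_alnum((string) $_SESSION['client_id'])) {
    http_response_code(403);
    exit('Not authorised');
}

$file = resolve_download(STORAGE_ROOT, (string) $_SESSION['client_id'], $_SERVER['PATH_INFO'] ?? '');
if ($file === null) {
    http_response_code(404);
    exit('No such file');
}

// Headers the browser needs to treat the response as a download.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($file) . '"');
header('Content-Length: ' . filesize($file));
header('X-Content-Type-Options: nosniff');
readfile($file);
```

Because the client directory comes from the session and not from the URL, one client cannot name another client's files, and the filename check keeps quotes and control characters out of the Content-Disposition header.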
               


