Sorry to all if this is in the wrong forum, I'll move it if someone tells me where it should go.

I saw another poster discussing some files stored above the root ... well here's what was posted:

"I have a script which generates invoices as PDF files and stores them just above www level (so they cannot be accessed directly via a URL)."

How does this work (I would like to use this)? If the files cannot be accessed via a URL, how are they accessed?

Thanks,

Simon.

>Sorry to all if this is in the wrong forum
If your script is written in PHP, and your question is related to PHP/your script, then I would say that it's in the correct forum.

You can reference files outside the DocumentRoot in your PHP scripts. You can use either relative or absolute path names, since PHP can "see" the whole file system.

Yep, it's a PHP thingie then!

Right, so I store the files outside of the root. Users log on to the site and get the appropriate session details set. Then they browse to a page full of links to various files, PDFs and MP3s. Some files are public and everyone gets that list. Some files are private and only logged users see that list.

How should I form the URL to link to the private files and what's to stop a user returning to a file after they have logged off?

Thanks,

Simon.

You should put the public and private files into separate directories.
Create a script using the directory functions available in PHP, such as scandir(), to list the directory contents. You may protect this file using a session so that only logged-in users may access it.

Ah ... now that's the bit I don't get ... how do I protect a file or a directory using PHP (general pointers ... not asking for it to be done for me!)?

I have a log in routine, the relevant session is set and that's fine, I can do anything I like inside a page using PHP to list information according to logged status.

So, say I list a load of links to some mp3 files and some of these mp3s are only listed for logged on users ... what's to stop someone simply putting the URL for the mp3 file itself in? They would still get the file even if they were not logged in.

My code has to work on Windows IIS and Apache. I believe that I could accomplish this on a Linux machine with .htaccess but I don't have that luxury.

As a point of interest, will .htaccess work on sites hosted on my mac?

thanks for your help,

Simon.

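using php the user never sees the url of the file
and without a logged in session nothing

<?php /* download.php */
session_start();
// better session validation than that but it's a thought example
// ('logged_in' stands for whatever key your login routine sets)
if (empty($_SESSION['logged_in'])) { die('only registered users'); }
// basename() drops any directory part, so the request cannot climb out of the hidden directory
$filename = basename($_GET['filename'] ?? '');
$hiddenfile = "../absolutepath/$filename";
if ($filename === '' || !is_file($hiddenfile)) { die('file not found'); }
header('Content-Type: audio/mpeg'); // MIME type for mp3
header('Content-Disposition: attachment; filename="' . $filename . '"'); // single quotes do not expand $filename
readfile($hiddenfile);
?>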

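very poor code, unchecked, don't think it works, it's a concept example

<a href='download.php?filename=whilemyguitar.mp3'>the beatles-while my guitar gently weeps</a>
<?php /* download.php */
session_start();
// basename() drops any directory part, so the request cannot climb out of the hidden directory
$filename = basename($_GET['filename'] ?? '');
// 'logged_in' stands for whatever key your login routine sets
if (empty($_SESSION['logged_in'])) { $hiddenfile = "../absolutepath/polkamusic.mp3"; } // evil laugh
else $hiddenfile = "../absolutepath/$filename";
header('Content-Type: audio/mpeg'); // MIME type for mp3
header('Content-Disposition: attachment; filename="' . $filename . '"'); // single quotes do not expand $filename
readfile($hiddenfile);
?>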

!logged_in users get polka music for every mp3 they download

commented: Very helpful, thank you. +1
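
An added example, not code from any poster in this thread: a download.php that serves the public directory to everyone and the private directory only while the session is logged in, and refuses any name that resolves outside those directories. The directory layout, the `logged_in` session key and the extension list are assumptions.

```php
<?php
/* download.php (added example; paths and session key are assumed names) */
declare(strict_types=1);

// Assumed layout: both directories sit one level above the web root.
const PUBLIC_DIR  = __DIR__ . '/../files/public';
const PRIVATE_DIR = __DIR__ . '/../files/private';
const MIME_TYPES  = ['mp3' => 'audio/mpeg', 'pdf' => 'application/pdf'];

// Map a requested name to a real file inside $baseDir.
// Returns null if it is missing or resolves outside the directory (../ or a symlink).
function resolve_download(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . basename($requested));
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // Containment check: the resolved path must still begin with the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

session_start();
$loggedIn = !empty($_SESSION['logged_in']); // set at login, cleared at logout

// Reject array input such as ?filename[]=x by treating it as an empty name.
$name = is_string($_GET['filename'] ?? null) ? $_GET['filename'] : '';
$path = resolve_download(PUBLIC_DIR, $name);
if ($path === null && $loggedIn) {
    $path = resolve_download(PRIVATE_DIR, $name);
}
$ext = $path === null ? '' : strtolower(pathinfo($path, PATHINFO_EXTENSION));
if ($path === null || !array_key_exists($ext, MIME_TYPES)) {
    // Same answer for "missing" and "not allowed", so private names are not confirmed.
    http_response_code(404);
    exit('Not found');
}

header('Content-Type: ' . MIME_TYPES[$ext]);
header('Content-Length: ' . (string) filesize($path));
header('Content-Disposition: attachment; filename="' . str_replace('"', '', basename($path)) . '"');
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store'); // keep copies out of shared caches after logout
readfile($path);
```

Because the session is checked on every request, a link to a private file stops working as soon as the login routine clears the session, and the same script runs unchanged on IIS and Apache since it does not rely on .htaccess.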

Almostbob you are a star, thank you. The penny has finally dropped. This has vexed me for some years now and I finally get it thanks to your replies. Now, if someone could explain what the second number in a musical time signature means then I would be walking on air! :)

I love the idea of serving up polka music to hackers!

thanks,

Simon.
