restrict files access with PHP

Question

vinnyroundfoot 0 Newbie Poster

16 Years Ago

Hi Everyone,

I will soon develop a web application (normally with PHP (cakePHP)) which should allow the users to view their related PDF files. Obviously, I dont' not want that users are able to view other user's PDF files (using for example URL rewriting). I'm looking for a solution for that issue.

I know that a can restrict access to directories (and thus files) using .htAccess but in this case, how can I use the login/password used by the user to log into the application ?

Can someone give me a solution or give me some guideline ?

Thanks

VinnyRoundFoot

php

3 Contributors
4 Replies
1K Views
4 Months Discussion Span
Latest Post 16 Years Ago Latest Post by nepeanmedia

w_3rabi 8 Junior Poster

16 Years Ago

you can use a php file in the url instead of the real pdf name.
this file should check the owner of the file then
prints the contents of the file (echo)
with the apropriate

header("content-type:");

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

vinnyroundfoot 0 Newbie Poster · Answer 1 · 2008-04-24T01:16:34+00:00

Thanks for your feed-back. I have followed your idea and after some search on google, I did what is following :

1. create a document directory on the server
2. inside this document directory, add an .htaccess file with these settings :

order deny,allow
allow from 127.0.0.1
deny from all

These settings should disable access to the directory except for the localhost. Thus PHP should only have access.

3. put a test.pdf file inside the document directory
4. create the following php file to access test.pdf

<?php
  $file = "test/test.pdf";
  header('Content-type: application/pdf');
  header("Content-Disposition: inline; filename=".$file);
  /*header("Content-Disposition: attachment; filename=".$file);*/
  header('Last-Modified: '.gmdate('D, d M Y H:i:s') . ' GMT');
  header('Cache-Control: no-store, no-cache, must-revalidate');
  header('Cache-Control: pre-check=0, post-check=0, max-age=0');
  header('Pragma: anytextexeptno-cache', true);
  header('Cache-control: private');
  header('Expires: 0');
  readfile($file); 
?>

The code displays test.pdf inside your browser. If you want to "download" this file, use this line header("Content-Disposition: attachment; filename=".$file); instead of header("Content-Disposition: inline; filename=".$file); Now I still have to create some authenfication using php but I think that the concept is good.
Also, It should be useful to enforce the code to only display pdf files and not all kind of files, but It should not be a big deal.

hope it can help (even it is not perfect)

vinnyroundfoot 0 Newbie Poster · Answer 2 · 2008-04-24T01:27:26+00:00

I made a small mistake inside the php code.

Please read : $file = "document/test.pdf"; instead of $file = "test/test.pdf"; sorry

nepeanmedia 0 Newbie Poster · Answer 3 · 2008-09-03T21:33:38+00:00

you can use a php file in the url instead of the real pdf name.
this file should check the owner of the file then
prints the contents of the file (echo)
with the apropriate
header("content-type:");

I believe this is what I am looing for and it seems to be the way the moodle restricts unuathorised uploads - could you pinty me to a tutorial that develops this futher ?

cheers

paul