Hey everyone, I don't even know where to begin with this. I need to limit folder access to only those members who are allowed to access them. For example, I'm creating a folder /5/ within a folder called /orderreports/ for the order id 5. I need to check which user in my database has access to that folder (I know how to do that much..), but then I need to limit all of the folders in /orderreports/ so that they can only be accessed by those who area allowed. Any ideas on where to start?
Encrypted 0 Junior Poster in Training
Usernamex235 0 Junior Poster in Training
Hey,
Set up a password protected directory with your web host/on your server.
There's no point explaining it all here, googe "apache(or IIS) password protected directory". Or click here:
You'll notice the first link to the official apache documentation page here:
- http://httpd.apache.org/docs/2.0/howto/auth.html
Or there is a more friendly how-to guide here:
http://www.thesitewizard.com/apache/password-protect-directory.shtml
- http://httpd.apache.org/docs/2.0/howto/auth.html
Just make sure you follow the instructions carefully and it should be straightforward!
All the best :)
jeeter19 -2 Light Poster
Beginning of your page you can see if the user has the correct access level.
If they do: Let them stay and load the page.
If they don't: Redirect them to whichever page you'd like.
Below is just pseudo-code, but you should get the idea:
<?php
if ($userAuth < 1)
header('index.php');
?>userAuth could be a variable that you filled with the value from a query against the database that determined their access level on that page.
Hope this helped!
Usernamex235 0 Junior Poster in Training
@jeeter19
Wouldn't that still allow access to directories via uri? For example if the "sensitive" file was located at example.com/files/abc.doc what's to stop someone (or a bot) finding that file by going to example.com/files/abc.doc, thus bypassing any php pages that would link to it if logged in?
@poster
If you don't want to go down the "secured directories" route, you could get PHP to build/serve docx/png files from secured database content. EG storing the content of the doc in a db and building the file as neccessary when requested. You could store images in a long blob field, this might be the best solution to your problem :)
You could even get PHP to generate those files on-the-fly once a user is authorised.
Encrypted 0 Junior Poster in Training
@jeeter19 that doesn't help at all. I want to protect the files, not the directory.
@Rade Mind explaining that a bit better? I'm not quite sure where you're going.
Edit: Well, I know where you're going.. but I'm not sure how to execute that.
Usernamex235 0 Junior Poster in Training
You can store (relatively small) files such as documents in a mysql database in a "BLOB" (binary long object) field and then query them as easily as a normal string. It's actually easier than it may seem at first, believe me ;)
Here is a brilliant tutorial:
http://php.about.com/od/phpbasics/ss/mysql_files.htm
Once done, you can simply do
if (user logged in)
{
sql to serve file...;
}
else
{
echo "You do not have permission to view this file";
}
It shouldn't take you long to get it up and running but if there are any problems do report back.Watch out on the last page though - you probably don't want to delete the files after serving them!
Let us know how it goes or if there's anything else :)
Be a part of the DaniWeb community
We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.