A JM

Everything posted by A JM

  1. My users login via credentials stored in MySQL; they are not users on the server. I have files that I want them to be able to download as long as they are logged in. I use an Iframe on my main page to show the files in the directory that I want the users to be able to download from. My problem seems to be stemming from my "groups" that I'm using, or something isn't passing correctly to the Iframe - as long as you are logged in as a member of the "administrator" group the file download works, but if you are in the "adjuster" group it doesn't??? The adjuster is allowed to login to the main page, just not download a file from the IFrame. This is my current routine I'm using to check user credentials on my main page along with the Iframe link:

     <?php
     //initialize the session
     if (!isset($_SESSION)) {
       session_start();
     }
     // ** Logout the current user. **
     $logoutAction = $_SERVER['PHP_SELF']."?doLogout=true";
     if ((isset($_SERVER['QUERY_STRING'])) && ($_SERVER['QUERY_STRING'] != "")){
       $logoutAction .="&". htmlentities($_SERVER['QUERY_STRING']);
     }
     if ((isset($_GET['doLogout'])) &&($_GET['doLogout']=="true")){
       //to fully log out a visitor we need to clear the session variables
       $_SESSION['MM_Username'] = NULL;
       $_SESSION['MM_UserGroup'] = NULL;
       $_SESSION['PrevUrl'] = NULL;
       unset($_SESSION['MM_Username']);
       unset($_SESSION['MM_UserGroup']);
       unset($_SESSION['PrevUrl']);
       $logoutGoTo = "../index.html";
       if ($logoutGoTo) {
         header("Location: $logoutGoTo");
         exit;
       }
     }
     ?>
     <?php
     if (!isset($_SESSION)) {
       session_start();
     }
     $MM_authorizedUsers = "administrator,adjuster";
     $MM_donotCheckaccess = "false";

     // *** Restrict Access To Page: Grant or deny access to this page
     function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) {
       // For security, start by assuming the visitor is NOT authorized.
       $isValid = False;

       // When a visitor has logged into this site, the Session variable MM_Username set equal to their username.
       // Therefore, we know that a user is NOT logged in if that Session variable is blank.
       if (!empty($UserName)) {
         // Besides being logged in, you may restrict access to only certain users based on an ID established when they login.
         // Parse the strings into arrays.
         $arrUsers = Explode(",", $strUsers);
         $arrGroups = Explode(",", $strGroups);
         if (in_array($UserName, $arrUsers)) {
           $isValid = true;
         }
         // Or, you may restrict access to only certain users based on their username.
         if (in_array($UserGroup, $arrGroups)) {
           $isValid = true;
         }
         if (($strUsers == "") && false) {
           $isValid = true;
         }
       }
       return $isValid;
     }

     $MM_restrictGoTo = "manage.php";
     if (!((isset($_SESSION['MM_Username'])) && (isAuthorized("",$MM_authorizedUsers, $_SESSION['MM_Username'], $_SESSION['MM_UserGroup'])))) {
       $MM_qsChar = "?";
       $MM_referrer = $_SERVER['PHP_SELF'];
       if (strpos($MM_restrictGoTo, "?")) $MM_qsChar = "&";
       if (isset($QUERY_STRING) && strlen($QUERY_STRING) > 0)
         $MM_referrer .= "?" . $QUERY_STRING;
       $MM_restrictGoTo = $MM_restrictGoTo. $MM_qsChar . "accesscheck=" . urlencode($MM_referrer);
       header("Location: ". $MM_restrictGoTo);
       exit;
     }
     ?>

     The Iframe html from the main page:

     <iframe src="adj_file_list.php?ID=<?php echo $colname_rstConfirm; ?>" name="filelist_frame" width="500" height="175" frameborder="0"></iframe>

     This is the php from the IFrame page:

     <?php
     //initialize the session
     if (!isset($_SESSION)) {
       session_start();
     }
     $recordID= $_SESSION['port_recordID']; //variable comes from detail page only used to carry claimnumber
     $path = "../claims/" . $recordID . "/";
     ?>
     <?php
     $dir = dir($path);
     while($file = $dir->read()) {
       if($file != '.' && $file != '..') {
         echo "<form method='post' action="?><?php echo" ><a href= /pages/download.php?file=$file&recordid=$recordID> $file </a></form>";
       }
     }
     ?>

     Any help would be appreciated on this. Thanks. A JM,
  2. Well I think I've resolved all the problems, let me know what you think. From the main form I'm setting the variable for $recordID using a $_SESSION and it is retrieved from the actual recordset.

     $recordID= $_SESSION['port_recordID']; //variable used to carry claimnumber

     Then in the Iframe I just get the variable from the $_SESSION['port_recordID']

     $recordID= $_SESSION['port_recordID'];

     Using that scenario all my problems disappeared... what do you think? Should I run into any problems with the $_SESSION variable; do I need to do anything in particular with it before or after its use?

     <?php
     //initialize the session
     if (!isset($_SESSION)) {
       session_start();
     }
     $recordID= $_SESSION['port_recordID']; //variable comes from detail page only used to carry claimnumber
     $path = "../documents/" . $recordID . "/";
     if(isset($_GET['delete']) && $_GET['delete']=='true') {
       $fname = $_GET['deletefile'];
       $fID = $_GET['recordid'];
       $path = '../documents/' . $fID . '/';
       //print_r($path.$fname);
       //exit;
       unlink($path.$fname);
       header('location: adm_file_list.php');
       die();
     }
     ?>
     <?php
     $dir = dir($path);
     while($file = $dir->read()) {
       if($file != '.' && $file != '..') {
         echo "<form method='post' action="?><?php echo $_SERVER['PHP_SELF'].'?delete=true&recordid='.$recordID.'&deletefile='.$file;?> <?php echo" ><a href= /dbpages/download.php?file=$file&recordid=$recordID> $file </a> <input type='submit' value='Delete'></form>";
       }
     }
     ?>
  3. I'm still pretty new to the game... how would you go about using it? On the parent

     if (!isset($_SESSION)) {
       session_start();
     }
     $_SESSION['myvar']='123456';

     Then can I simply use the variable on the Iframe?

     echo "Our color value is ".$_SESSION['myvar'];

     What happens if the user uses the back button, etc? do I need to worry about clearing the $_SESSION? Thanks.
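The two posts above (1 and 3) turn on the same point: an Iframe is fetched by the browser as a separate HTTP request that carries the same session cookie, so the Iframe page and download.php each have to start the session and run their own group check, with the same group list as the main page. The guard below is an added example written for this thread; it is not code from the original posts, from Dreamweaver, or from WolfRage. Assumed names: the file name auth_guard.php, the helper functions, and the login page ../logon.php; the session keys MM_Username / MM_UserGroup, port_recordID and the group names "administrator" / "adjuster" are taken from the posted code.

```php
<?php
// auth_guard.php (assumed name): include at the top of the main page, of the
// page loaded inside the Iframe, and of download.php. Added example, not code
// from the thread.
declare(strict_types=1);

// session_status() is the reliable test for "is a session running";
// isset($_SESSION) is only true once session_start() has already been called.
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

/** Record a successful login. Regenerating the id prevents session fixation. */
function loginUser(string $username, string $group): void
{
    session_regenerate_id(true);
    $_SESSION['MM_Username']  = $username;
    $_SESSION['MM_UserGroup'] = $group;
}

/** Log out: clear the data, expire the cookie, destroy the server-side session. */
function logoutUser(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

/** True when a logged-in user's group is one of $allowedGroups. */
function isAuthorizedGroup(array $allowedGroups): bool
{
    $user  = (string) ($_SESSION['MM_Username']  ?? '');
    $group = (string) ($_SESSION['MM_UserGroup'] ?? '');
    if ($user === '' || $group === '') {
        return false;                       // not logged in: deny by default
    }
    return in_array($group, $allowedGroups, true);
}

/** Stop the request and send the visitor to the login page unless authorised. */
function requireGroup(array $allowedGroups, string $loginPage = '../logon.php'): void
{
    if (!isAuthorizedGroup($allowedGroups)) {
        header('Location: ' . $loginPage, true, 302);
        exit;
    }
}

// Same list on every page: an "adjuster" who may open the main page is then
// also allowed to load the Iframe and to fetch a file through download.php.
requireGroup(['administrator', 'adjuster']);

// A value set on the parent page is visible here after session_start():
$recordID = (string) ($_SESSION['port_recordID'] ?? '');
```

On the back-button question in post 3: the back button only replays pages from the browser cache and never touches the server-side session, so nothing has to be cleared for it. What does matter is that logout destroys the whole session (data, cookie and server record) as logoutUser() does, rather than unsetting two keys, and that the id is regenerated at login.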
  4. I have an Iframe variable that I want to be set from a recordset populating my parent form and am having a problem with this. The parent form uses the following as a label:

     <?php echo htmlentities($row_rstocdetail['formnumber'], ENT_COMPAT, 'utf-8'); ?>

     I want my Iframe to be able to use the same information but I can't seem to get the variable to pass. Since the form on the parent is not submitted I can't use $_POST so I'm at a bit of a loss... this has to be easy, I'm just missing something obvious here. Any help would be appreciated. Thanks. A JM,
  5. Since I'm working on this at the moment and trying to finish it up I found one last item. Hopefully you'll login tonight Wolfrage... When I uncomment the last 2 lines of the script after deleting the file

     unlink($path.$fname);
     header('location: adm_file_list.php');
     die();

     this is the error that is generated: The issue is somehow related to "adm_file_list.php" being in an iframe and I'm trying to refresh it since it has one less file to delete. I don't understand what I'm doing wrong? This is the last piece to the puzzle and I think this can be put to bed... Thanks. A JM,
  6. Passing the variable through the form again works...? I don't understand that?

     <?php
     $dir = dir($path);
     while($file = $dir->read()) {
       if($file != '.' && $file != '..') {
         echo "<form method='post' action="?><?php echo $_SERVER['PHP_SELF'].'?delete=true&recordid='.$recordID.'&deletefile='.$file;?> <?php echo" ><a href= /dbpages/download.php?file=$file&recordid=$recordID> $file </a> <input type='submit' value='Delete'></form>";
       }
     }
     ?>
  7. Wolfrage, I finally got it!!! User error as usual... I wasn't including the path in the readfile() function.

     <?php
     $file = $_GET['file'];
     // the absolute path to your directory storing your files.
     $path = '/home/download/';
     $download = $file;
     //header("Pragma: public");
     //header("Expires: 0");
     //header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
     //header("Content-Type: application/force-download");
     //header( "Content-Disposition: attachment; filename=".$download);
     //header( "Content-Description: File Transfer");
     //header('Accept-Ranges: bytes');
     //header('Content-Length: ' . filesize($file));
     //@readfile($file);
     $type=explode('.',$download);
     $type=$type[1];
     header('Content-type: application/'.$type);
     header( "Content-Disposition: attachment; filename=".$download);
     readfile($download);
     ?>

     NEW

     <?php
     $file = $_GET['file'];
     // the absolute path to your directory storing your files.
     $path = '/home/download/';
     $download = $file;
     //header("Pragma: public");
     //header("Expires: 0");
     //header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
     //header("Content-Type: application/force-download");
     //header( "Content-Disposition: attachment; filename=".$download);
     //header( "Content-Description: File Transfer");
     //header('Accept-Ranges: bytes');
     //header('Content-Length: ' . filesize($file));
     //@readfile($file);
     $type=explode('.',$download);
     $type=$type[1];
     header('Content-type: application/'.$type);
     header( "Content-Disposition: attachment; filename=".$download);
     readfile($path.$download);
     ?>

     I'll now refine the script for my application. Many thanks for all your help, guidance and suggestions with this... A JM,

     [EDIT] I am still having a slight problem and it's with passing variables. This now works perfectly "except" the variable $recordID is not available for use after testing with "if(isset" even though it is gotten originally with $_GET['ID'] and set to $recordID - when I submit the form the variable is blank. I thought every object on the form would be available, what am I missing here?

     <?php
     $recordID= $_GET['ID'];
     $path = "../claims/" . $recordID . "/";
     if(isset($_GET['delete']) && $_GET['delete']=='true') {
       $fname = $_GET['deletefile'];
       $path = '../claims/' . $recordID . '/';
       print_r($path.$fname);
       exit;
       //$location=realpath('../claims/' . $recordID . '/');
       //chdir($location);
       //unlink($path.$fname);
       //header('location: adm_file_list.php');
       die();
     }
     ?>
     <head>
     <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
     </head>
     <body>
     <?php
     $dir = dir($path);
     while($file = $dir->read()) {
       if($file != '.' && $file != '..') {
         echo "<form method='post' action="?><?php echo $_SERVER['PHP_SELF'].'?delete=true&deletefile='.$file;?> <?php echo" ><a href= /dbpages/download.php?file=$file&recordid=$recordID> $file </a> <input type='submit' value='Delete'></form>";
       }
     }
     ?>
  8. Well since I was able to upload a file using php I was also assuming I would be able to delete a file using php, not. With an .htaccess file similar to what you posted this is what I get. Same goes for downloading the file - man this has got me hung up... Essentially I've got everything working except now I don't have permissions... help... :'(
  9. OK, .htaccess works 2/3 of the way, I can upload files via php and php can list the files but how do I allow my user(s) to download the file and at some point delete the file? I'm kind of stuck in a catch 22... A JM,
  10. Doesn't .htaccess only have impact on users that are actually logged into the machine? Since my users are web based and only allowed to login if they have credentials in mysql how can that work? could it be that simple? A JM,
  11. Right... so how do I do this... this is my dilemma. Any thoughts or suggestions on how to accomplish? A JM,
  12. I think this is starting to look like a folder permission issue...? The pathing looks good, but I don't see anything showing up in the logs. I guess it needs to be asked to what permissions should a folder above root be set to? Since PHP is reading and writing the files does that have some impact on that? Thanks,
  13. If I were to use realpath() like so:

      $location=realpath('../index.html');
      print_r($location);
      exit;

      What would that look like - /www/index.html ?
  14. WolfRage, I may have found the problem.. when I downloaded the file I noticed it was 237K and not 110K like the original, so I opened the downloaded file with a text editor and this is what I found. My link was setup like this:

      <a href= http://mydomain.com/dbpages/download.php?file=chart.pdf> testing</a>

      The file resides in /home/files/ so how do I format the link correctly? A JM,
  15. I pulled them off of the server and they seem to be OK - the file in particular is a PDF. Is there another way that I can make this happen? A JM,
  16. Very strange about the corruption... and stripping the few lines down to what you are using didn't help.

      <?php
      $file = $_GET['file'];
      // the absolute path to your directory storing your files.
      $path = '/home/claims/';
      $download = $file;
      //header("Pragma: public");
      //header("Expires: 0");
      //header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
      //header("Content-Type: application/force-download");
      //header( "Content-Disposition: attachment; filename=".$download);
      //header( "Content-Description: File Transfer");
      //header('Accept-Ranges: bytes');
      //header('Content-Length: ' . filesize($file));
      //@readfile($file);
      $type=explode('.',$download);
      $type=$type[1];
      header('Content-type: application/'.$type);
      header( "Content-Disposition: attachment; filename=".$download);
      readfile($download);
      ?>

      Is there a better way to make this happen - this would be perfect for what I'm needing...? Also, is there a file type that this process is limited to like only .jpg's? Thanks,
  17. I realize we've moved a little off topic so I appreciate you sticking with this. Correct me if I'm wrong: 1) From an upload perspective, since the files are above the webroot they are not accessible from the web, so I would consider that secure? 2) With the script in place and working correctly, the users are verified before being able to login and download and they will not have access to the folder for browsing but only through the link that is given for them to download the file? I've incorporated the download script (http://www.phpfreaks.com/forums/index.php/topic,95433.0.html) and it seems to be doing its job correctly, however the file that is downloaded is corrupt, any ideas on why that might be? The only thing on this download.php page is PHP scripts for authorization as I've attached below.

      <?php
      //initialize the session
      if (!isset($_SESSION)) {
        session_start();
      }
      // ** Logout the current user. **
      $logoutAction = $_SERVER['PHP_SELF']."?doLogout=true";
      if ((isset($_SERVER['QUERY_STRING'])) && ($_SERVER['QUERY_STRING'] != "")){
        $logoutAction .="&". htmlentities($_SERVER['QUERY_STRING']);
      }
      if ((isset($_GET['doLogout'])) &&($_GET['doLogout']=="true")){
        //to fully log out a visitor we need to clear the session variables
        $_SESSION['MM_Username'] = NULL;
        $_SESSION['MM_UserGroup'] = NULL;
        $_SESSION['PrevUrl'] = NULL;
        unset($_SESSION['MM_Username']);
        unset($_SESSION['MM_UserGroup']);
        unset($_SESSION['PrevUrl']);
        $logoutGoTo = "../index.html";
        if ($logoutGoTo) {
          header("Location: $logoutGoTo");
          exit;
        }
      }
      ?>
      <?php
      if (!isset($_SESSION)) {
        session_start();
      }
      $MM_authorizedUsers = "";
      $MM_donotCheckaccess = "true";

      // *** Restrict Access To Page: Grant or deny access to this page
      function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) {
        // For security, start by assuming the visitor is NOT authorized.
        $isValid = False;

        // When a visitor has logged into this site, the Session variable MM_Username set equal to their username.
        // Therefore, we know that a user is NOT logged in if that Session variable is blank.
        if (!empty($UserName)) {
          // Besides being logged in, you may restrict access to only certain users based on an ID established when they login.
          // Parse the strings into arrays.
          $arrUsers = Explode(",", $strUsers);
          $arrGroups = Explode(",", $strGroups);
          if (in_array($UserName, $arrUsers)) {
            $isValid = true;
          }
          // Or, you may restrict access to only certain users based on their username.
          if (in_array($UserGroup, $arrGroups)) {
            $isValid = true;
          }
          if (($strUsers == "") && true) {
            $isValid = true;
          }
        }
        return $isValid;
      }

      $MM_restrictGoTo = "../logon.php";
      if (!((isset($_SESSION['MM_Username'])) && (isAuthorized("",$MM_authorizedUsers, $_SESSION['MM_Username'], $_SESSION['MM_UserGroup'])))) {
        $MM_qsChar = "?";
        $MM_referrer = $_SERVER['PHP_SELF'];
        if (strpos($MM_restrictGoTo, "?")) $MM_qsChar = "&";
        if (isset($QUERY_STRING) && strlen($QUERY_STRING) > 0)
          $MM_referrer .= "?" . $QUERY_STRING;
        $MM_restrictGoTo = $MM_restrictGoTo. $MM_qsChar . "accesscheck=" . urlencode($MM_referrer);
        header("Location: ". $MM_restrictGoTo);
        exit;
      }
      ?>
      <?php
      $file = $_GET['file'];
      // the absolute path to your directory storing your files.
      $path = '/home/filefolder/';
      $download = $file;
      header("Pragma: public");
      header("Expires: 0");
      header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
      header("Content-Type: application/force-download");
      header( "Content-Disposition: attachment; filename=".$download);
      header( "Content-Description: File Transfer");
      header('Accept-Ranges: bytes');
      header('Content-Length: ' . filesize($file));
      @readfile($file);
      ?>
  18. WolfRage, Thanks for the explanation, things are a little clearer. I'm curious about moving the storage folder outside of the webroot to eliminate access directly to the folder. I think this will work but am curious about creating links to the documents: what do you use for pathing so the user can download or open the document? I also saw an interesting concept by MadTechie for limiting access to files from the outside (http://www.phpfreaks.com/forums/index.php?topic=257191.0), what do you think about that? Thanks. A JM,
  19. Thanks Wolfrage, I finally got a working prototype... now I'd like to lock it down and have it be more secure. Looking back at your script, what is it that you're doing, verifying that the file exists before attempting to delete it?

      <?php
      $file=explode('=',clean($_POST['file']));
      if($file[0]==='file'){
        $file=$_SESSION['project_scope'].'/'.$file[1];
        $var=realpath($file);
        if(strpos($var,$_SESSION['project_scope'])!==FALSE) {
          unlink($var);
          $var=basename($var);
          echo $var.' was successfully deleted.';
        }
      }
      ?>

      I believe I understand what you mean - don't display the full path to the file being linked or deleted. How would you suggest I go about this given the script below? I understand your point, I think this may also be related to my question above with regard to pathing...

      <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
      <html xmlns="http://www.w3.org/1999/xhtml">
      <?php
      $path = "../temp/" . $_GET['ID'] . "/";
      if(isset($_GET['delete']) && $_GET['delete']=='true') {
        print_r($_POST['pathfile']);
        exit;
        //unlink($_POST['pathfile']);
        header('location: adm_file_list.php');
        die();
      }
      ?>
      <head>
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
      </head>
      <body>
      <?php
      $path = "../temp/" . $_GET['ID'] . "/";
      $dir = dir($path);
      while($file = $dir->read()) {
        if($file != '.' && $file != '..'){
          echo "<form method='post' name='filedelete' action="?><?php echo $_SERVER['PHP_SELF'].'?delete=true';?> <?php echo" ><a href= $path$file >$file</a> <input type='hidden' name='pathfile' value= $path$file><input type='submit' value='Delete'></form>";
        }
      }
      ?>
      </body>
      </html>
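The download scripts in posts 7, 16 and 17 pass $_GET['file'] straight to readfile(), and the delete branches pass $_GET['deletefile'] or $_POST['pathfile'] straight to unlink(), so the only thing standing between a logged-in user and any file the web server can read or remove is the name they put in the request. WolfRage's realpath()/strpos() snippet in post 19 is the right idea; the example below is an added handler for this thread, not code from the posts or from WolfRage, that makes the containment check strict and serves both download and delete. Assumed: the storage root /home/claims outside the web root with one sub-directory per record, the session key port_recordID and the redirect target adm_file_list.php from the posted code, and the function and constant names used here.

```php
<?php
// Hardened download/delete handler. Added example, not code from the thread.
// Assumes the session guard has already run (for example via an include).
declare(strict_types=1);

const FILE_ROOT = '/home/claims';   // assumed storage root, outside the web root

/**
 * Resolve a user-supplied file name inside the caller's record directory and
 * return its absolute path, or null when the name escapes that directory or the
 * file does not exist. basename() drops any directory part and realpath()
 * collapses "..", so neither "../../etc/passwd" nor an absolute path can pass.
 */
function resolveInRecordDir(string $recordId, string $name): ?string
{
    // The record id comes from the session, but validate it as well so a stray
    // value can never become a path component.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $recordId)) {
        return null;
    }
    $base = realpath(FILE_ROOT . '/' . $recordId);
    if ($base === false) {
        return null;                       // no such record directory
    }
    $leaf = basename($name);
    if ($leaf === '' || $leaf === '.' || $leaf === '..') {
        return null;
    }
    $full = realpath($base . '/' . $leaf);
    if ($full === false || !is_file($full)) {
        return null;
    }
    // Prefix check with the separator included, so "/home/claims/12" cannot
    // be satisfied by "/home/claims/123/...".
    if (strncmp($full, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

/** Send a file as an attachment with a sniffed MIME type and the real length. */
function sendDownload(string $full): void
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($full) ?: 'application/octet-stream';
    // The name shown to the browser is the leaf name with header-unsafe
    // characters replaced; the server path is never sent.
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($full));

    header('Content-Type: ' . $mime);
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    header('Content-Length: ' . (string) filesize($full));
    header('X-Content-Type-Options: nosniff');
    // Discard any buffered output (HTML, whitespace after a "?>") so that only
    // the file's bytes are sent; stray output ahead of readfile() is one common
    // cause of a download that is larger than the original and will not open.
    while (ob_get_level() > 0) {
        ob_end_clean();
    }
    readfile($full);
    exit;
}

/** Delete a file inside the record directory; true on success. */
function deleteInRecordDir(string $recordId, string $name): bool
{
    $full = resolveInRecordDir($recordId, $name);
    return $full !== null && unlink($full);
}

// --- request handling ---
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}
$recordId = (string) ($_SESSION['port_recordID'] ?? '');

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['delete'])) {
    // Deletion changes state, so it is accepted over POST only; the name from
    // the hidden field is re-validated here, never trusted from the form.
    $ok = deleteInRecordDir($recordId, (string) ($_POST['file'] ?? ''));
    header('Location: adm_file_list.php' . ($ok ? '' : '?error=1'));
    exit;
}

$full = resolveInRecordDir($recordId, (string) ($_GET['file'] ?? ''));
if ($full === null) {
    http_response_code(404);
    exit('File not found.');
}
sendDownload($full);
```

The listing page then only needs to emit the leaf name (download.php?file=chart.pdf and a hidden field with the same leaf name), which also answers the "don't display the full path" point in post 19: the directory is fixed by the record id in the session, so the client never sees or controls a path. A per-session CSRF token on the delete form is the remaining piece this example leaves to the application's form handling.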
  20. Been banging on it for a while now and could use some help?? I made some changes and have not yet gotten to the validation pieces or hiding the pathing, just trying to get a simple list of files at the moment. I'm a little confused - in the while statement there is the if statement to eliminate "." and ".." from the file list but they are showing up?

      <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
      <html xmlns="http://www.w3.org/1999/xhtml">
      <?php
      if(isset($_GET['delete']) && $_GET['delete']=='true') {
        print_r(unlink("../claims/" . $_GET['ID'] . "/".$_POST['filedelete']));
        exit;
        //unlink("../temp/" . $_GET['ID'] . "/".$_POST['filedelete']);
        header('location: adm_file_list.php');
        die();
      }
      ?>
      <head>
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
      <title></title>
      </head>
      <body>
      <?php
      $path = "../temp/" . $_GET['ID'] . "/";
      $dir = dir($path);
      while($file = $dir->read()) {
        if($file != '.' && $file != '..')
          echo "<form method=\"post\" name=\"filedelete\" action="?><?php echo $_SERVER['PHP_SELF'].'?delete=true';?><?php echo" > <a href= $path$file >$file</a> <input type=\"submit\" value=\"Delete\"><br/>";
        else
      }
      ?>
      </body>
      </html>

      Any help would be appreciated... A JM,
  21. Gotcha ignace.. thanks. I was just making sure I wasn't missing something... I'll start down the path of using a hiddentext object and see if I can make some progress. So, I'm clearly thinking about this - since the user needs credentials to login to the main page before they can even see the list of files to delete on the Iframe, is this acceptable? Also, I understand that I should eliminate paths that the user will see and they should only see the current path for the file deletion. WolfRage - I get an error on the clean() function, is this a PHP function or a custom routine?

      $file=explode('=',clean($_POST['file']));
  22. ignace, I do use a table for user logins to the site and the user is validated by username and password. ignace - with regard to using a table to store paths and file names, etc. just deleting the record from the table doesn't delete the file from the server - so the server would end up with a bunch of abandoned files, correct? WolfRage - you knew it was coming... I understand the script and that it requires a $_POST variable 'file' to be passed. Could I do this with a hiddentext object? would that make sense? when the user clicks the button the file and path are passed to the page and then retrievable by $_GET()? mjdamato - I also see now the errors in what I posted. Since I'm new to this - how would one go about performing the above?
  23. I hate to reinvent the wheel... How do others handle similar situations? I mean there are all kinds of sites that allow users to upload and delete files from directories, how are they doing it? Any links or documents on how to implement? Thanks.
  24. I meant to also note that this page is an Iframe and in fact does limit the user by using the $user = $_SESSION['username']; I believe that it will work correctly this way: the user logs into the site and needs permission to see the main page, and my Iframe is embedded in the main page. Of this entire project that I've been working on and subjecting the list to numerous questions on, the "file" routines have been the worst and most time consuming, there has to be easier ways to get things like this done, arrgh.. WolfRage, your point brings me to .htaccess, can't this be achieved by an .htaccess file? From what I've been reading .htaccess can restrict the user and perform the operations that I want but the downfall I see is that the user has to have credentials on the box - correct me if I'm wrong. Having credentials on the box is not the same as a $user = $_SESSION['username'];... A JM,
  25. mjdamato, Thank you for your constructive criticism. I can see now that there are issues with how I was trying to implement this script. My problem still persists that I need to find a way to allow a user logged into the system to be able to delete a file that exists in a particular directory, securely. Do you have some suggestions on how I should go about achieving this? Thanks for your input. A JM,