plodos Posted January 12, 2009

```php
<?php
include('dbconfig.php');

if (isset($_FILES['paper'])) {
    $file_name = $_FILES['paper']['name'];
    // extension including the leading dot, e.g. ".pdf"
    $file_ext = strtolower(substr($file_name, strrpos($file_name, ".")));

    // escape user-supplied values before they go into the query
    $title = mysql_real_escape_string($_REQUEST['title']);
    $ext   = mysql_real_escape_string($file_ext);

    $q = "insert into paper set title='$title', ext='$ext', user='{$_SESSION['id']}' ";
    $result = mysql_query($q);
    $fid = mysql_insert_id();

    // stored as sweet_papers/<insert id><ext>
    move_uploaded_file($_FILES['paper']['tmp_name'], 'sweet_papers/'.$fid.$file_ext);
    header('Location: http://'.$_SERVER['SERVER_NAME'].'/my_papers.php');
    exit;
}
?>
```

This code saves the file inside sweet_papers, named with the MySQL insert id, like:

http://www.mmmmmm.com/sweet_papers/67.pdf
http://www.mmmmmm.com/sweet_papers/68.pdf
http://www.mmmmmm.com/sweet_papers/69.pdf

I'm using this to list the papers (my_papers.php):

```php
<?php
$q = "select paper.* from paper where paper.user={$_SESSION['id']} order by id desc";
$result = mysql_query($q);
$opstr = array();
while ($row = mysql_fetch_array($result)) {
    // escape the title so it cannot inject markup into the page
    $title = htmlspecialchars($row['title'], ENT_QUOTES);
    $opstr[] = "<a href='sweet_papers/{$row['id']}{$row['ext']}'>{$title}</a>";
}
```

But everybody can read these papers: type the URL http://www.mmmmmm.com/sweet_papers/69.pdf and you can read it. How can I protect these files from unwanted users? I also used Options -Indexes in .htaccess to stop directory listing, but it is not enough :-\

ngreenwood6 Posted January 12, 2009

Why don't you create a login section where only someone with a username and password can access the files?

plodos (Author) Posted January 12, 2009

I have the login system, but if someone types the URL http://www.mmmmmm.com/sweet_papers/67.pdf they can see the contents. But http://www.mmmmmm.com/admin.php or http://www.mmmmmm.com/users.php is protected with sessions. How can I protect these papers?

dennismonsewicz Posted January 12, 2009

I am assuming you are using sessions to control your login information. Just put something like this at the top of your screen:

```php
if (!$_SESSION) {
    // code displaying you must be logged in to view these papers
} else {
    // code displaying paper
}
```

PFMaBiSmAd Posted January 12, 2009

You need to dynamically output the documents using a php script. The link you provide will be to that php script, with a parameter on the end of the URL that indicates which document should be output. That php script will check if the visitor making the request for that document is logged in and is permitted to access that document (in case you have access levels or limit access to "owners" of each document). If the visitor is allowed to access the document that was requested, then the php script will output any necessary headers, read the correct document and output it to the browser.

You will then need to disable browser access to the folder where the documents are located. The best way to do this is to move the folder outside your document root folder (closer to the root of the disk). The second best way is to put a .htaccess file in the folder that prevents all http requests to the files in the folder.

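
The download script described in the answer above, as an added example that is not part of the original thread. The script name `download.php`, the `PAPER_DIR` path and the `$pdo` handle are assumptions, and PDO prepared statements are used here in place of the `mysql_*` functions seen in the thread; the `paper` table and its `id`, `ext`, `user` columns come from the original post.

```php
<?php
// download.php (hypothetical name): added example, not code from the thread.
// Assumes dbconfig.php defines $pdo (a PDO handle) and that the uploaded
// files were moved to a directory outside the document root.
session_start();
require 'dbconfig.php';
const PAPER_DIR = '/var/www/private/sweet_papers'; // placeholder path

// 1. The visitor must be logged in.
if (empty($_SESSION['id'])) {
    http_response_code(403);
    exit('You must be logged in to view papers.');
}

// 2. The id parameter must be a plain positive integer.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT,
                   ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Bad request.');
}

// 3. Ownership check inside the query: a row comes back only for its owner.
$stmt = $pdo->prepare('SELECT id, ext FROM paper WHERE id = ? AND user = ?');
$stmt->execute([$id, $_SESSION['id']]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// Same 404 for "no such paper" and "not your paper", so ids cannot be probed.
$path = $row ? PAPER_DIR . '/' . $row['id'] . $row['ext'] : null;
if ($path === null || !is_file($path)) {
    http_response_code(404);
    exit('Paper not found.');
}

// 4. Output headers, then the file. The download name is built from the
// numeric id and a filtered extension, never from free-form user text.
$ext = preg_replace('/[^a-z0-9.]/', '', $row['ext']);
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="paper-' . $row['id'] . $ext . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
exit;
```

The links in my_papers.php would then point to `download.php?id=<paper id>` instead of a path under `sweet_papers/`, so the file location never appears in a URL.
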
plodos (Author) Posted January 12, 2009

```php
<?php
// random lowercase directory name, $len characters long
function gen_trivial($len = 6) {
    $r = '';
    for ($i = 0; $i < $len; $i++)
        $r .= chr(rand(0, 25) + ord('a'));
    return $r;
}

$basename = gen_trivial();
$mypath = "sweet_papers/$basename";
mkdir($mypath, 0777, TRUE);

/**************************************************************/

$now = time();
$date = date("Y-m-d H:i:s", $now);
$file_name = $_FILES['paper']['name'];
$file_ext = strtolower(substr($file_name, strrpos($file_name, ".")));

// escape the user-supplied title before it goes into the query
$title = mysql_real_escape_string($_REQUEST['title']);

$q = "insert into paper set title='$title', path='{$basename}' ,user='{$_SESSION['id']}', status='New', datum='$date' ";
$result = mysql_query($q);
$fid = mysql_insert_id();
move_uploaded_file($_FILES['paper']['tmp_name'], 'sweet_papers/'.$basename.'/'.$fid.$file_ext);
?>
```

http://mmmmmmmmmm.com/sweet_papers/fxfxhe/69.pdf

I make another directory inside of sweet_papers. Now the other users must guess the base directory name and the paper name. I also changed the paper listing like this:

```php
<a href='sweet_papers/{$row['path']}/{$row['id']}{$row['ext']}'>{$row['title']}</a>
```

I also used Options -Indexes in .htaccess to close directory listing.

Is it a good method?