rashmisharma Posted February 18, 2009

Hello! I have a serious security issue. Suppose my site URL is http://www.abc.com

Now I have a secure admin panel folder xyz in it, and this folder contains a subfolder where I am storing the uploaded .pdf files, and only after providing a valid username & password can one download these PDFs. But if a user types the direct URL in the browser, http://www.abc.com/xyz/pdfFolder/filename.pdf, then he can easily access that PDF without any authentication.

Please help me. I have searched a lot on it but didn't find any solution. Everywhere I found the .htaccess file as a solution, but if I do that then I won't be able to download that file even after authentication; it says a corrupted PDF file.

It's really very urgent! Thanks for any help.

gizmola Posted February 18, 2009

The best way is to write a delivery script in PHP. All the .pdf files should be stored outside of the webroot. Your delivery script should accept a variable like the filename to download. It will then get the script from its directory using one of the file opening techniques and return the contents. You do need the script to return the proper MIME header for a .pdf using the Header() function.

Because this is a script opening the file and returning it, the script can do a check first to ensure the user has logged in. I won't cover that, but typically it is handled through the use of PHP sessions. You can set a session variable that the delivery script checks at the top, and it will give the user an error if they're not logged in, or redirect them to the login page.

rashmisharma (Author) Posted February 18, 2009

Then how do I access that folder to display PDF files to registered users?

lostprophetpunk Posted February 18, 2009

You could always use a simple zip program like WinRAR to zip up the files with a password, which the user can be given when they enter their username and password.

gizmola Posted February 18, 2009

> Then how do I access that folder to display PDF files to registered users?

Did you read my post carefully? I outlined the technique you need. Read this page carefully: http://us.php.net/manual/en/function.readfile.php
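
A minimal sketch of the delivery script gizmola describes, added here as an example and not code posted by anyone in the thread. The storage path, the `file` parameter, the `user_id` session key and the login URL are assumptions.

```php
<?php
declare(strict_types=1);
// download.php (added example; path, parameter and session key names are assumptions)

session_start();

// Assumed: the login code sets $_SESSION['user_id'] after a successful login.
if (empty($_SESSION['user_id'])) {
    header('Location: /xyz/login.php'); // hypothetical login page
    exit;
}

// Assumed storage directory, located outside the webroot so no URL maps to it.
$storageDir = realpath('/var/www/private/pdfs');

// Accept only a bare file name: basename() drops any directory components,
// and the pattern restricts it to simple names ending in .pdf.
$requested = $_GET['file'] ?? '';
$name = is_string($requested) ? basename($requested) : '';
if ($storageDir === false || !preg_match('/\A[A-Za-z0-9._-]+\.pdf\z/i', $name)) {
    http_response_code(400);
    exit('Bad request');
}

// Resolve symlinks and confirm the result is still inside the storage directory.
$path = realpath($storageDir . DIRECTORY_SEPARATOR . $name);
if ($path === false
    || strncmp($path, $storageDir . DIRECTORY_SEPARATOR, strlen($storageDir) + 1) !== 0
    || !is_file($path)) {
    http_response_code(404);
    exit('Not found');
}

// Discard anything already buffered (whitespace, notices): extra bytes ahead of
// the file body are a common reason a downloaded PDF is reported as corrupted.
while (ob_get_level() > 0) {
    ob_end_clean();
}

header('Content-Type: application/pdf');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
exit;
```

Links shown to logged-in users would then point at the script (for example `download.php?file=filename.pdf`) instead of at the PDF folder.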