benphp Posted April 3, 2009 Share Posted April 3, 2009 I'm creating a file-sharing - web collaboration site, and I have all the files in an /upload/ directory. I want people who are logged in to be able to download http://www.mysite.com/upload/thedocument.doc for example, but if someone who isn't logged in tries to enter the url: http://www.mysite.com/upload/thedocument.doc it won't work. Is there a way to do that? Quote Link to comment https://forums.phpfreaks.com/topic/152452-how-to-allow-download-of-files-only-if-logged-in/ Share on other sites More sharing options...
mrMarcus Posted April 3, 2009 Share Posted April 3, 2009 I'm creating a file-sharing - web collaboration site, and I have all the files in an /upload/ directory. I want people who are logged in to be able to download http://www.mysite.com/upload/thedocument.doc for example, but if someone who isn't logged in tries to enter the url: http://www.mysite.com/upload/thedocument.doc it won't work. Is there a way to do that? do you have a login script setup already? Quote Link to comment https://forums.phpfreaks.com/topic/152452-how-to-allow-download-of-files-only-if-logged-in/#findComment-800657 Share on other sites More sharing options...
benphp Posted April 3, 2009 Author Share Posted April 3, 2009 "do you have a login script setup already?" Yep - I'm using session vars to hold login info. I'm reading about chmod now and wondering if that might be the answer - but then, I wonder if it works on a non-unix box (windows). Quote Link to comment https://forums.phpfreaks.com/topic/152452-how-to-allow-download-of-files-only-if-logged-in/#findComment-800660 Share on other sites More sharing options...
mrMarcus Posted April 3, 2009 Share Posted April 3, 2009 you can look .htaccess files to secure a folder and its contents. Quote Link to comment https://forums.phpfreaks.com/topic/152452-how-to-allow-download-of-files-only-if-logged-in/#findComment-800670 Share on other sites More sharing options...
Maq Posted April 4, 2009 Share Posted April 4, 2009 but then, I wonder if it works on a non-unix box (windows). Yes chmod works on windows but I don't think that's the way to go because it could spawn security issues. I'm not sure how you have your system setup but you should hide these documents behind the root folder so no one can get to them. Have a page where users must be logged in (check session var) to get these files from. Make sense? Quote Link to comment https://forums.phpfreaks.com/topic/152452-how-to-allow-download-of-files-only-if-logged-in/#findComment-800828 Share on other sites More sharing options...
revraz Posted April 4, 2009 Share Posted April 4, 2009 If you have access to a DB, you can also store them there. Quote Link to comment https://forums.phpfreaks.com/topic/152452-how-to-allow-download-of-files-only-if-logged-in/#findComment-800856 Share on other sites More sharing options...
Fruct0se Posted April 4, 2009 Share Posted April 4, 2009 If you want to hide the path to the file altogether here is a script which will mask the filename and path. In this example this file would be called download.php // Usage: <a href="download.php?file=test.txt&category=test">download</a> // Path to downloadable files (will not be revealed to users so they will never know your file's real address) $hiddenPath = "path/to/your/file"; // VARIABLES if (!empty($_GET['file'])){ $file = str_replace('%20', ' ', $_GET['file']); $category = (!empty($_GET['category'])) ? $_GET['category'] . '/' : ''; } $file_real = $hiddenPath . $file; $ip = $_SERVER['REMOTE_ADDR']; // Check to see if the download script was called if ($_SERVER['QUERY_STRING'] != null){ // If requested file exists if (file_exists($file_real)){ // Get extension of requested file $extension = strtolower(substr(strrchr($file, "."), 1)); // Determine correct MIME type switch($extension){ case "asf": $type = "video/x-ms-asf"; break; case "avi": $type = "video/x-msvideo"; break; case "exe": $type = "application/octet-stream"; break; case "mov": $type = "video/quicktime"; break; case "mp3": $type = "audio/mpeg"; break; case "mpg": $type = "video/mpeg"; break; case "mpeg": $type = "video/mpeg"; break; case "rar": $type = "encoding/x-compress"; break; case "txt": $type = "text/plain"; break; case "wav": $type = "audio/wav"; break; case "wma": $type = "audio/x-ms-wma"; break; case "wmv": $type = "video/x-ms-wmv"; break; case "zip": $type = "application/x-zip-compressed"; break; default: $type = "application/force-download"; break; } // Fix IE bug [0] $header_file = (strstr($_SERVER['HTTP_USER_AGENT'], 'MSIE')) ? preg_replace('/\./', '%2e', $file, substr_count($file, '.') - 1) : $file; // Prepare headers header("Pragma: public"); header("Expires: 0"); header("Cache-Control: must-revalidate, post-check=0, pre-check=0"); header("Cache-Control: public", false); header("Content-Description: File Transfer"); header("Content-Type: " . $type); header("Accept-Ranges: bytes"); header("Content-Disposition: attachment; filename=\"" . $header_file . "\";"); header("Content-Transfer-Encoding: binary"); header("Content-Length: " . filesize($file_real)); // Send file for download if ($stream = fopen($file_real, 'rb')){ while(!feof($stream) && connection_status() == 0){ //reset time limit for big files set_time_limit(0); print(fread($stream,1024*); flush(); } fclose($stream); } }} }else{ // Requested file does not exist (File not found) echo("Requested file does not exist"); die(); } } Quote Link to comment https://forums.phpfreaks.com/topic/152452-how-to-allow-download-of-files-only-if-logged-in/#findComment-800861 Share on other sites More sharing options...
benphp Posted April 4, 2009 Author Share Posted April 4, 2009 Thanks for the responses. It looks like I have some more work to do! Quote Link to comment https://forums.phpfreaks.com/topic/152452-how-to-allow-download-of-files-only-if-logged-in/#findComment-800951 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.