a_bains
Posted May 29, 2009

Hello, I am new to Curl but I just have a simple question. The below script logs into a website and then downloads a PDF from the downloads folder. I have no problem building a login script and checking authentication on each PHP page, but the downloads folder is different and could contain PDF files. I am wondering why I couldn't just download a PDF straight away without logging in. I want to know how I would go about protecting files like that. I have heard about .htaccess but I am unsure if that is what I should use. For my business I would like to give only my customers access to a file on my server requiring the same authentication as the login.php page (which would verify against a MySQL database). I intend for them to use a script like below, but I am unsure of how to protect the downloads folder. Thanks!

```php
<?php
// INIT CURL
$ch = curl_init();

// SET URL FOR THE POST FORM LOGIN
curl_setopt($ch, CURLOPT_URL, 'http://www.external-site.com/Members/Login.php');

// ENABLE HTTP POST
curl_setopt($ch, CURLOPT_POST, 1);

// SET POST PARAMETERS : FORM VALUES FOR EACH FIELD
curl_setopt($ch, CURLOPT_POSTFIELDS, 'fieldname1=fieldvalue1&fieldname2=fieldvalue2');

// IMITATE CLASSIC BROWSER'S BEHAVIOUR : HANDLE COOKIES
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookie.txt');

# Setting CURLOPT_RETURNTRANSFER variable to 1 will force cURL
# not to print out the results of its query.
# Instead, it will return the results as a string return value
# from curl_exec() instead of the usual true/false.
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

// EXECUTE 1st REQUEST (FORM LOGIN)
$store = curl_exec($ch);

// SET FILE TO DOWNLOAD
curl_setopt($ch, CURLOPT_URL, 'http://www.external-site.com/Members/Downloads/AnnualReport.pdf');

// SWITCH BACK TO GET : THE HANDLE WOULD OTHERWISE RE-SEND THE LOGIN POST
curl_setopt($ch, CURLOPT_HTTPGET, true);

// EXECUTE 2nd REQUEST (FILE DOWNLOAD)
$content = curl_exec($ch);

// CLOSE CURL
curl_close($ch);
?>
```

JonnoTheDev
Posted May 29, 2009

Of course you could download them directly if you have the URL and path. The website login will not protect anything, i.e. http://www.xyz.com/downloads/abc.pdf

An .htaccess file with htpasswd will just place a username/password prompt to access the folder. You would be forever adding new passwords to the file, so this is not a solution.

The easiest and most obvious method is to simply move the downloads folder outside of the website document root. This means that the files will not be accessible via any URL. You would grab the files using your website code (PHP) and use headers to give the user a download prompt.

See: http://www.phpfreaks.com/forums/index.php/topic,252090.msg1183868.html#msg1183868
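
The approach described in the answer above, as an added example that is not part of the original thread: a gatekeeper script that checks the login session and then streams a PDF stored outside the document root. The script name `download.php`, the `PRIVATE_DIR` path, the `file` query parameter and the `$_SESSION['user_id']` key are assumptions for illustration.

```php
<?php
// download.php: hypothetical gatekeeper script placed inside the document root.
// The PDFs themselves live in PRIVATE_DIR, which no URL maps to.
declare(strict_types=1);

const PRIVATE_DIR = '/var/www/private/downloads'; // assumed path outside the web root

/**
 * Map a user-supplied name to a real file inside $baseDir, or return null.
 * Rejects "../" traversal, absolute paths, escaping symlinks and non-PDF names.
 */
function resolveDownload(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $requested === '' || $requested !== basename($requested)) {
        return null;
    }
    if (strtolower(pathinfo($requested, PATHINFO_EXTENSION)) !== 'pdf') {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    // realpath() resolves symlinks, so containment is re-checked afterwards
    if ($path === false || !is_file($path)
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

session_start();
if (empty($_SESSION['user_id'])) {      // assumed to be set by login.php on success
    http_response_code(403);
    exit('Login required.');
}

$requested = is_string($_GET['file'] ?? null) ? $_GET['file'] : '';
$path = resolveDownload(PRIVATE_DIR, $requested);
if ($path === null) {
    http_response_code(404);
    exit('File not found.');
}

header('Content-Type: application/pdf');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

With this in place, the second cURL request in the question would target `download.php?file=AnnualReport.pdf` and succeed only when it carries the session cookie set at login.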