Inigo Posted May 5, 2010 Share Posted May 5, 2010 Hi Guys, I'm new here, and this is my first post so apologies if there's a more relevant place where I should be posting this, if so please let me know. Basically I'm building a site for someone, a lecturer, who wants to be able to upload and download documents, mostly MS Word and PDF files, at her leisure. They are sensitive files, and so must be secured in a safe place. I want to build a log in/admin area where she can do this. Obviously just uploading the files to a normal directory is useless because anyone could go to that directory and see the files. I'd like to put a htaccess / htpasswd file in the directory to secure it, so my question is this; Is there a way to get php to interact with htaccess? to send the username and password in a php request to retrieve files from the directory and force a download with header("Content-Disposition: attachment; filename= ... (or whatever) ? All my googling efforts on this subject seem only to bring up stuff about the flock() command. I see there is an expression engine plugin to do this sort of thing but quite frankly I hate EE. I'm guess I'm a control freak, I'd much rather do it myself and know exactly what's going on. Thanks in advance! Quote Link to comment Share on other sites More sharing options...
Muddy_Funster Posted May 5, 2010 Share Posted May 5, 2010 Can't you just store them in a database? It would be much safer than opening up web access to controll/interact with your htaccess file. Quote Link to comment Share on other sites More sharing options...
Inigo Posted May 5, 2010 Author Share Posted May 5, 2010 Thanks for the reply ! Not really, one of the pdf files is almost 4mb. But I've discovered that you can move files in and out of htaccess protected directories using php commands without even needing to supply the username and password! duh! OK sorry, I'm new to coding, so I guess htaccess is only to stop browsers ie. people viewing files then..? I had assumed that any sort of access to the directory would be blocked. Thanks anyway. Quote Link to comment Share on other sites More sharing options...
Muddy_Funster Posted May 5, 2010 Share Posted May 5, 2010 Ahhh...no, not the case. as php is server side it defaults to running with the same permissions that your httpd account has on a given directory. I thought that you weere looking to have php modify the htaccess file at run time to allow said user to upload and then re-apply viewing restrictions afterwords. p.s. Retreving images from a database is just as efficient than using flat files. Just so you know Quote Link to comment Share on other sites More sharing options...
Inigo Posted May 5, 2010 Author Share Posted May 5, 2010 'I thought that you weere looking to have php modify the htaccess file at run time to allow said user to upload and then re-apply viewing restrictions afterwords.' In this case, no. But that's an interesting one, would that be possible using fopen fwrite? Quote Link to comment Share on other sites More sharing options...
Muddy_Funster Posted May 5, 2010 Share Posted May 5, 2010 Assuming the permissions are right on the htaccess file, then theory would dictate yes. However you are talking about a major security vulnrability if you set the httpd account with that permission level on your htaccess file. Quote Link to comment Share on other sites More sharing options...
Inigo Posted May 5, 2010 Author Share Posted May 5, 2010 Ah, I see, yes. Thanks Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.