
Secure a Dir


tobeyt23


Put the documents in a directory that is not publicly available and use PHP to deliver the documents to the user rather than providing them a direct link. What type of documents are they: pdf, doc, txt, ??? And, how do you maintain the document list: in a database, do you read the directory, hard-coded list, ???


Here is some sample code to get you pointed in the right direction. As I stated before, put the files in a directory that is not publicly available. I will assume that folder is one level up from the current working directory and it is called "secured_docs":

 

Page to display the links to the documents

if($logged_in)
{
    //Query list of documents ($mysqli is assumed to be an open mysqli connection)
    $query = "SELECT id, name FROM documents ORDER BY name";
    $result = $mysqli->query($query);

    //Display links to download the documents (names are HTML-escaped before output)
    echo "Here are the secured documents:<br />\n";
    echo "<ul>\n";
    while($doc = $result->fetch_assoc())
    {
        $name = htmlspecialchars($doc['name'], ENT_QUOTES, 'UTF-8');
        echo "<li><a href=\"download_doc.php?id={$doc['id']}\" target=\"_blank\">{$name}</a><br /></li>\n";
    }
    echo "</ul>\n";
}

 

Page to download the documents from secured location (download_doc.php)

if($logged_in && isset($_GET['id']))
{
    //Query for the selected document by its id, using a prepared statement
    //($mysqli is assumed to be an open mysqli connection)
    $docID = (int) $_GET['id'];
    $stmt = $mysqli->prepare("SELECT name FROM documents WHERE id = ?");
    $stmt->bind_param('i', $docID);
    $stmt->execute();
    $result = $stmt->get_result();

    if($result->num_rows !== 0)
    {
        $document = $result->fetch_assoc();
        //Build the path inside the non-public folder; basename() strips any directory
        //components so a stored name cannot escape secured_docs
        $file = '../secured_docs/' . basename($document['name']);
        //Include function to download files
        include('downloadFunction.php');
        //Download the document
        output_file($file, true);
    }
    else
    {
        header('HTTP/1.1 404 Not Found');
        die('Document not found.');
    }
}

 

Here is the function to download the files. I had this lying around which I picked up somewhere and have made changes to (downloadFunction.php)

function output_file($file, $download=false, $name=false, $mime_type=false) {
    /*
    This function takes a path to a file to output ($file),
    the filename that the browser will see ($name) and
    the MIME type of the file ($mime_type, optional).

    If you want to do something on download abort/finish,
    register_shutdown_function('function_name');
    */
    if(!is_readable($file)) die('File not found or inaccessible!');

    /* Figure out the MIME type (if not specified) */
    $mime_types=array(
        'pdf'  => 'application/pdf',
        'txt'  => 'text/plain',
        'html' => 'text/html',
        'htm'  => 'text/html',
        'exe'  => 'application/octet-stream',
        'zip'  => 'application/zip',
        'doc'  => 'application/msword',
        'xls'  => 'application/vnd.ms-excel',
        'ppt'  => 'application/vnd.ms-powerpoint',
        'gif'  => 'image/gif',
        'png'  => 'image/png',
        'jpeg' => 'image/jpeg',
        'jpg'  => 'image/jpeg',
        'php'  => 'text/plain',
        'rtf'  => 'application/rtf'
    );

    $size = filesize($file);
    $output_name = ($name) ? rawurldecode($name) : rawurldecode(basename($file));
    $file_ext = strtolower(pathinfo($file, PATHINFO_EXTENSION));
    if(!$mime_type)
    {
        $mime_type = (isset($mime_types[$file_ext])) ? $mime_types[$file_ext] : 'application/octet-stream';
    }

    @ob_end_clean(); //turn off output buffering to decrease cpu usage

    // required for IE, otherwise Content-Disposition may be ignored
    if(ini_get("zlib.output_compression")) { ini_set("zlib.output_compression", "Off"); }

    header("Content-Type: {$mime_type}");
    if ($download)
    {
        //Force download; quote the filename and strip quotes/CR/LF so the header cannot be broken
        $safe_name = str_replace(array('"', "\r", "\n"), '', $output_name);
        header("Content-Disposition: attachment; filename=\"$safe_name\"");
    }
    header('Content-Transfer-Encoding: binary');
    header('Accept-Ranges: bytes');

    /* These three lines basically make the download non-cacheable */
    header('Cache-control: private');
    header('Pragma: private');
    header('Expires: Mon, 26 Jul 1997 05:00:00 GMT');

    // multipart-download and download resuming support
    $range = 0;
    if(isset($_SERVER['HTTP_RANGE']))
    {
        $parts = explode('=', $_SERVER['HTTP_RANGE'], 2);
        $range = isset($parts[1]) ? $parts[1] : '';
        list($range) = explode(',', $range, 2);
        $parts = explode('-', $range, 2);
        $range = intval($parts[0]);
        //missing or oversized end offset is clamped to the last byte of the file
        $range_end = (empty($parts[1])) ? ($size-1) : min(intval($parts[1]), $size-1);

        //Reject ranges that fall outside the file instead of reading past its end
        if($range > $range_end || $range >= $size)
        {
            header("HTTP/1.1 416 Requested Range Not Satisfiable");
            header("Content-Range: bytes */$size");
            die();
        }

        $new_length = ($range_end-$range+1);
        header("HTTP/1.1 206 Partial Content");
        header("Content-Length: $new_length");
        header("Content-Range: bytes $range-$range_end/$size");
    }
    else
    {
        $new_length = $size;
        header("Content-Length: $size");
    }

    /* output the file itself */
    $chunksize = 1*(1024*1024); //you may want to change this
    $bytes_sent = 0;
    if ($fp = fopen($file, 'rb'))
    {
        if($range > 0) { fseek($fp, $range); }

        while(!feof($fp) && (!connection_aborted()) && ($bytes_sent<$new_length) )
        {
            //never read past the end of the requested range
            $buffer = fread($fp, min($chunksize, $new_length-$bytes_sent));
            print($buffer); //echo($buffer); // is also possible
            flush();
            $bytes_sent += strlen($buffer);
        }
        fclose($fp);
        die();
    }

    //Could not open the file
    die('Error - can not open file.');
}

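The download script above turns a database row into a path under the non-public folder. One check worth adding in front of output_file() is that the resolved path really stays inside that folder, since a stored name such as "../../etc/passwd" or a symlink left in the folder would otherwise pass straight through. The following is an added example, not code from the posts above; it keeps the thread's folder name "secured_docs" but the function names (resolve_secured_path, serve_document) and the temp-directory demo are assumptions made here for illustration.

```php
<?php
// Added example (not from the original thread): canonicalise a document name under the
// non-public folder and refuse anything that resolves outside it, before serving the file.

/**
 * Return the canonical path of $name inside $baseDir, or null if the name is empty,
 * contains a NUL byte, does not exist, or resolves (via ".." or a symlink) to a
 * location outside $baseDir.
 */
function resolve_secured_path(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    // realpath() collapses "." and ".." and follows symlinks; it returns false
    // when any path component is missing, which is also a rejection here
    $target = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($target === false) {
        return null;
    }
    // containment check: the canonical target must start with "<base>/"
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($target) ? $target : null;
}

/**
 * Web entry point (hypothetical): the client only supplies an id; the stored name is
 * looked up server-side by the caller and still validated, because the database row
 * is not a trust boundary for path construction.
 */
function serve_document(bool $loggedIn, ?string $storedName, string $baseDir): void
{
    if (!$loggedIn) {
        header('HTTP/1.1 403 Forbidden');
        exit('Not authorised.');
    }
    $path = resolve_secured_path($baseDir, (string) $storedName);
    if ($path === null) {
        header('HTTP/1.1 404 Not Found');
        exit('Document not found.');
    }
    header('Content-Type: application/octet-stream');
    header('Content-Length: ' . filesize($path));
    header('Content-Disposition: attachment; filename="' . str_replace('"', '', basename($path)) . '"');
    readfile($path);
    exit;
}

// Command-line demo on a constructed folder, so the check can be exercised offline:
// one legitimate file inside secured_docs, one file outside it, and a symlink that
// points from inside the folder to the outside file.
if (PHP_SAPI === 'cli') {
    $base = sys_get_temp_dir() . '/secured_docs_' . bin2hex(random_bytes(4));
    mkdir($base, 0700);
    file_put_contents($base . '/report.pdf', '%PDF-1.4 demo');
    $outside = tempnam(sys_get_temp_dir(), 'outside_');
    symlink($outside, $base . '/escape.link');

    $cases = ['report.pdf', '../' . basename($outside), 'escape.link', ''];
    foreach ($cases as $name) {
        $resolved = resolve_secured_path($base, $name);
        printf("%-28s => %s\n", var_export($name, true),
               $resolved === null ? 'REJECTED' : 'ok: ' . basename($resolved));
    }

    unlink($base . '/escape.link');
    unlink($base . '/report.pdf');
    rmdir($base);
    unlink($outside);
}
```

Run it with php on the command line to see which of the constructed names survive the check. Note that the comparison is done on the output of realpath() for both sides, so a symlink inside secured_docs that targets another directory is rejected even though its own path is under the folder; a plain string comparison on the unresolved path would miss that case.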
