stubarny Posted August 20, 2011

Hello,

I have a form for uploading CV files into a CV database. Once the files are uploaded to their directory (e.g. www.jobsboard.com/cvdatabase/) please could someone tell me how to restrict access to users?

e.g. once a user logs into their userpanel they should be able to click on a hyperlink to download a CV e.g. (www.jobsboard.com/cvdatabase/CV1.doc) but a user who isn't logged in shouldn't be able to access www.jobsboard.com/cvdatabase/CV1.doc

Please could you tell me whether this is possible?

Many thanks,

Stu

tomfmason Posted August 20, 2011

Why not have the user linked to a script like download.php?file=yourcsv. In download.php you would check to see if they are logged in, check to make sure the csv file requested exists and then simply use headers to force a download.

```php
<?php
// Send the file as a download instead of rendering it in the browser
header("Content-type: application/csv");
header("Content-Disposition: attachment; filename=file.csv");
header("Pragma: no-cache");
header("Expires: 0");

echo file_get_contents("file.csv");
?>
```

That code would obviously need some work and was only meant to serve as a rough example.

stubarny (Author) Posted August 20, 2011

Hi tomfmason,

Many thanks, very interesting. If I use file_get_contents would the user be able to see the file directory of the target file? (either in the download window or in the downloaded file properties?) - just thinking of security...

Stu

tomfmason Posted August 20, 2011

Okay, I got bored and decided to go ahead and do this for you.

download.php

```php
<?php
function userAuthorized() {
    // implement your code here for user authorization
    return true;
}

$download_dir = "/path/to/download/dir/";
// basename() strips any directory components from the requested name
$filename = basename($_GET['file']);
$file = $download_dir . $filename . ".csv";
$path = realpath($file);

if (($path !== false) && file_exists($file)) {
    if (userAuthorized()) {
        header("Content-type: application/csv");
        header("Content-Disposition: attachment; filename=$filename.csv");
        header("Pragma: no-cache");
        header("Expires: 0");

        echo file_get_contents($file);
    } else {
        header('HTTP/1.0 401 Unauthorized');
        echo "You must be logged in to download this file";
    }
} else {
    // a missing file is reported as 404, not 401
    header('HTTP/1.0 404 Not Found');
    echo "No such file";
}
?>
```

Also, here is a simple rewrite rule that will allow you to do like downloads/yourcsv.csv instead of downloads/download.php?file=yourcsv

```apache
RewriteEngine on
RewriteRule ([^/\.]+)/?\.csv$ download.php?file=$1 [L]
```

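An added example, not code from the thread: a hardened variant of the download.php approach in the answer above, streaming with readfile() and responding with only the file's base name. The storage directory outside the web root, the `user_id` session key and the extension list are assumptions.

```php
<?php
// download.php - added example, not code from the thread.
// Assumptions (hypothetical): CVs are stored outside the web root in
// CV_DIR, and the login code sets $_SESSION['user_id'] on success.
declare(strict_types=1);

const CV_DIR = '/var/www/private/cvdatabase';   // not reachable by URL
const ALLOWED_EXT = ['doc', 'docx', 'pdf'];

/** Map a requested name to a real file inside CV_DIR, or null if rejected. */
function resolveCv(string $requested, string $baseDir = CV_DIR): ?string
{
    // Allowlist the name: letters, digits, _ and -, then one known extension.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]+)$/', $requested, $m)
        || !in_array(strtolower($m[1]), ALLOWED_EXT, true)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    // realpath() resolves symlinks; the result must still sit under $base.
    if ($base === false || $path === false || !is_file($path)
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

session_start();
if (empty($_SESSION['user_id'])) {
    http_response_code(403);               // not logged in
    exit('You must be logged in to download this file');
}
$file = $_GET['file'] ?? '';
$path = is_string($file) ? resolveCv($file) : null;
if ($path === null) {
    http_response_code(404);               // bad name or missing file
    exit('No such file');
}
// Only the base name is sent to the browser; none of the headers or the
// body below contains the server-side directory.
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string) filesize($path));
header('Cache-Control: private, no-store');
readfile($path);                            // streams the file to the client
```

The check only protects the files if the directory itself cannot be requested directly, which is why the example keeps it outside the document root.
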
stubarny (Author) Posted August 20, 2011

Blimey, Thanks tomfmason! :-)