stubarny Posted August 20, 2011 Share Posted August 20, 2011 Hello, I have a form for uploading CV files into a CV database. Once the files are uploaded to their directory (e.g. www.jobsboard.com/cvdatabase/) please could someone tell me how to restrict access to users? e.g. once a user logs into their userpanel they should be able to click on a hyperlink to download a CV e.g. (www.jobsboard.com/cvdatabase/CV1.doc) but a user who isn't logged in shouldn't be able to access www.jobsboard.com/cvdatabase/CV1.doc Please could you tell me whether this is possible? Many thanks, Stu Link to comment https://forums.phpfreaks.com/topic/245289-protecting-uploaded-cvs/ Share on other sites More sharing options...
tomfmason Posted August 20, 2011 Share Posted August 20, 2011 why not have the user linked to a script like download.php?file=yourcsv. In download.php you would check to see if they are logged in, check to make sure the csv file requested exists and then simply use headers to force a download <?php header("Content-type: application/csv"); header("Content-Disposition: attachment; filename=file.csv"); header("Pragma: no-cache"); header("Expires: 0"); echo file_get_contents("file.csv"): ?> That code would obviously need some work and was only meant to serve as a ruff example Link to comment https://forums.phpfreaks.com/topic/245289-protecting-uploaded-cvs/#findComment-1259812 Share on other sites More sharing options...
stubarny Posted August 20, 2011 Author Share Posted August 20, 2011 Hi tomfmason, Many thanks, very interesting. If I use file_get_contents would the user be able to see the file directory of the target file? (either in the download window or in the downloaded file properties?) - just thinking of security... Stu Link to comment https://forums.phpfreaks.com/topic/245289-protecting-uploaded-cvs/#findComment-1259820 Share on other sites More sharing options...
tomfmason Posted August 20, 2011 Share Posted August 20, 2011 okay, I got bored and decided to go a head and do this for you download.php <?php function userAuthorized() { //implement your code here for user authorization return true; } $download_dir = "/path/to/download/dir/"; $filename = basename($_GET['file']); $file = $download_dir . $filename . ".csv"; $path = realpath($file); if(($path !== false) && file_exists($file)) { if(userAuthorized()) { header("Content-type: application/csv"); header("Content-Disposition: attachment; filename=$filename.csv"); header("Pragma: no-cache"); header("Expires: 0"); echo file_get_contents($file); } else { header('HTTP/1.0 401 Unauthorized'); echo "You must be logged in to download this file"; } } else { header('HTTP/1.0 401 Unauthorized'); echo "No such file"; } ?> Also, here is a simple rewrite rule that will allow you to do like downloads/yourcsv.csv instead of downloads/download.php?file=yourcsv RewriteEngine on RewriteRule ([^/\.]+)/?.csv$ download.php?file=$1 [L] Link to comment https://forums.phpfreaks.com/topic/245289-protecting-uploaded-cvs/#findComment-1259841 Share on other sites More sharing options...
stubarny Posted August 20, 2011 Author Share Posted August 20, 2011 Blimey, Thanks tomfmason! :-) Link to comment https://forums.phpfreaks.com/topic/245289-protecting-uploaded-cvs/#findComment-1259881 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.