sirhawkeye Posted May 11, 2014

So I need to make a customized CMS-type site (unfortunately, for someone) and I wanted to know if there is a way that I can prevent direct file access to, say, ZIP, JPG, DOC, etc, type files but have a PHP script be able to "get" them (probably by using a MySQL database with the filenames and a unique numerical ID to protect the location of the files).

I'm aware of the HotLink protection offered by most sites, but basically I want a way so that in a page, a link could be put in like this (to retrieve a file):

```html
<a href="getfile.php?fileid=000000">Click here to get the file</a>
```

And whatever file links up with file ID 000000 would be placed somewhere on the site, in a folder such as:

/cms/content/documents/test1.doc

Any ideas on how to do this? Basically, I want to prevent hotlinking and also prevent people from seeing where the content is stored (to prevent direct linking from other sites).
Ch0cu3r Posted May 11, 2014

If you're storing the file location in the database then all you need to do is query the database to return the filepath that matches the fileid, example code:

```php
<?php
$mysqli = new mysqli('localhost', 'user', 'pass', 'database');

if (isset($_GET['fileid']) && ctype_digit($_GET['fileid'])) {
    // get filepath from database
    $stmt = $mysqli->prepare('SELECT filepath FROM files_table WHERE file_id = ?');
    $stmt->bind_param('i', $_GET['fileid']);
    $stmt->execute();
    $stmt->bind_result($filepath);

    // only continue if a row matched and the file exists on disk
    if ($stmt->fetch() && is_file($filepath)) {
        // output correct file content/mime type
        $finfo = new finfo(FILEINFO_MIME);
        header('Content-Type: ' . $finfo->file($filepath));
        // .. maybe send headers to prevent caching too?

        // output contents of the file
        readfile($filepath);
        exit;
    }
}

// send 404 error invalid request
header("HTTP/1.0 404 Not Found");
exit;
```

However this still won't prevent hotlinking as they can just link directly to getfile.php?fileid=xxxxx
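Added example, not part of any post in this thread: one way to narrow the gap noted above, where anyone can link straight to getfile.php?fileid=xxxxx, is to have the CMS print short-lived HMAC-signed links and have getfile.php reject anything unsigned or expired. `LINK_KEY`, `LINK_TTL`, `sign_link()` and `verify_link()` are hypothetical names, and the key value is a placeholder.

```php
<?php
declare(strict_types=1);

// Assumption: a server-side secret stored outside the web root (placeholder value).
const LINK_KEY = 'replace-with-32-random-bytes';
const LINK_TTL = 300; // seconds a generated link stays valid

// Build the URL the CMS page prints instead of a bare getfile.php?fileid=N.
function sign_link(int $fileId, int $now): string
{
    $expires = $now + LINK_TTL;
    $sig = hash_hmac('sha256', $fileId . '|' . $expires, LINK_KEY);
    return 'getfile.php?' . http_build_query(
        ['fileid' => $fileId, 'expires' => $expires, 'sig' => $sig]
    );
}

// Return the file id if the query is authentic and unexpired, otherwise null.
function verify_link(array $query, int $now): ?int
{
    $id  = $query['fileid']  ?? '';
    $exp = $query['expires'] ?? '';
    $sig = $query['sig']     ?? '';
    if (!is_string($id) || !is_string($exp) || !is_string($sig)
        || !ctype_digit($id) || !ctype_digit($exp)) {
        return null;
    }
    // Recompute the MAC over the same fields and compare in constant time.
    $expected = hash_hmac('sha256', (int)$id . '|' . (int)$exp, LINK_KEY);
    if (!hash_equals($expected, $sig) || (int)$exp < $now) {
        return null;
    }
    return (int)$id;
}

// Constructed demonstration: check a fresh link, a link whose id was
// changed after signing, and the same link after its lifetime has passed.
$now = time();
parse_str((string)parse_url(sign_link(42, $now), PHP_URL_QUERY), $q);
var_dump(verify_link($q, $now));
var_dump(verify_link(['fileid' => '43'] + $q, $now));
var_dump(verify_link($q, $now + LINK_TTL + 1));
```

In getfile.php, `verify_link($_GET, time())` would run before the database lookup, with a null result falling through to the 404 response. A copied link still works until it expires, so this limits hotlinking rather than eliminating it.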
sKunKbad Posted May 11, 2014

So, let's say your files are in a directory named foo, then in your .htaccess file:

```apache
RewriteEngine On
RewriteBase /
RewriteRule ^(foo) - [F,L]
```

Requests for files in foo will output a 403 error. PHP scripts will still have access.
sirhawkeye (Author) Posted May 12, 2014

Thanks. I think between these two responses, I should get what I'm looking for. Yes, the user will have the filename itself if they download the file BUT they won't have the full path to the file unless they hack the database I suppose to get the path to the files. All I need is HTML and PHP files to be able to execute, nothing else. Everything else should be "locked down" from direct access.