[SOLVED] Is there a way to stop direct linking to a pdf?

[rondog]

I have a folder full of pdfs. Is there a way to make it so someone cant just type in the path to the pdf?

[cooldude832]

.htaccess or better idea is store the pdf as binary in mysql and then create on demand.

[rondog]

unfortunatly the server I am going to be working on wont have MySQL and I cant use an outside DB. How would I go about doing it with .htaccess?

[tibberous]

You could make a cron script that renames all the pdf's md5(date('G')+'filename').pdf every hour.

 

Make a second folder, keep two copies, pick the folder based on date('G')%2, that way you files are good for 1 hour minimum.

 

Then on your index page, make all the links md5(date('G')+'filename').pdf, with a javascript function that refreshes the page every hour.

 

Or even better, get a javascript md5 function and update the links dynamically.

 

 

[rarebit]

Not that it blocks direct access, but is used as an intermediary (also logs...), just pass the name through as GET['item']... and store in a folder called 'dl/'...

<?php

function file_append($fn, $s)
{
$fp = fopen($fn, "a");	// use to append
$written = 0;
while ($written == 0)	// keep trying until lock is free
{
	if (flock($fp, LOCK_EX))
	{
		fwrite($fp, $s);
		flock($fp, LOCK_UN);
		$written = 1;
	}
}
fclose($fp);

return 0;
}

if(isset($_GET['item']))
{
$log = "log.txt";
$dir = "dl/";
$item = $_GET['item'];

if ( (strcmp($item, "") != 0) && (file_exists($dir.$item)) )
{
	//	LOG
	$rip = $_SERVER['REMOTE_ADDR'];
	$time = $_SERVER['REQUEST_TIME'];
	$method = $_SERVER['REQUEST_METHOD'];
	$link = substr($_SERVER['REQUEST_URI'], 0, 128);
	$agent = substr($_SERVER['HTTP_USER_AGENT'], 0, 128);

	$s = $item." : ".$rip." : ".$time." : ".$method." : ".$link." : ".$agent."\n";

	//$s = "hi\n";
	file_append($dir.$log, $s);

	//	REDIRECT TO FILE
	header('Location: '.$dir.$item);
}
else
{
	print "<html><head><title>DOWNLOAD</title></head><body>REQUEST ERROR<br></body></html>";
}
}
else
{
print "<html><head><title>ERROR</title></head><body>NO REQUEST FOUND!</body></html>";
}

?>

 

Basically it just use's 'header' to redirect!

[sljaxon]

Note: I am assuming you want a PHP script to "read" the PDF to the user.

 

Rarebit has the idea with the intermediary, which is needed, as mentioned later. To prevent direct access, this htaccess code will work:

 

deny from all

 

This should do exactly what you want.

If you have mod_rewrite enabled, you may want to redirect users to the "reading" script instead of blocking them.

If you want to do that, use this htaccess file:

 

RewriteBase /
RewriteRule (.*) read.php?file=$1 [QSA,L]

 

One point - due to the way your script may be coded and the fact you are using PDFs, this code may not work.

 

You cannot simply embed the PDF file in a HTML/PHP script, because that would be loaded client side by the PDF reader. Your script will need to read the PDF and then dynamically create a duplicate as rarebit's code does:

 

Not that it blocks direct access, but is used as an intermediary (also logs...), just pass the name through as GET['item']... and store in a folder called 'dl/'...

<?php

function file_append($fn, $s)
{
$fp = fopen($fn, "a");	// use to append
$written = 0;
while ($written == 0)	// keep trying until lock is free
{
	if (flock($fp, LOCK_EX))
	{
		fwrite($fp, $s);
		flock($fp, LOCK_UN);
		$written = 1;
	}
}
fclose($fp);

return 0;
}

if(isset($_GET['item']))
{
$log = "log.txt";
$dir = "dl/";
$item = $_GET['item'];

if ( (strcmp($item, "") != 0) && (file_exists($dir.$item)) )
{
	//	LOG
	$rip = $_SERVER['REMOTE_ADDR'];
	$time = $_SERVER['REQUEST_TIME'];
	$method = $_SERVER['REQUEST_METHOD'];
	$link = substr($_SERVER['REQUEST_URI'], 0, 128);
	$agent = substr($_SERVER['HTTP_USER_AGENT'], 0, 128);

	$s = $item." : ".$rip." : ".$time." : ".$method." : ".$link." : ".$agent."\n";

	//$s = "hi\n";
	file_append($dir.$log, $s);

	//	REDIRECT TO FILE
	header('Location: '.$dir.$item);
}
else
{
	print "<html><head><title>DOWNLOAD</title></head><body>REQUEST ERROR<br></body></html>";
}
}
else
{
print "<html><head><title>ERROR</title></head><body>NO REQUEST FOUND!</body></html>";
}

?>

 

Basically it just use's 'header' to redirect!

 

I'd be glad to answer any questions. You may also have special requirements, depending on exactly what you want to do with the PDF, such as advertisement insertion.

[Jessica]

I would put the PDFs in a non public folder, and then access them from there in PHP.

[rondog]

I am making a flash app that you have to login to which is already taken care of. The links in flash send to a php file called readpdf.php

<?php
session_start();
if ($_SESSION['approved'] != 'yes') {
header("Location: dlerror.php");
} else {
$filename = $_POST['fname'];
header('Content-type: application/pdf');
header("Content-Disposition: attachment; filename=\"$filename.pdf\"");
readfile("8d46y2g1/$filename.pdf");	
if (!file_exists($filename.pdf)) {
	die("NO FILE HERE");
    }
}
?>

 

As of right now the user has no way of knowing the direct path of the files. I stored them in a folder which is pretty much unguessable. Even if the user was to decompile the SWF file, the action script inside will only have the title of the pdf with no directories or anything. I just want to be sure that if by any chance someone finds the folder name they cant just type a path. Im thinking that a simple .htaccess should work, no? I dont really understand the scripts you guys provided. Im really new to php

[rondog]

ah actually you know what! that htaccess with 'deny from all' worked just fine. If I direct link to it they cant view it. My flash app is still able to read them though. That helped a ton thanks!