Can I Protect a Directory with simple php?


Guernica


I wanna know if I can protect a folder with php (mysql tables) and all the files in it. I only want these files to be accessible to members who fall under a certain (usergroupid) in the members table in my mysql database. Can this be done? If so, can you please give a little info on how? Thank you very much!!


OOoooo, so it won't show up in the address bar? Like:

 

<?php

if($access == 1) {
  header("Location: fileurl");
}

 

like that? However, what if someone was given the direct link? Like:

 

http://www.site.com/file.rar

 

If they were given that, there would be no way to verify access? Thanks.


http://www.apacheweek.com/features/userauth

 

 

This will help ^^ You need to use .htaccess

 

Yes, but I don't think it's easy to use .htaccess/.htpasswd with mysql tables checking. =/ Thanks!

 

You could just take the data from the mysql tables (I would imagine it would be users, right?) and write those users to a .htaccess. Anything I can possibly think of to be done in PHP could be pretty easily exploited. I know your code above wouldn't be very difficult at all to exploit. I dunno though, I can't wrap my head around what you're really trying to do.


Pulling the users' usernames/passwords to a .htaccess would be nice if I could, but how can you do that?

 

In simplest terms, I am trying to give protection to a specified directory with the usernames and passwords found in a table in a mysql database. =/

 

Thanks!!
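
The idea raised above, writing database users into the password file that .htaccess points to through AuthUserFile, shown as an added example that is not part of the original posts. The column names (`name`, `mgroup`, `bcrypt`), the group ids treated as permitted and the output path are assumptions; it also assumes the table holds bcrypt hashes from password_hash(), a format Apache 2.4 password files accept, because hashes stored in an application's own format cannot simply be copied across.

```php
<?php
// Added example: build an Apache password file from member rows.

/** Return "user:hash" lines for members whose group is in $allowedGroups. */
function build_htpasswd(array $members, array $allowedGroups): string
{
    $lines = [];
    foreach ($members as $m) {
        if (!in_array((int) $m['mgroup'], $allowedGroups, true)) {
            continue; // not in a permitted group
        }
        // ':' separates fields and a newline separates records, so a name
        // containing either would corrupt the file or add a stray account.
        if ($m['name'] === '' || preg_match('/[:\r\n]/', $m['name'])) {
            continue;
        }
        // Assumption: hashes come from password_hash(..., PASSWORD_BCRYPT).
        if (strpos($m['bcrypt'], '$2y$') !== 0) {
            continue; // skip anything that is not a bcrypt hash
        }
        $lines[] = $m['name'] . ':' . $m['bcrypt'];
    }
    return $lines ? implode("\n", $lines) . "\n" : '';
}

/** Write to a temp file, then rename, so readers never see a partial file. */
function write_htpasswd(string $target, string $contents): bool
{
    $tmp = tempnam(dirname($target), 'htp');
    if ($tmp === false || file_put_contents($tmp, $contents) === false) {
        return false;
    }
    chmod($tmp, 0640);
    return rename($tmp, $target);
}

// Constructed rows standing in for a SELECT on the members table.
$members = [
    ['name' => 'alice', 'mgroup' => 4, 'bcrypt' => password_hash('sample-pw-1', PASSWORD_BCRYPT)],
    ['name' => 'bob', 'mgroup' => 3, 'bcrypt' => password_hash('sample-pw-2', PASSWORD_BCRYPT)],
    ['name' => "eve:x\n", 'mgroup' => 7, 'bcrypt' => password_hash('sample-pw-3', PASSWORD_BCRYPT)],
];
$file = build_htpasswd($members, [4, 7]);
write_htpasswd(sys_get_temp_dir() . '/htpasswd.example', $file);
echo $file;
```

The file has to be rebuilt whenever a member's group or password changes, otherwise Apache keeps accepting the old entry.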


Here's some code I work with that does what you want. If the session is set properly, it will give the file to the user. There is no way to link directly to the file; they must go through this script, therefore making it secure.

 

<?php
session_start();
if(!isset($_SESSION['userid']) || $_SESSION['level']==2){
	echo 'Access Denied!';
	exit();
}
include("../dtf_dbc.php");
$fileid=mysql_real_escape_string($_GET['fileid']);
$get=mysql_query("SELECT fname, path FROM dtf_files WHERE id='$fileid'");
if(mysql_num_rows($get)==1){
	$row=mysql_fetch_array($get);
	$basefilename=$row[0];
	$filename=$row[1].$row[0];
	if(false !== ($fh = fopen($filename, 'r'))){
		header("Pragma: public");
		header("Expires: 0"); 
		header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
		header("Cache-Control: private", false);

		$ext=strtolower(substr($basefilename,strlen($basefilename)-3, 3));
		if ($ext == "mp3" ) { header("Content-Type: audio/x-mp3"); }
		else if ($ext == "txt") { header("Content-Type: text/plain"); }
		else if ($ext == "jpg") { header("Content-Type: image/jpeg"); }
		else if ($ext == "gif") { header("Content-Type: image/gif"); }
		else if ($ext == "png") { header("Content-Type: image/png"); }
		else if ($ext == "swf") { header("Content-Type: application/x-shockwave-flash"); }
		else if ($ext == "flv") { header("Content-Type: video/flv"); }
		else { header("Content-type: application/octet-stream"); }

		header("Content-Disposition: attachment; filename=\"".basename($filename)."\";" );
		header("Content-Transfer-Encoding: binary");
		header("Content-Length: ".filesize($filename));
		readfile($filename);
		fclose($fh);	// close the handle returned by fopen(), not the path string
	}
	else{
		echo '<div class="error">Failed opening file!</div>';
	}
}
else{
	echo '<div class="error">Failed retrieving file information from database!</div>';
}
?>


Thanks, really appreciate it.

 

However:

 

	$ext = strtolower(substr($basefilename,strlen($basefilename)-3, 3));

		header("Content-Disposition: attachment; filename=\"".basename($filename)."\";" );
		header("Content-Transfer-Encoding: binary");
		header("Content-Length: ".filesize($filename));

 

Where am I getting the variables, $basefilename and $filename? Thanks!


Yes, but the files aren't in a mysql table, the users are. The files are just stored in the directory 'downloads'. =/

 

I made it look like this so far:

 

<?php
// Runs before any HTML so session_start() and header() can still send headers.
session_start();

include('include/config.php');

// The cookie is client-controlled: cast it to int so it cannot change the query.
$member_id = isset($_COOKIE['member_id']) ? (int) $_COOKIE['member_id'] : 0;
if($member_id == 0){
	echo 'Access Denied!';
	exit();
}

$sql = mysql_query("SELECT * FROM ibf_members WHERE id = $member_id");
$row = mysql_fetch_assoc($sql);	// false when no member matches

// Compare the group id directly; "!= md5(7) || md5(4)" was always true.
if($row && $row['mgroup'] != 7 && $row['mgroup'] != 4) {
	$loggedin = 1;

	header("Pragma: public");
	header("Expires: 0");
	header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
	header("Cache-Control: private", false);

	// $basefilename and $filename still have to be set before this point.
	$ext = strtolower(substr($basefilename,strlen($basefilename)-3, 3));
	if ($ext == "mp3") { header("Content-Type: audio/x-mp3"); }
	else if ($ext == "txt") { header("Content-Type: text/plain"); }
	else if ($ext == "jpg") { header("Content-Type: image/jpeg"); }
	else if ($ext == "gif") { header("Content-Type: image/gif"); }
	else if ($ext == "png") { header("Content-Type: image/png"); }
	else if ($ext == "swf") { header("Content-Type: application/x-shockwave-flash"); }
	else if ($ext == "flv") { header("Content-Type: video/flv"); }
	else { header("Content-type: application/octet-stream"); }

	header("Content-Disposition: attachment; filename=\"".basename($filename)."\";" );
	header("Content-Transfer-Encoding: binary");
	header("Content-Length: ".filesize($filename));
} else {
	die("<div class='error'>You do not have permission to view this file!</div>");
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Uber Access</title>
</head>

<body>
</body>
</html>
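
A download gate for the situation described in this thread (files sitting in a directory, group membership held in the members table), shown as an added example that is not code from any poster. It assumes the login code has already stored `member_id` and `mgroup` in `$_SESSION` from the database rather than trusting a cookie; the `file` query parameter, the directory path and the choice of groups 4 and 7 as permitted are likewise assumptions.

```php
<?php
// Added example: serve files from a private directory to permitted groups.
// Assumption: the directory is outside the web root (or the server denies
// direct requests to it), otherwise a direct URL bypasses this script.
const DOWNLOAD_DIR   = '/var/www/private/downloads'; // hypothetical path
const ALLOWED_GROUPS = [4, 7];                       // hypothetical group ids

/** Map a requested name to a real file inside $baseDir, or null. */
function resolve_download(string $requested, string $baseDir): ?string
{
    // Plain file names only: no separators, no leading dot, no quotes.
    if (!preg_match('/^[A-Za-z0-9_-][A-Za-z0-9._-]*\z/', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // realpath() follows symlinks, so re-check the result is still inside.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

/** Group check against values the login code stored server-side. */
function may_download(array $session, array $allowedGroups): bool
{
    return isset($session['member_id'], $session['mgroup'])
        && in_array((int) $session['mgroup'], $allowedGroups, true);
}

if (PHP_SAPI !== 'cli') { // request handling, skipped on the command line
    session_start();
    if (!may_download($_SESSION, ALLOWED_GROUPS)) {
        http_response_code(403);
        exit('Access denied');
    }
    $name = isset($_GET['file']) && is_string($_GET['file']) ? $_GET['file'] : '';
    $path = resolve_download($name, DOWNLOAD_DIR);
    if ($path === null) {
        http_response_code(404);
        exit('File not found');
    }
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}
```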
