php-general Digest 16 Aug 2010 03:57:31 -0000 Issue 6895

Topics (messages 307482 through 307485):

Re: Need to check pdf for xss
        307482 by: Ashley Sheridan

login to protected directory by php
        307483 by: Ali Asghar Toraby Parizy
        307484 by: Ashley Sheridan
        307485 by: kranthi


----------------------------------------------------------------------
--- Begin Message ---
On Sun, 2010-08-15 at 11:51 +0200, Sebastian wrote:

> OK, thanks to everyone. I will check the images with imagick and leave the
> pdfs to Adobe's responsibility. One worry less.


Also, if you're really worried, try suggesting people use an alternative
pdf reader. There are quite a few to choose from, that all do well at
displaying a standard pdf. The areas they tend to lack are embedded
objects like scripts, video, etc, but those don't really (imho) belong
in a pdf anyway.

Thanks,
Ash
http://www.ashleysheridan.co.uk



--- End Message ---
--- Begin Message ---
All files (web pages, pictures, and exe files) and folders in a directory
should be protected against anonymous users.
I create an application with php and mysql for registered users. When a user
registers, its information will be saved in the database and its username and
password will be added to the .htpass file, so registered users can reach the
protected area.
But the browser prompts a login dialog when users want to access this folder.
How can I run the login process with php?
Thanks


On Sat, Aug 14, 2010 at 4:23 PM, chris h <chris...@gmail.com> wrote:

> it sounds as if apache - or whatever your http server is - is not aware of
> your php script.  All apache knows is that someone is trying to access a
> directory or file that is protected, it does not know that it should send
> that request to the php script for a login.
>
> What are the protected resources that you want a login for?
>
>
> On Sat, Aug 14, 2010 at 1:52 AM, Ali Asghar Toraby Parizy <
> aliasghar.tor...@gmail.com> wrote:
>
>> Hi
>> The php script is in another folder. I set 'PHP_AUTH_USER' and 'PHP_AUTH_PW'
>> in the login script, then try to open the file in the protected directory. The
>> php file is not in the protected realm.
>>
>>
>> On Sat, Aug 14, 2010 at 3:26 AM, chris h <chris...@gmail.com> wrote:
>>
>>> Based off what you're saying, my guess is that the request is not hitting
>>> your php script.
>>>
>>> Is the php script in the protected directory? If so, what is its file
>>> name and what url are you hitting for the test?
>>>
>>>
>>> Chris.
>>>
>>>
>>> On Fri, Aug 13, 2010 at 6:21 PM, Ali Asghar Toraby Parizy <
>>> aliasghar.tor...@gmail.com> wrote:
>>>
>>>> Hi. I have a protected directory in my host. I have configured .htaccess
>>>> successfully and it works perfectly.
>>>> Now I'm looking for a solution to login and logout by a php script.
>>>> In my site I have a login page. In that page I set 'PHP_AUTH_USER' and
>>>> 'PHP_AUTH_PW', but when I try to open the protected directory, the user
>>>> authentication dialog appears.
>>>> How can I do this? What is my error?
>>>>
>>>> --
>>>> Ali Asghar Torabi
>>>>
>>>
>>>
>>
>>
>> --
>> Ali Asghar Torabi
>>
>
>


-- 
Ali Asghar Torabi




--- End Message ---
--- Begin Message ---
On Sun, 2010-08-15 at 22:15 +0430, Ali Asghar Toraby Parizy wrote:

> All files (web pages, pictures, and exe files) and folders in a directory
> should be protected against anonymous users.
> I create an application with php and mysql for registered users. When a user
> registers, its information will be saved in the database and its username and
> password will be added to the .htpass file, so registered users can reach the
> protected area.
> But the browser prompts a login dialog when users want to access this folder.
> How can I run the login process with php?
> Thanks
> 
> 
> On Sat, Aug 14, 2010 at 4:23 PM, chris h <chris...@gmail.com> wrote:
> 
> > it sounds as if apache - or whatever your http server is - is not aware of
> > your php script.  All apache knows is that someone is trying to access a
> > directory or file that is protected, it does not know that it should send
> > that request to the php script for a login.
> >
> > What are the protected resources that you want a login for?
> >
> >
> > On Sat, Aug 14, 2010 at 1:52 AM, Ali Asghar Toraby Parizy <
> > aliasghar.tor...@gmail.com> wrote:
> >
> >> Hi
> >> The php script is in another folder. I set 'PHP_AUTH_USER' and 'PHP_AUTH_PW'
> >> in the login script, then try to open the file in the protected directory. The
> >> php file is not in the protected realm.
> >>
> >>
> >> On Sat, Aug 14, 2010 at 3:26 AM, chris h <chris...@gmail.com> wrote:
> >>
> >>> Based off what you're saying, my guess is that the request is not hitting
> >>> your php script.
> >>>
> >>> Is the php script in the protected directory? If so, what is its file
> >>> name and what url are you hitting for the test?
> >>>
> >>>
> >>> Chris.
> >>>
> >>>
> >>> On Fri, Aug 13, 2010 at 6:21 PM, Ali Asghar Toraby Parizy <
> >>> aliasghar.tor...@gmail.com> wrote:
> >>>
> >>>> Hi. I have a protected directory in my host. I have configured .htaccess
> >>>> successfully and it works perfectly.
> >>>> Now I'm looking for a solution to login and logout by a php script.
> >>>> In my site I have a login page. In that page I set 'PHP_AUTH_USER' and
> >>>> 'PHP_AUTH_PW', but when I try to open the protected directory, the user
> >>>> authentication dialog appears.
> >>>> How can I do this? What is my error?
> >>>>
> >>>> --
> >>>> Ali Asghar Torabi
> >>>>
> >>>
> >>>
> >>
> >>
> >> --
> >> Ali Asghar Torabi
> >>
> >
> >
> 
> 
> -- 
> Ali Asghar Torabi
> 
> 
> 


The two login processes are separate from each other. The .htaccess
method is handled by Apache, completely apart from PHP. I believe it is
possible, but is unreliable because of the way different browser/server
combinations behave.

Your best bet is to store these files outside of the web root, and access
them with a URL like this:

file.php?id=123456

your web route might be something like /var/www/html/yoursite
(where /var/www/html is the web root)
your documents and secure files could be at /var/www/files/yoursite

In your DB, the file id 123456 maps to a specific file on the hosting.
This file isn't accessible from the web normally, so PHP will have to
use something like fpassthru() to open and dump the contents to the browser
(obviously sending the correct header() mime type, etc). The advantage
to this is you can use your PHP login system, and check each file
download attempt against the session to ensure they are a valid user who
should be able to access this file. Also, the obfuscation of the
filename means that someone is less likely to guess at a filename. The
id itself can be anything from a hash of the filename to an auto
increment id in the DB.

Thanks,
Ash
http://www.ashleysheridan.co.uk



--- End Message ---
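
The file.php?id=123456 approach described in the message above, as an added example that is not part of the original thread. The `files` table and its columns, the `user_id` session key, and the database credentials are assumptions made for illustration; the storage path is the one given in the message.

```php
<?php
// Added illustration of file.php?id=123456 (not code from the thread).
// Assumed: table files(id, owner_id, stored_name, mime_type); the application's
// own login sets $_SESSION['user_id']; DSN and credentials are placeholders.
session_start();

const FILE_ROOT = '/var/www/files/yoursite';   // outside the web root

// 1. Only a logged-in PHP session may request files.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Login required');
}

// 2. Accept an integer id only; a path is never taken from the request.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === null || $id === false) {
    http_response_code(400);
    exit('Bad id');
}

// 3. Map the id to a file and check that this user is allowed to read it.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'app_password',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$stmt = $pdo->prepare('SELECT stored_name, mime_type FROM files WHERE id = ? AND owner_id = ?');
$stmt->execute([$id, $_SESSION['user_id']]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// 4. Resolve the path and confirm it still lies under FILE_ROOT (guards
//    against a bad DB row or a symlink pointing elsewhere).
$path = $row ? realpath(FILE_ROOT . '/' . basename($row['stored_name'])) : false;
if ($path === false || strncmp($path, FILE_ROOT . '/', strlen(FILE_ROOT) + 1) !== 0 || !is_file($path)) {
    http_response_code(404);   // same answer for "no such id" and "not yours"
    exit('Not found');
}
$fh = fopen($path, 'rb');
if ($fh === false) {
    http_response_code(500);
    exit('Cannot open file');
}

// 5. Send the headers, then stream the contents to the browser.
header('Content-Type: ' . $row['mime_type']);
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="' . rawurlencode(basename($path)) . '"');
header('X-Content-Type-Options: nosniff');
fpassthru($fh);
fclose($fh);
```

Returning the same 404 for an unknown id and for a file owned by someone else keeps the script from confirming which ids exist, which matters when the id is an auto-increment value.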
--- Begin Message ---
I would configure apache to let the php interpreter handle all kinds of
extensions ( http://httpd.apache.org/docs/2.0/mod/mod_mime.html#addhandler )

Even then you'll have to go through all the steps pointed out by Ash.
The only advantage of this method is a more user friendly URL.

--- End Message ---
