the "proper way" i know of is not the easiest to implement..;

1) create a php script that accepts enough parameters to get at your data.
eg: /products/view.php?dataNr=1&itemNr=1
2) let that script compare the current user (visitor who's logged in)
to authentication data that tells which it if the user can access the
data requested. if it fails, you can route the user to a std page or
to a custom page (store in auth-data under "onFail")
3) use apache's RewriteRule in /products/.htaccess to point virtual
urls  to the view script; /products/data1/item_1/data.txt =
/products/view.php?dataNr=1&itemNr=1&file=data.txt (or something like

the main problem here is how to properly store authentication data.
how far to go depends on your (future) requirements.

for my cms i went all the way and copied the unix filesystem
permission architecture (incl the concept of users in groups) to work
from mysql on an object-cloud (mapped to any "path(s)" elsewhere).

but you can just as easilly just map userIDs to array records
containing the keys that view.php works on. sorta like:
global $permissions;
$permissions = array (
  100 => array(
    array (
     dataNr => 1,
     itemNr => 1,
     fileID => 'data.txt',
     mayRead => true,
     mayWrite => false
    (...other objects user 100 has permissions for...)
  userID => permissionsList

you could use username instead of userid even, but i recommend against
that if you're going to store user-definition records in a db, of

On Fri, Feb 19, 2010 at 7:19 PM, Michael Stroh <> wrote:
> I have a site I'm working on with some data that I want to be readable by 
> anyone, but some files that I want to keep hidden from outside users. Here is 
> an example of my file structure.
> /products/data1/item_1/data.txt
> /products/data2/item_2/data.txt
> I would like everything in data1 to be available by anyone who visits the 
> site, but I want to keep items in the data2 folder to only be accessible 
> through certain web page which I hope to eventually require logins. Some of 
> these items I'd like to not only display but also allow people to download.
> My main concern is that I don't want people to be able to guess the names of 
> the files and then be able to access the information on them. Every 'item' 
> has an entry in a MySQL database which holds some information. I was thinking 
> I could have randomly generated folder names to take the place of the things 
> like 'item_2' such as
> /products/data2/kl23j42i/data.txt
> and then link the folder name through a database entry. But I'm not sure if 
> there are more elegant or easier ways to deal with this. Plus someone could 
> still just try randomly querying the site until they get a match. I'd first 
> like to just create a web page where you can go to access the hidden files 
> but would later like to add more control for other users using logins and 
> passwords.
> Most of my files are just text files and images. Any suggestions?
> Thanks in advance!
> Michael
> --
> PHP General Mailing List (
> To unsubscribe, visit:

PHP General Mailing List (
To unsubscribe, visit:

Reply via email to