on 22/08/02 2:15 AM, Roger Lewis ([EMAIL PROTECTED]) wrote:

> Well, I originally searched for "protect file downloads".  I also searched
> "protect individual files", "protect files", "authenticate files", and on
> and on.  There are thousands of messages, but very few with relevant titles
> or content.

I was giving you exact subject lines from threads, not suggested search
terms.  And I also advised that they were VERY recent threads.

> One point to consider: I have no control over the files
> themselves.  They are being uploaded to the document directories by end
> users, so I do not know the file names.

That's fine.  There's plenty of code for file uploading, including the PHP
manual which has a full example.  When you move_uploaded_file(), you need to
move it to the target directory of "restricted download files".

> What I am trying to do is prevent
> someone who knows the path to the file from being able to gain access to it
> without authorization.

I understand what you're trying to achieve, and it IS asked on here weekly.

Sigh, again, here's the components you need:

1. an authorisation/session/user system of some form, based on PHP... in
other words, I login via a PHP script, and then I walk around your site as a
validated user.

2. a file storage method which enables you to store files in your disc
hierarchy, but does not allow the files to be DIRECTLY served via HTTP.

The two methods for this are:
a) store your files ABOVE your web document root

b) store your files within (below) your document root, and prevent them from
being served by the use of a htaccess file.

For this, place a file named .htaccess in the directory you want to protect
(eg mydocroot/mp3/) with something like this in it:

<Files ~ "\.inc$">
    Order Allow,Deny
    Deny from all
</Files>

The above code prevents all *.inc files from being served via HTTP.
Changing "\.inc$" to "\.mp3$" would refuse serving of all MP3 files.

I'm NOT an apache geek at all, but my guess is that

<Files ~ ".*">
    Order Allow,Deny
    Deny from all
</Files>

Will refuse all files within the dir you place the .htaccess file.

3. you need a script which checks for a validated user, offers a range of
files that can be downloaded, then when you click on one, checks you're a valid
user, sets the correct mime-type, and parses the file through the PHP
script to your browser.

All of this is available in the Zend article I posted:
> http://www.zend.com/zend/trick/tricks-august-2001.php

So, now you should have everything you need.

Justin French
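
The three components listed in the message above, combined into one download script. This is an added example, not code from the original post or from the Zend article it links to; the storage path, the `user_id` session key and the `file` query parameter are assumptions.

```php
<?php
declare(strict_types=1);

// Assumption: uploads are stored outside the document root (method "a" above).
const STORE_DIR = '/var/www/restricted_downloads';

// Map a user-supplied file name to a real path inside $storeDir, or null.
function resolve_download(string $storeDir, string $requested): ?string
{
    $base = realpath($storeDir);
    if ($base === false || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // basename() drops any directory part; realpath() resolves symlinks and "..".
    $path = realpath($base . DIRECTORY_SEPARATOR . basename($requested));
    if ($path === false || !is_file($path)) {
        return null;
    }
    // Containment check: the resolved path must still sit under the store.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

session_start();
if (empty($_SESSION['user_id'])) {   // assumed to be set by your login script
    http_response_code(403);
    exit('Not authorised');
}

$requested = $_GET['file'] ?? '';    // assumed parameter name
$path = is_string($requested) ? resolve_download(STORE_DIR, $requested) : null;
if ($path === null) {
    http_response_code(404);
    exit('No such file');
}

// Detect the type from content, since the uploader chose the file name.
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($path) ?: 'application/octet-stream';
header('Content-Type: ' . $mime);
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . filesize($path));
// Force a download and keep the uploaded name from breaking header syntax.
$safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
header('Content-Disposition: attachment; filename="' . $safeName . '"');
readfile($path);
```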

PHP General Mailing List (http://www.php.net/)