[PHP-DB] .htaccess and db authentication

2002-10-14 Thread Adam Royle

I was wondering about people's thoughts on file security through PHP 
using database authentication.

Take the following example:

I have a folder (in webroot) called /videos/ which contains a heap of 
files like so:

video_1_14-06-2002.mpg
video_2_15-06-2002.mpg
video_3_16-06-2002.mpg
video_4_17-06-2002.mpg

Now, in a database I have a table with a heap of users, with some sort of 
security identifier which allows them to access only the files they are 
given access to. Now, doing this in PHP is no problem, but I want to be 
able to stop them from 'predicting' what the next filename would be and 
just typing that in.

I thought about using .htaccess, where if they try to access one of the 
files, it sends it off to a PHP page which authenticates and displays a 
list of files they are allowed to view, although I would like it if 
they had the opportunity to type in the URL of the file if they are 
actually authorized to do so.

I would prefer not to keep a file listing of allowed usernames and 
passwords using .htaccess, as this information could potentially be 
updated frequently with a large amount of users (or would this not be a 
problem).

Has anyone implemented this type of system before? Are there any good 
resources people know of for this type of thing?

Thanks,
Adam.


-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP-DB] .htaccess and db authentication

2002-10-14 Thread Marco Tabini

How about using PHP as a pipe to funnel the MPG files through:

<?php
// Place your security logic here and exit if
// auth is not successful

// $filename is the path of the file
// to serve

header('Content-Type: video/mpeg');
readfile($filename);
?>

This way you can place your MPG files completely outside the server root
and your users will have to go through your scripts in order to even get
to them. Even better, they won't be able to bookmark them because even
if they do they'll still have to go through your script (you could even
add a random token to the URL so that they can't bookmark the files at
all).


Marco





RE: [PHP-DB] .htaccess and db authentication

2002-10-14 Thread John W. Holmes

Store the files outside of your web root or in an .htaccess protected
directory. You don't have to control an .htaccess password list, just
let PHP handle the sending of the file. 

Validate your user and whether they should be looking at the file they
requested, then use header() to send the appropriate header for the file
and use readfile() to send the data.

---John Holmes...
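
The approach in the two replies above (files kept outside the web root, PHP validating the user and then sending the file with header() and readfile()), as an added example that is not code from any poster in the thread. The table and column names, the session key, the DSN, VIDEO_DIR and the script name download.php are assumptions; the request carries a numeric id rather than a filename, so the predictable naming pattern never appears in a URL.

```php
<?php
// Added example, not code from the thread. Table and column names, the
// session key, the DSN and VIDEO_DIR are assumptions.
const VIDEO_DIR = '/srv/private/videos';   // assumed; outside the web root

// Absolute path if $userId has a grant for $fileId, otherwise null.
function authorizedPath(PDO $db, int $userId, int $fileId, string $dir): ?string
{
    $stmt = $db->prepare(
        'SELECT v.filename FROM videos v
           JOIN video_access a ON a.video_id = v.id
          WHERE v.id = ? AND a.user_id = ?'
    );
    $stmt->execute([$fileId, $userId]);
    $name = $stmt->fetchColumn();
    if ($name === false) {
        return null;                       // unknown id and missing grant look alike
    }
    // The name comes from the database, never from the URL; confine it anyway.
    $base = realpath($dir);
    $path = realpath($dir . '/' . basename($name));
    $inside = $base !== false && $path !== false
        && strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
    return $inside ? $path : null;
}

if (PHP_SAPI === 'cli') {                  // constructed demo data: php download.php
    $dir = sys_get_temp_dir() . '/videos_demo';
    is_dir($dir) || mkdir($dir);
    touch($dir . '/video_1_14-06-2002.mpg');
    touch($dir . '/video_2_15-06-2002.mpg');
    $db = new PDO('sqlite::memory:');
    $db->exec('CREATE TABLE videos (id INTEGER PRIMARY KEY, filename TEXT)');
    $db->exec('CREATE TABLE video_access (user_id INTEGER, video_id INTEGER)');
    $db->exec("INSERT INTO videos VALUES (1, 'video_1_14-06-2002.mpg'), (2, 'video_2_15-06-2002.mpg')");
    $db->exec('INSERT INTO video_access VALUES (7, 1)');   // user 7: video 1 only
    var_dump(authorizedPath($db, 7, 1, $dir) !== null);    // granted file
    var_dump(authorizedPath($db, 7, 2, $dir) !== null);    // guessed next id
    exit;
}

session_start();
$userId = $_SESSION['user_id'] ?? null;    // set by the login script
$fileId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
$db = new PDO('sqlite:/srv/private/app.db');               // assumed DSN
$path = ($userId && $fileId) ? authorizedPath($db, (int) $userId, $fileId, VIDEO_DIR) : null;
if ($path === null) { http_response_code(404); exit; }
header('Content-Type: video/mpeg');
header('Content-Length: ' . filesize($path));
readfile($path);
```

An authorized user can still type or bookmark download.php?id=1 directly, and the grant is checked again on every request.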
