Re: [PHP] Protecting files with PHP

2003-07-17 Thread Andrew Brampton
Place a .htaccess in the files directory denying all access to it, and also
possibly redirecting them to a login page. However, since your users should
never know about the files/ directory there is no real point :)

Then code a PHP script to serve the files just in the same way you would if
they were outside of the public_html.
Since your PHP script will be reading the files from the file system they
will have no problem accessing the files and serving them out.

Hope that helps.

Andrew
- Original Message -
From: Maria Garcia Suarez [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, July 17, 2003 2:58 PM
Subject: [PHP] Protecting files with PHP


> Hi there!
>
> I'm developing an application to which you can upload
> files. Right now the destination folder of those files
> is at /public_html/files which makes them visible from
> the internet.
>
> I thought of putting that ./files/ folder outside the
> ./public_html/ folder and make those files be only
> accessible via PHP pages (if the pages don't display
> a link to that folder there's no way to download the
> file). But is there any way to keep on having the
> ./files/ folder inside ./public_html/ and have those
> files protected? Right now to identify users
> (authenticate them) I use session variables... it
> should be a protection that could be used together
> with session variables.
>
> Thanks a lot.
>
> Kisses,
> Maria



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Protecting files with PHP

2003-07-17 Thread Petre Agenbag
If you place files inside a webfolder, then they are publicly
accessible, period.

They might not be obvious, i.e. you would have to guess that there are
files in a specific folder AND know the exact name of the file, but if
you do happen to guess correctly, then the files are downloadable.

There are ways to still have files in public folders and have a
measure of extra protection, but that is up to your webserver, and not
PHP. Use .htaccess to place a username/password on the folder, or better
yet, you can use FTP, but then you place the files outside the
webfolder. PHP has built-in FTP functions that would allow you to create
a pretty secure system to give access to files.

On Thu, 2003-07-17 at 15:58, Maria Garcia Suarez wrote:
> Hi there!
>
> I'm developing an application to which you can upload
> files. Right now the destination folder of those files
> is at /public_html/files which makes them visible from
> the internet.
>
> I thought of putting that ./files/ folder outside the
> ./public_html/ folder and make those files be only
> accessible via PHP pages (if the pages don't display
> a link to that folder there's no way to download the
> file). But is there any way to keep on having the
> ./files/ folder inside ./public_html/ and have those
> files protected? Right now to identify users
> (authenticate them) I use session variables... it
> should be a protection that could be used together
> with session variables.
>
> Thanks a lot.
>
> Kisses,
> Maria
 



Re: [PHP] Protecting files with PHP

2003-07-17 Thread John Nichel
Petre Agenbag wrote:
> If you place files inside a webfolder, then they are publicly
> accessible, period.

Not true.  .htaccess turns a public directory into a private
directory.  Even if you know the path and filename you want, without an
accepted username/password, you're not getting the file.

> They might not be obvious, i.e. you would have to guess that there are
> files in a specific folder AND know the exact name of the file, but if
> you do happen to guess correctly, then the files are downloadable.
>
> There are ways to still have files in public folders and have a
> measure of extra protection, but that is up to your webserver, and not
> PHP.

Not true.  You can easily write PHP code to secure either certain areas,
or the entire web site.

> Use .htaccess to place a username/password on the folder, or better
> yet, you can use FTP, but then you place the files outside the
> webfolder. PHP has built-in FTP functions that would allow you to create
> a pretty secure system to give access to files.

FTP bad.  Friends don't let friends use FTP.  And this isn't a security
measure.  What's to stop me from bypassing your PHP code, and just
FTP'ing directly into your site?

Long of the short is, there are numerous ways to secure an area of your
site.  PHP, .htaccess, web server configuration, any combination of the
three.  However, the quickest, dirtiest, and most good enough for
government way would be .htaccess.

On Thu, 2003-07-17 at 15:58, Maria Garcia Suarez wrote:

> Hi there!
>
> I'm developing an application to which you can upload
> files. Right now the destination folder of those files
> is at /public_html/files which makes them visible from
> the internet.
>
> I thought of putting that ./files/ folder outside the
> ./public_html/ folder and make those files be only
> accessible via PHP pages (if the pages don't display
> a link to that folder there's no way to download the
> file). But is there any way to keep on having the
> ./files/ folder inside ./public_html/ and have those
> files protected? Right now to identify users
> (authenticate them) I use session variables... it
> should be a protection that could be used together
> with session variables.
>
> Thanks a lot.
>
> Kisses,
> Maria





--
By-Tor.com
It's all about the Rush
http://www.by-tor.com


Re: [PHP] Protecting files with PHP

2003-07-17 Thread Juan Nin
I need to do the same, and a .htaccess file would not suit the problem.
I need to do as yahoogroups does.

When you upload a file to the Files section, it sends by default an e-mail to
the group members with a link to the file.
When you click on the link, you're sent to a login page, and after logging in
you get the file.

How can you achieve this with PHP??
An .htaccess file would deny the access, or ask for a username/passwd at
HTTP Server level, and that is not the desired effect.

Thanks in advance,

Juan





Re: [PHP] Protecting files with PHP

2003-07-17 Thread Curt Zirzow
Maria Garcia Suarez [EMAIL PROTECTED] wrote:
> Hi there!
>
> I'm developing an application to which you can upload
> files. Right now the destination folder of those files
> is at /public_html/files which makes them visible from
> the internet.
>
> I thought of putting that ./files/ folder outside the
> ./public_html/ folder and make those files be only
> accessible via PHP pages (if the pages don't display
> a link to that folder there's no way to download the
> file). But is there any way to keep on having the
> ./files/ folder inside ./public_html/ and have those
> files protected? Right now to identify users
> (authenticate them) I use session variables... it
> should be a protection that could be used together
> with session variables.

(assuming you're using Apache)

You can use a .htaccess file to protect the files that are in your
public web tree. Although I would not suggest this method for a few
reasons:
  1. If the .htaccess somehow gets modified and changes the deny all
     rule, your files are open.
  2. You (or someone) change the Apache conf to not allow support for
     .htaccess (.htaccess slows web performance).
  3. Apache is recompiled without .htaccess support (again performance
     reasons).
  4. Your http process must have write permissions to your public web
     files. (I suppose a separate chmod would work but then again see
     next item.)
  5. Absent-mindedness.

I would suggest making the file storage location outside the web tree
and having a PHP script check permissions via your session variables and
then send the file. You might want to send a few headers with the file.

  Content-Type:
  Content-Length:


HTH,

Curt



Re: [PHP] Protecting files with PHP

2003-07-17 Thread Justin French
Read this -- it got me well and truly pointed in the right direction

http://zend.com/zend/trick/tricks-august-2001.php

Justin

On Friday, July 18, 2003, at 01:36  AM, Juan Nin wrote:

> I need to do the same, and a .htaccess file would not suit the problem.
> I need to do as yahoogroups does.
>
> When you upload a file to the Files section, it sends by default an e-mail to
> the group members with a link to the file.
> When you click on the link, you're sent to a login page, and after logging in
> you get the file.
>
> How can you achieve this with PHP??
> An .htaccess file would deny the access, or ask for a username/passwd at
> HTTP Server level, and that is not the desired effect.
>
> Thanks in advance,
>
> Juan



RE: [PHP] Protecting files in PHP

2002-10-01 Thread John W. Holmes

> I have some files off of the web root which I'd like to be able to serve up
> to users (*.doc, *.xls). I know I can do this with header(), but how do I
> reference a file that's outside of the webroot? Thanks!

You can use an absolute or relative path, just like any other reference.

Send the appropriate headers and then use readfile() to send the data.

---John Holmes...
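
Added example (not code from any poster in these threads): a download script of the kind Curt Zirzow and John Holmes describe, with files stored outside the web tree, a session check, the Content-Type and Content-Length headers, then readfile(); an unauthenticated request is sent to a login page first, as in Juan Nin's question. The storage path, `login.php`, the `file` parameter and the `user_id` / `wanted_file` session keys are assumptions.

```php
<?php
// Added example; every name marked "assumption" is not from the thread.
declare(strict_types=1);

const STORAGE_DIR = '/home/example/files'; // assumption: upload dir outside public_html

/** Map a requested name to a real file inside $baseDir, or null if it is not one. */
function resolve_download(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // basename() drops any directory part, so "../../etc/passwd" becomes "passwd".
    $path = realpath($base . DIRECTORY_SEPARATOR . basename($requested));
    if ($path === false || !is_file($path)) {
        return null;
    }
    // Defence in depth: a symlink inside the directory must not lead outside it.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

function serve_download(string $baseDir): void
{
    session_start();
    $requested = (string) ($_GET['file'] ?? '');   // assumption: ?file=name
    // Not logged in: remember what was asked for and go to the login page.
    if (empty($_SESSION['user_id'])) {             // assumption: set by login.php
        $_SESSION['wanted_file'] = $requested;
        header('Location: /login.php');            // assumption: login page URL
        exit;
    }
    // A per-user permission check on $requested belongs here (application-specific).
    $path = resolve_download($baseDir, $requested);
    if ($path === null) {
        http_response_code(404);
        exit('File not found');
    }
    $name = str_replace(['"', '\\', "\r", "\n"], '_', basename($path));
    header('Content-Type: application/octet-stream');
    header('Content-Length: ' . filesize($path));
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('X-Content-Type-Options: nosniff');
    readfile($path);
    exit;
}

if (PHP_SAPI !== 'cli') {
    serve_download(STORAGE_DIR);
}
```

After a successful login, the login page can redirect back to this script using the name saved in `$_SESSION['wanted_file']`.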


