Hi,
I just wondered if it would be possible to password protect say an xls or doc file (Excel & Word) in PHP? I know I can use .htaccess, but I'd like to know if there is a way to avoid that.

Also, I wonder if it is possible to access a folder one level above the root? For example if the root is se/public_html/ , would se/test/files.php be accessable? Perhaps not from the web, but would a PHP script in the root be able to access it?

You seem to have answered your own question :)

You can protect non php documents with php provided they are not in the web root (or more correctly not accesible via the web server) . If the browser can call the document directly from the webserver then the protection has to be by the webserver, but if the files are in a safe directory where they cannot be loaded directly by the browser (e.g. above the web root) then you can allow users to download them only by going through a PHP script.

To confirm then the answer to the last part is yes, your PHP script can access files anywhere on the server provided it has permissions to do so. This will depend on your server setup but many decent hosting accounts will give you a home directory a level above the public_html directory which is the web root. Set up a directory there with the docs in and your PHP script can open them, read them in and squirt them out to the browser (can be done in as little as one call depending on oyur exact requirements).

HTH,

Dai

I'm afraid I didn't exactly answer my own question. I wanted to know if I can password protect files other than PHP files. I knew that if I put files out of reach for most anyone, they should be pretty safe. This is what I was thinking:
I protect PHP files by putting these lines at the top of the protected files (and a script then checks for authentication):

<?php
header("Cache-Control: no-store, no-cache, must-revalidate"); // HTTP/1.1
header("Pragma: no-cache"); // HTTP/1.0

if (file_exists ("../../auth.php")){
include_once ("../../auth.php");
include_once ("../../authconfig.php");
include_once ("../../check.php");
}else{
if (!headers_sent()) {
header ('Location: $login');
exit;
}
}
if (isset($_GET['id'])){
$ID=$_GET['id'];
}else{
$ID="start";
}
?>

Obviously, I can't just add these lines to a spreadsheet (or can I?) and rename the file to *.xls.php (yes, it would still open in Excel with that new name). So, is there another way? Can such files be opened and presented with a PHP script if they are put in a dir above public_html?

Can files above public_html be accessed by using relative references, or do one have to use the absolute path?

Regards from Bjørn (pronounced bj-earn as in earn money, US accent)

yes, the way you do it is to have a php script which includes your standard PHP authentication, then it reads the contents of the safe directory and displays it as a set of links to itself with the filename as a parameter (for example). When they click one of the links (say for example the one for "file.xls") your script opens the file "file.xls" from the safe directory and sends the content to the browser in the same way as if they had opened it directly.

Because they can only get the file through your PHP script and beause your PHP script is protected by your authentication code, the file is also protected.

Dai

:D Thank you, Sir! Now I have something to do in the weekend (just kiddin' ;) ) Just what I wanted.

There's still that other thing, though, about relative vs. absolute reference? I would guess that I have to use the absolute path in the script that reads the safe dir?

Regards
Bjørn

I am not 100% certain but I think you should be able to use relative paths in most of the calls you will use, though I could be wrong. Certainly absolute paths will work and it is easy enough to find the absolute path of the current script.

I know I'm a bit late, but I just want to tie up a loose end here.
It is possible to access files in directories above the web root by using relative paths.
It has to be done in the script, though, just entering domain.com/index.php?dir=../filename in the browser wont work. Inside the script it will work fine.