Hey guys, I'm wanting to know if there is an easy way to prevent people accessing files through their url.. I have a login set up using php sessions and it works well for preventing people going to pages but if you put in a file's address it won't prevent you accessing it (as I can't have the file request sessions). I could use the cpanel's directory passwording (this works) but I prefer using the php login as I can customize it how I like.
Another common strategy is to put the files outside of the web root directory tree. Then either by doing that or using Dasher's suggestion, you then create a login-controlled file-server script as Criterion suggested. You call it with a file name or ID in the query string (the latter being perhaps better, as you can then validate it against a database where you get the actual file path-name). Then if the user is valid and the file is valid, set any desired content-type headers via header() (again, that might be in the DB) and the readfile() the selected file.
"Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
~ Terry Pratchett in Nation
// ============== Get the ID from URL =============
// Url looks like http://www.mywebsite.com/?id=1
$my_file=$_GET['id']; // file id is an integer.
if ($my_file == "")
// ============= Load the correct file ===============
$result = include ($myfilearray[$my_file]); //include the file
if ($result != TRUE)
include("404.htm"); // on error load no file found.