Hey guys, I'm wanting to know if there is an easy way to prevent people accessing files through their url.. I have a login set up using php sessions and it works well for preventing people going to pages but if you put in a file's address it won't prevent you accessing it (as I can't have the file request sessions). I could use the cpanel's directory passwording (this works) but I prefer using the php login as I can customize it how I like.
No that won't work because I'm talking about putting in the url to the file and then having that file either opened or downloaded. I cannot put that code in the file..
Another common strategy is to put the files outside of the web root directory tree. Then either by doing that or using Dasher's suggestion, you then create a login-controlled file-server script as Criterion suggested. You call it with a file name or ID in the query string (the latter being perhaps better, as you can then validate it against a database where you get the actual file path-name). Then if the user is valid and the file is valid, set any desired content-type headers via header() (again, that might be in the DB) and the readfile() the selected file.
"Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
~ Terry Pratchett in Nation
Depending on how many files are involved I have used an array when the number of files is fairly low and a database when there are a lot of entries to manage.
// etc..
// ============== Get the ID from URL =============
// Url looks like http://www.mywebsite.com/?id=1
$my_file=$_GET['id']; // file id is an integer.
if ($my_file == "")
{
$my_file=0;
}
// ============= Load the correct file ===============
if (array_key_exists($my_file,$myfilearray)){
$result = include ($myfilearray[$my_file]); //include the file
if ($result != TRUE)
{
include("404.htm"); // on error load no file found.
}
}
//============================================
Reply With Quote
Bookmarks