Reply to Re: PHP downloading files


Posted by J.O. Aho on 11/23/06 13:19

Micko wrote:
> I want to write a script that doesn't let anybody download file but only
> the logged in users. I wrote a script for downloading the files but it
> still lets someone enter a URL and download it.
> Example:
> My file is www.server.com/uploads/bla.txt
> The logged user gets it through www.server.com/download.php?file=bla.txt
> But someone can still download it by typing in the URL
>
> Can this be forbidden, maybe with chmod for reading and only allow
> reading and not users it for server or maybe during the download?
>
> How to solve this?

You need to place those downloadable files outside the server accessible
directories (if using Apache server, you may have the possibility to limit
access with .htaccess)

HomeDirectory
- Public_HTML
- Download_Files

Assume your account directory is one step closer to the root than your
directory with all the html/php pages.
Now you create a download script, which does

1. check that the user is allowed to download
2. that the file that is asked for is placed in Download_Files
3. see to it that the output buffer isn't used, ob_end_flush() is a good one
4. send proper file headers for the file to be sent header()
5. send the file data, you can use readfile() or fpassthru()

Don't try to make any HTML data in the script, let's just call it sendfile.php

Then you can call the script with
http://www.example.net/sendfile.php?filename=something.jpg

If the person is logged in, and there is such a file (you have to be careful
with paths, there are people who may try your script to access other files on
your system too, so filter away all directory changes like '../' from the
filename) then the person gets the file, if not, then nothing should be sent.


//Aho
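
The five steps from the reply above put together as one sendfile.php, as an added example that is not part of the original post. The `$_SESSION['user_id']` login marker and the location of Download_Files relative to the script are assumptions; the path filtering uses basename() plus a realpath() containment check instead of stripping '../' from the string, and buffers are discarded with ob_end_clean() so no stray output precedes the file.

```php
<?php
// sendfile.php: added example, not the poster's code.
declare(strict_types=1);
session_start();
// Assumption: layout from the post, Download_Files beside Public_HTML.
const DOWNLOAD_DIR = __DIR__ . '/../Download_Files';

// Map a requested name to a real file inside $baseDir, or null.
function resolve_download(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // basename() drops every directory component, including '../'.
    $path = realpath($base . DIRECTORY_SEPARATOR . basename($requested));
    // realpath() follows symlinks, so confirm the result is still under $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || !is_file($path) || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// 1. Logged-in users only ('user_id' is an assumed key set by the login code).
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit;
}

// 2. The file must resolve to something inside Download_Files.
$name = $_GET['filename'] ?? '';
$path = is_string($name) ? resolve_download(DOWNLOAD_DIR, $name) : null;
if ($path === null) {
    http_response_code(404);
    exit;
}

// 3. Drop any open output buffers so only the file bytes go out.
while (ob_get_level() > 0) {
    ob_end_clean();
}

// 4. Headers; the name is reduced to a safe character set before use.
$safe = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $safe . '"');
header('Content-Length: ' . filesize($path));
// 5. Send the file data.
readfile($path);
```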
