RE: [PHP] How Do You Protect Individual Files

2002-08-21 Thread Roger Lewis


On Wednesday 21 August 2002 10:54, Roger Lewis wrote:

 I did, but like I said, I couldn't find much.  Maybe I wasn't using the
 correct key words.  There is a lot about protecting php and html files but
 not much on other, non-php files in external directories.  There is some
 discussion about .htaccess, but I know nothing about this.  Is that the way
 to do it, or can it be done with php.


Justin French, Tuesday, August 20, 2002 10:40 PM

 In real short, you want to store the files outside your htdocs root (so they
 can't be served by http), OR restrict them from being served by using a
 htaccess file (try an apache list, the apache site, or your ISP sys admin).

 Then, you want to serve those files THROUGH a PHP script.  Usually these
 scripts will:

 - authenticate a user
 - set the right mime-type header for the file type using header()
 - parse the requested file through the PHP script to the browser

 There were a few recent threads on this... search for the following subject
 lines in the archives:

 - Authenticate files downloads
 - secure files acess

 Finally, there is a decent script/article/tutorial on the Zend site (another
 place you should have looked), which is the basis for my code at the moment.

 http://www.zend.com/zend/trick/tricks-august-2001.php

Well, I originally searched for protect file downloads.  I also searched
protect individual files, protect files, authenticate files, and on
and on.  There are thousands of messages, but very few with relevant titles
or content.  One point to consider: I have no control over the files
themselves.  They are being uploaded to the document directories by end
users, so I do not know the file names.  What I am trying to do is prevent
someone who knows the path to the file from being able to gain access to it
without authorization.
One of the best ideas I saw was to put the files outside the web root
directory.  That sounded pretty good until I discovered that then I couldn't
access the files.  Now you've again pointed out that solution, so I'm sure
it will work.  I've just got to study up on the subject.
I ran across the Zend article a couple of weeks ago, but it's going to take
me awhile to understand it.  I'm pretty new at this game, and my programming
skills are very limited.

I'm going to research .htaccess also.
Thanks
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php






Re: [PHP] How Do You Protect Individual Files

2002-08-21 Thread Justin French

on 22/08/02 2:15 AM, Roger Lewis ([EMAIL PROTECTED]) wrote:

 Well, I originally searched for protect file downloads.  I also searched
 protect individual files, protect files, authenticate files, and on
 and on.  There are thousands of messages, but very few with relevant titles
 or content.

I was giving you exact subject lines from threads, not suggested search
terms.  And I also advised that they were VERY recent threads.


 One point to consider: I have no control over the files
 themselves.  They are being uploaded to the document directories by end
 users, so I do not know the file names.

That's fine.  There's plenty of code for file uploading, including the PHP
manual which has a full example.  When you move_uploaded_file(), you need to
move it to the target directory of restricted download files.


 What I am trying to do is prevent
 someone who knows the path to the file from being able to gain access to it
 without authorization.

I understand what you're trying to achieve, and it IS asked on here weekly.

Sigh, again, here's the components you need:

1. an authorisation/session/user system of some form, based on PHP... in
other words, I login via a PHP script, and then I walk around your site as a
validated user.

2. a file storage method which enables you to store files in your disc
hierarchy, but does not allow the files to be DIRECTLY served via HTTP.

the two methods for this are:
a) store your files ABOVE your web document root

b) store your files within (below) your document root, and prevent them from
being served by the use of a htaccess file.

for this, place a file named .htaccess in the directory you want to protect
(eg mydocroot/mp3/) with something like this in it:

<Files ~ "\.inc$">
Order Allow,Deny
Deny from all
</Files>

the above code prevents all *.inc files from being served via HTTP.
Changing \.inc$ to \.mp3$ would refuse serving of all MP3 files.

I'm NOT an apache geek at all, but my guess is that

<Files ~ ".*">
Order Allow,Deny
Deny from all
</Files>

Will refuse all files within the dir you place the .htaccess file.


3. you need a script which checks for a validated user, offers a range of
files that can be downloaded, then when you click on one, checks you're a
valid user, sets the correct mime-type, and parses the file through the php
script to your browser.

All of this is available in the Zend article I posted:
 http://www.zend.com/zend/trick/tricks-august-2001.php


So, now you should have everything you need.


Justin French
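
The three components listed in the message above (a PHP login session, storage that Apache will not serve directly, and a pass-through download script), shown as an added example; it is not code from the thread or from the Zend article. The storage path, the "file" query parameter and the "user_id" session key are assumptions.

```php
<?php
// download.php - added example, not code from the thread or the Zend article.
// Assumptions: uploads live in STORAGE_DIR outside the document root, and the
// login script sets $_SESSION['user_id'] (both names are hypothetical).
declare(strict_types=1);

const STORAGE_DIR = '/var/www/private_uploads';   // hypothetical path, not under htdocs

/** Map a client-supplied name to a real file directly inside $base, or null. */
function resolve_download(string $base, string $requested): ?string
{
    // basename() drops any directory part, so "../../etc/passwd" becomes "passwd".
    $name = basename($requested);
    if ($name === '' || $name[0] === '.') {
        return null;                               // no dotfiles such as .htaccess
    }
    $root = realpath($base);
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    // realpath() follows symlinks; the result must still sit directly in $root.
    if ($root === false || $path === false || dirname($path) !== $root || !is_file($path)) {
        return null;
    }
    return $path;
}

session_start();
if (empty($_SESSION['user_id'])) {                 // component 1: validated user only
    http_response_code(403);
    exit('Not authorised');
}

$path = resolve_download(STORAGE_DIR, (string) ($_GET['file'] ?? ''));
if ($path === null) {
    http_response_code(404);
    exit('No such file');
}

// Component 3: set the MIME type, then pass the file through PHP to the browser.
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($path) ?: 'application/octet-stream';
header('Content-Type: ' . $mime);
header('X-Content-Type-Options: nosniff');         // uploads are user-supplied content
header('Content-Length: ' . (string) filesize($path));
header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode(basename($path)));
readfile($path);
```

A per-file access-level check, where one is needed, belongs between the session check and the call to resolve_download().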






RE: [PHP] How Do You Protect Individual Files

2002-08-21 Thread Roger Lewis

Justin,

Thanks again.  I've been doing some more research on .htaccess.  The problem
I see is that it is high maintenance, i.e. I've already got a MySQL table of
users with username and password.  To use .htaccess, you have to have a
htpasswd file containing duplicate usernames and passwords, and this would
have to be in sync with the MySQL table.

I have found that there is an Apache module, mod_auth_mysql, that allows
.htaccess to access a MySQL database for the information it needs.  This
module is available at
http://www.diegonet.com/support/mod_auth_mysql.shtml.  Problem is you have
to install the mod and recompile Apache, I think.  And I don't know how to
do that yet.  However, if everything works in accordance with my
interpretation, you should be able to put an .htaccess file into the
directory you wish to protect and Mod_auth_mysql will communicate with the
database to authenticate the users.

Roger






Re: [PHP] How Do You Protect Individual Files

2002-08-21 Thread Justin French

on 22/08/02 1:10 PM, Roger Lewis ([EMAIL PROTECTED]) wrote:

 Justin,
 
 Thanks again.  I've been doing some more research on .htaccess.  The problem
 I see is that it is high maintenance, i.e. I've already got a MySQL table of
 users with username and password.  To use .htaccess, you have to have a
 htpasswd file containing duplicate usernames and passwords, and this would
 have to be in sync with the MySQL table.

NO.  All the .htaccess file would do in this case is prevent the files from
being served over http AT ALL.  Instead, the files are served THROUGH a PHP
script which checks for authenticated user first.


 I have found that there is an Apache module, mod_auth_mysql, that allows
 .htaccess to access a MySQL database for the information it needs.  This
 module is available at
 http://www.diegonet.com/support/mod_auth_mysql.shtml.  Problem is you have
 to install the mod and recompile Apache, I think.  And I don't know how to
 do that yet.  However, if everything works in accordance with my
 interpretation, you should be able to put an .htaccess file into the
 directory you wish to protect and Mod_auth_mysql will communicate with the
 database to authenticate the users.

You don't need anything more than a standard Apache, PHP and MySQL install.

Read my last email again, and again, and again.  It (hopefully) clearly sets
out what you need, and how each part interacts.  I don't know how to be much
clearer, without doing it for you (which I can do, at a cost :))


Justin French






Re: [PHP] How Do You Protect Individual Files

2002-08-20 Thread Jason Wong

On Wednesday 21 August 2002 08:59, Roger Lewis wrote:
 I haven't been able to find much on this subject in the archives.

 Using sessions I have been able to have the server validate the user's
 access level before serving him a page.   I put include files on each page
 that I want authenticated.  This is all well and good, except on my pages
 there are links to non-html, and non-php files that are stored in document
 directories on the server.

 How, on a file-by-file basis, do I ensure that the user is authorized to
 download these files?  If he gets to them through the link I provide, this
 is acceptable because he is already authorized to view the page that the
 link is on.  However, if he somehow knows the full path to the file, he can
 get to it directly, bypassing the link and overriding the authentication
 system.

Try searching the archives. It has been discussed many times before.

-- 
Jason Wong - Gremlins Associates - www.gremlins.com.hk
Open Source Software Systems Integrators
* Web Design  Hosting * Internet  Intranet Applications Development *

/*
Dealing with the problem of pure staff accumulation,
all our researches ... point to an average increase of 5.75% per year.
-- C.N. Parkinson
*/






RE: [PHP] How Do You Protect Individual Files

2002-08-20 Thread Roger Lewis



On Wednesday 21 August 2002 08:59, Roger Lewis wrote:
 I haven't been able to find much on this subject in the archives.

 Using sessions I have been able to have the server validate the user's
 access level before serving him a page.   I put include files on each page
 that I want authenticated.  This is all well and good, except on my pages
 there are links to non-html, and non-php files that are stored in document
 directories on the server.

 How, on a file-by-file basis, do I ensure that the user is authorized to
 download these files?  If he gets to them through the link I provide, this
 is acceptable because he is already authorized to view the page that the
 link is on.  However, if he somehow knows the full path to the file, he can
 get to it directly, bypassing the link and overriding the authentication
 system.


On Tuesday, August 20, 2002 7:24 PM, Jason Wong wrote:
  Try searching the archives. It has been discussed many times before.


Jason,
I did, but like I said, I couldn't find much.  Maybe I wasn't using the
correct key words.  There is a lot about protecting php and html files but
not much on other, non-php files in external directories.  There is some
discussion about .htaccess, but I know nothing about this.  Is that the way
to do it, or can it be done with php.
Roger







Re: [PHP] How Do You Protect Individual Files

2002-08-20 Thread Jason Wong

On Wednesday 21 August 2002 10:54, Roger Lewis wrote:

 I did, but like I said, I couldn't find much.  Maybe I wasn't using the
 correct key words.  There is a lot about protecting php and html files but
 not much on other, non-php files in external directories.  There is some
 discussion about .htaccess, but I know nothing about this.  Is that the way
 to do it, or can it be done with php.

Try protect file download or something along those lines.

-- 
Jason Wong - Gremlins Associates - www.gremlins.com.hk
Open Source Software Systems Integrators
* Web Design  Hosting * Internet  Intranet Applications Development *

/*
Don't make a big deal out of everything; just deal with everything.
*/






Re: [PHP] How Do You Protect Individual Files

2002-08-20 Thread Justin French

On Wednesday 21 August 2002 10:54, Roger Lewis wrote:

 I did, but like I said, I couldn't find much.  Maybe I wasn't using the
 correct key words.  There is a lot about protecting php and html files but
 not much on other, non-php files in external directories.  There is some
 discussion about .htaccess, but I know nothing about this.  Is that the way
 to do it, or can it be done with php.


In real short, you want to store the files outside your htdocs root (so they
can't be served by http), OR restrict them from being served by using a
htaccess file (try an apache list, the apache site, or your ISP sys admin).

Then, you want to serve those files THROUGH a PHP script.  Usually these
scripts will:

- authenticate a user
- set the right mime-type header for the file type using header()
- parse the requested file through the PHP script to the browser



There were a few recent threads on this... search for the following subject
lines in the archives:

- Authenticate files downloads
- secure files acess


Finally, there is a decent script/article/tutorial on the Zend site (another
place you should have looked), which is the basis for my code at the moment.

http://www.zend.com/zend/trick/tricks-august-2001.php



Justin French

