
Prevent linking directly to files..

Hey guys, I’m wanting to know if there is an easy way to prevent people accessing files through their url.. I have a login set up using php sessions and it works well for preventing people going to pages but if you put in a file’s address it won’t prevent you accessing it (as I can’t have the file request sessions). I could use the cpanel’s directory passwording (this works) but I prefer using the php login as I can customize it how I like.

any help/suggestions appreciated,

cheers bob

PHP

7 Comment(s)

@kingdm Nov 30.2010 — Hi.

If I understand your concern correctly, I suggest that you enclose the script in an if-else statement. Example:

[code=php]
<?php
session_start();

// 'test_var' is a session variable set by your other pages (e.g. at login)
if (isset($_SESSION['test_var'])) {
    // your page script here
}
else {
    // redirect to an error page
    header('Location: error_page.php');
    exit;
}
?>
[/code]
@lilfellabob (author) Nov 30.2010 — No that won't work because I'm talking about putting in the url to the file and then having that file either opened or downloaded. I cannot put that code in the file..
@criterion9 Nov 30.2010 — Most people use a script to serve the files so they can still use session variables. file_get_contents is a popular choice for this.
@Dasher Nov 30.2010 — You can use .htaccess to prevent files or directories from being accessed directly:

[CODE]
# Deny direct HTTP access to files with these extensions (Apache 2.2 syntax)
<FilesMatch "\.(htaccess|htpasswd|ini|phps|fla|psd|log|sh)$">
Order Allow,Deny
Deny from all
</FilesMatch>
[/CODE]
@NogDog Nov 30.2010 — Another common strategy is to put the files outside of the web root directory tree. Then either by doing that or using Dasher's suggestion, you then create a login-controlled file-server script as Criterion suggested. You call it with a file name or ID in the query string (the latter being perhaps better, as you can then validate it against a database where you get the actual file path-name). Then if the user is valid and the file is valid, set any desired content-type headers via header() (again, that might be in the DB) and then readfile() the selected file.
@Dasher Nov 30.2010 — Depending on how many files are involved I have used an array when the number of files is fairly low and a database when there are a lot of entries to manage.

[code=php]
// The array: ID => file name. Only files listed here can ever be loaded.
$myfilearray = array (
    0 => '1001.htm',
    1 => '1002.htm'
);

// etc..
// ============== Get the ID from URL =============

// Url looks like http://www.mywebsite.com/?id=1

// file id is an integer; default to 0 when it is missing or empty.
$my_file = (isset($_GET['id']) && is_string($_GET['id']) && $_GET['id'] !== '') ? $_GET['id'] : 0;

// ============= Load the correct file ===============
if (array_key_exists($my_file, $myfilearray)) {
    $result = include ($myfilearray[$my_file]); //include the file
    if ($result != TRUE)
    {
        include("404.htm"); // on error load no file found.
    }
} else {
    include("404.htm"); // unknown ID: load no file found.
}
//============================================
[/code]
@lilfellabob (author) Dec 01.2010 — alright sweet, that sounds like what I need, thanks criterion9/Dasher!