
Security: PHP and PDFs

Hello!

I am trying to create a members only area on a website. I’m using PHP to log them in. I have a page that contains links to PDF documents stored in another directory. When they are logged in, the links appear. Otherwise they get a limited number of other links.

What I need to know is how do I prevent people from bypassing the page of links and going directly to the PDF. I can’t use .htaccess to password protect the directory because I have hundreds of users that are constantly expanding and changing.

Is there a way to allow linking to a file in a directory but not direct access to the files in the directory? I have seen a way to do this with htaccess and allowing only requests with referrers I choose, but this doesn’t work on IE and I have limited control on the hosting server.

Is my only solution to convert all the PDFs to html then protect them with php?

Thanks for the help!!


7 Comment(s)

@AdamGundry, May 14.2004 — PHP can serve any filetype, not just plain HTML. Here's how you send a PDF:

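[code=php]<?php
// Send the PDF through PHP so the original file location stays hidden
$pdfFile = 'myfile.pdf';
header('Content-Type: application/pdf');
header('Content-Length: ' . filesize($pdfFile));
header('Content-Disposition: inline'); // display in the browser instead of downloading
readfile($pdfFile);[/code]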


That way you can use your PHP login code and keep the original PDF hidden.

Adam
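
One way to combine the login check with the file-serving approach from the answer above, as an added example that is not part of the original post. It assumes the login code sets `$_SESSION['user_id']`, that the PDFs sit in a directory outside the web root (`PDF_DIR` is a placeholder path), and that the members page links to this script as `download.php?file=name.pdf`; all of these names are hypothetical.

```php
<?php
declare(strict_types=1);
// Added example: download gate, saved for instance as download.php (hypothetical name).
// Assumptions: the login code sets $_SESSION['user_id'] (hypothetical key) and the
// PDFs are stored outside the web root, so they have no direct URL at all.
const PDF_DIR = '/var/www/private/pdfs'; // placeholder path, not web-accessible

/** Map a requested name to a real file inside $baseDir, or return null. */
function resolve_pdf(string $requested, string $baseDir): ?string
{
    // Accept only a plain file name ending in .pdf: no slashes, no directory parts.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,99}\.pdf\z/', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    // realpath() resolves symlinks; confirm the result is still under $base.
    if ($base === false || $path === false || !is_file($path)
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

session_start();
if (empty($_SESSION['user_id'])) { // not logged in: refuse before touching any file
    http_response_code(403);
    exit('Login required.');
}

$name = $_GET['file'] ?? '';
$path = is_string($name) ? resolve_pdf($name, PDF_DIR) : null;
if ($path === null) {
    http_response_code(404);
    exit('No such document.');
}

header('Content-Type: application/pdf');
header('Content-Length: ' . filesize($path));
header('Content-Disposition: inline; filename="' . basename($path) . '"');
header('X-Content-Type-Options: nosniff'); // stop the browser guessing another type
header('Cache-Control: private');          // keep member documents out of shared caches
readfile($path);
exit;
```

Because the session check runs on every request for a document, hiding the links from logged-out visitors is no longer what protects the files.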
@sherri (author), May 14.2004 — Hmm... thanks.. I'll give that a try!
@sherri (author), May 17.2004 — It doesn't seem to work in IE. I've also tried:

[code=php]<?php
$pdfFile = 'myfile.pdf';

// Caching headers
header("Pragma: public");
header("Expires: 0"); // set expiration time
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");

// Content headers
header('Content-Type: application/pdf');
header("Accept-Ranges: bytes");
header('Content-Length: ' . filesize($pdfFile));
header("Content-Disposition: inline; filename=$pdfFile");
header("Content-Transfer-Encoding: binary");

// Read the whole file into memory and send it
$fp = fopen($pdfFile, 'rb');
$pdf_buffer = fread($fp, filesize($pdfFile));
fclose($fp);
echo($pdf_buffer);
exit();
?>[/code]
@AdamGundry, May 17.2004 — What do you mean by "it doesn't seem to work in IE"? I haven't had any problems.

Adam
@sherri (author), May 17.2004 — If I use the code you provided... I just get a bunch of gibberish displayed in the browser.. not the actual pdf.

If I use the other code... It displays nothing.

Hmm...
@AdamGundry, May 17.2004 — Just found this in the [url=http://www.php.net/header]PHP manual[/url] (it refers to similar code for forcing a PDF download):

[quote]Note: There is a bug in Microsoft Internet Explorer 4.01 that prevents this from working. There is no workaround. There is also a bug in Microsoft Internet Explorer 5.5 that interferes with this, which can be resolved by upgrading to Service Pack 2 or later.[/quote]

I'm not sure what the best workaround is. You might be able to use .htaccess to force a PDF filename to parse as a PHP script, thereby avoiding the IE bug.

Adam
@sherri (author), May 17.2004 — I'm using version 6.0.


Thanks for the suggestions! I'll look into it further.