
Secure a Dir


tobeyt23


Put the documents in a directory that is not publicly available and use PHP to deliver the documents to the user rather than providing them a direct link. What type of documents are they: pdf, doc, txt, ??? And, how do you maintain the document list: in a database, do you read the directory, hard-coded list, ???


Here is some sample code to get you pointed in the right direction. As I stated before, put the files in a directory that is not publicly available. I will assume that folder is one level up from the current working directory and it is called "secured_docs":

 

Page to display the links to the documents:

if($logged_in)
{
    //Query list of documents
    //(the mysql_* functions were removed in PHP 7.0; use mysqli or PDO on current versions)
    $query = "SELECT id, name FROM documents ORDER BY name";
    $result = mysql_query($query);

    //Display links to download the documents
    echo "Here are the secured documents:<br />\n";
    echo "<ul>\n";
    while($result && ($doc = mysql_fetch_assoc($result)))
    {
        //Escape the values before writing them into the HTML
        $id   = (int) $doc['id'];
        $name = htmlspecialchars($doc['name'], ENT_QUOTES);
        echo "<li><a href=\"download_doc.php?id={$id}\" target=\"_blank\">{$name}</a><br /></li>\n";
    }
    echo "</ul>\n";
}

 

Page to download the documents from secured location (download_doc.php)

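if($logged_in && isset($_GET['id']))
{
    //Query for selected document
    $docID = (int) $_GET['id'];
    $query = "SELECT name FROM documents WHERE id = {$docID}";
    $result = mysql_query($query);

    if($result && mysql_num_rows($result)!==0)
    {
        $document = mysql_fetch_assoc($result);
        //Build the path inside the non-public folder;
        //basename() strips any directory part from the stored name
        $file = '../secured_docs/' . basename($document['name']);
        //Include function to download files
        include('downloadFunction.php');
        //Download the document
        output_file($file, true);
    }
}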

 

Here is the function to download the files. I had this lying around which I picked up somewhere and have made changes to (downloadFunction.php)

function output_file($file, $download=false, $name=false, $mime_type=false) {
    /*
    This function takes a path to a file to output ($file),
    whether to force a download ($download, optional),
    the filename that the browser will see ($name, optional) and
    the MIME type of the file ($mime_type, optional).

    If you want to do something on download abort/finish,
    register_shutdown_function('function_name');
    */
    if(!is_file($file) || !is_readable($file)) die('File not found or inaccessible!');

    /* Figure out the MIME type (if not specified) */
    $mime_types=array(
        'pdf'  => 'application/pdf',
        'txt'  => 'text/plain',
        'html' => 'text/html',
        'htm'  => 'text/html',
        'exe'  => 'application/octet-stream',
        'zip'  => 'application/zip',
        'doc'  => 'application/msword',
        'xls'  => 'application/vnd.ms-excel',
        'ppt'  => 'application/vnd.ms-powerpoint',
        'gif'  => 'image/gif',
        'png'  => 'image/png',
        'jpeg' => 'image/jpeg',
        'jpg'  => 'image/jpeg',
        'php'  => 'text/plain',
        'rtf'  => 'application/rtf'
    );

    $size = filesize($file);
    $output_name = ($name) ? rawurldecode($name) : rawurldecode(basename($file));
    //Keep quotes, backslashes and control characters out of the header value
    $output_name = preg_replace('/[\x00-\x1F\x7F"\\\\]/', '_', $output_name);

    $file_ext = strtolower(pathinfo($file, PATHINFO_EXTENSION));
    if(!$mime_type)
    {
        $mime_type = (isset($mime_types[$file_ext])) ? $mime_types[$file_ext] : 'application/octet-stream';
    }

    @ob_end_clean(); //turn off output buffering to decrease cpu usage

    // required for IE, otherwise Content-Disposition may be ignored
    if(ini_get("zlib.output_compression")) { ini_set("zlib.output_compression", "Off"); }

    header("Content-Type: {$mime_type}");
    if ($download)
    {
        //Force download
        header("Content-Disposition: attachment; filename=\"{$output_name}\"");
    }
    header('Content-Transfer-Encoding: binary');
    header('Accept-Ranges: bytes');

    /* These three lines basically make the download non-cacheable */
    header('Cache-control: private');
    header('Pragma: private');
    header('Expires: Mon, 26 Jul 1997 05:00:00 GMT');

    // multipart-download and download resuming support
    $range = 0;
    if(isset($_SERVER['HTTP_RANGE']) && strpos($_SERVER['HTTP_RANGE'], '=') !== false)
    {
        list($a, $range) = explode('=', $_SERVER['HTTP_RANGE'], 2);
        list($range) = explode(',', $range, 2);
        //array_pad() covers a header value without a "-"
        list($range, $range_end) = array_pad(explode('-', $range, 2), 2, '');
        $range = intval($range);
        $range_end = ($range_end === '') ? ($size-1) : min(intval($range_end), $size-1);

        //Reject ranges that fall outside the file
        if($range < 0 || $range > $range_end)
        {
            header("HTTP/1.1 416 Requested Range Not Satisfiable");
            header("Content-Range: bytes */$size");
            die();
        }

        $new_length = ($range_end-$range+1);
        header("HTTP/1.1 206 Partial Content");
        header("Content-Length: $new_length");
        header("Content-Range: bytes $range-$range_end/$size");
    }
    else
    {
        $new_length = $size;
        header("Content-Length: $size");
    }

    /* output the file itself */
    $chunksize = 1*(1024*1024); //you may want to change this
    $bytes_send = 0;
    if ($handle = fopen($file, 'rb'))
    {
        if($range > 0) { fseek($handle, $range); }

        while(!feof($handle) && (!connection_aborted()) && ($bytes_send<$new_length) )
        {
            //Never read past the end of the requested range
            $buffer = fread($handle, min($chunksize, $new_length-$bytes_send));
            print($buffer); //echo($buffer); // is also possible
            flush();
            $bytes_send += strlen($buffer);
        }
        fclose($handle);
        die();
    }

    //Could not open the file
    die('Error - can not open file.');
}

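Added example, not part of the original posts: the download page has to turn the document name stored in the database into a path under secured_docs, and that path should be confirmed to stay inside the folder before it is handed to output_file(). The sketch below does that with realpath(); resolve_secured_doc() is a hypothetical helper, and the directory tree and file names in the demo are constructed.

```php
<?php
// Added example, not code from the thread. resolve_secured_doc() is a
// hypothetical helper; the demo tree below is constructed in a temp folder.

/**
 * Return the absolute path of $name inside $baseDir, or null when the name
 * does not resolve to a regular, readable file within that directory.
 */
function resolve_secured_doc(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks, and returns false when
    // the target does not exist.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || !is_file($path) || !is_readable($path)) {
        return null;
    }
    // The resolved path must still sit under the base directory. The trailing
    // separator stops "secured_docs_old" from matching "secured_docs".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo tree: the served folder, a sibling folder, a file above both.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'secure_dir_demo_' . getmypid();
mkdir($root . '/secured_docs', 0700, true);
mkdir($root . '/secured_docs_old', 0700, true);
$files = [
    $root . '/secured_docs/report.pdf',
    $root . '/secured_docs_old/old.pdf',
    $root . '/config.php',
];
foreach ($files as $f) {
    file_put_contents($f, 'constructed sample');
}

// Names as they might come back from the documents table (constructed values).
$names = ['report.pdf', '../config.php', '../secured_docs_old/old.pdf',
          '/etc/passwd', 'missing.pdf', '.'];
foreach ($names as $name) {
    $resolved = resolve_secured_doc($root . '/secured_docs', $name);
    printf("%-30s %s\n", $name, $resolved === null ? 'rejected' : 'served from ' . $resolved);
}

// Remove the constructed tree again.
array_map('unlink', $files);
array_map('rmdir', [$root . '/secured_docs', $root . '/secured_docs_old', $root]);
```

Only report.pdf resolves; every other name is rejected either because it leaves the folder or because it is not an existing regular file.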

Archived

This topic is now archived and is closed to further replies.
