Thread: Protect uploaded files from non members

  1. #1
    Join Date
    Jan 2007
    Posts
    629
    Thanks
    10
    Thanked 28 Times in 28 Posts

    Default Protect uploaded files from non members

    Once a file is uploaded to my server, I need to make it so that no one can view it unless they are logged in via PHP's SESSION function. I am open to any and all suggestions as to accomplishing this. Some things I was thinking about:

    1. Using a script (if there is a way; I am leaning away from .htaccess for this)
    2. Splitting the file and storing it as halves, then putting it together for output (if possible)
    3. Encrypting the file and storing it, then unencrypting and outputting


    Any other ideas or information on one of those? The bottom line is that I want to prevent nonmembers from accessing content without bugging the users. It would also be nice if it processes quickly and the work is minimal.

    EDIT: One more point to ponder: different users will be able to view different things. (i.e. Joe Somebody can view video.MPEG, but not video2.MPEG)
    Last edited by Jas; 11-10-2007 at 04:54 AM.
    --Jas
    function GreatMinds(){ return "Think Like Jas"; }
    I'm gone for a while, but in the meantime: Try using my FTP script | Fight Bot Form Submissions

  2. #2
    Join Date
    Aug 2005
    Location
    Other Side of My Monitor
    Posts
    3,486
    Thanks
    5
    Thanked 105 Times in 104 Posts
    Blog Entries
    1

    Default

    One easy way is to set session variables.

    After the member logs in they are taken to a new page I assume, one that non members don't see. At the top of this page put:

    PHP Code:
    session_start();
    // Mark this session as belonging to a logged-in member
    $_SESSION['allowed'] = "yes";
    Then on the download page put this at the top:

    PHP Code:
    session_start();
    // Stop unless the login page set the flag for this session
    if (!isset($_SESSION['allowed']) || $_SESSION['allowed'] != "yes") die('Invalid download attempt');
    As for your EDIT: request, you should use .htaccess. You can protect individual files this way and .htaccess is the most secure method of protection right now (IMO).

    For more Ideas see this page
    {CWoT - Riddle } {OSTU - Psycho} {Invasion - Team}
    Follow Me on Twitter: @Negative_Chaos
    PHP Code:
    $result = mysql_query("SELECT finger FROM hand WHERE id=3");
    echo $result;

  3. #3
    Join Date
    Jan 2007
    Posts
    629
    Thanks
    10
    Thanked 28 Times in 28 Posts

    Default

    Thank you! I haven't had time to really read it-- I've just skimmed it-- but it looks like it's what I need. If nothing else, it'll help. Thanks!
    --Jas
    function GreatMinds(){ return "Think Like Jas"; }
    I'm gone for a while, but in the meantime: Try using my FTP script | Fight Bot Form Submissions

  4. #4
    Join Date
    Jan 2007
    Posts
    629
    Thanks
    10
    Thanked 28 Times in 28 Posts

    Default

    EDIT: Okay, so my question now is, will this work:
    Code:
    Order allow,Deny
    deny from all
    allow from 127.0.0.1
    I have a PHP script that will force the download, but will this allow only that script to access the files in question? (It will probably have to be changed to the hosting IP when the server goes online, right?) It appears to work, but I don't know if this is a good solution. What do you all think?
    Last edited by Jas; 11-11-2007 at 04:47 PM.
    --Jas
    function GreatMinds(){ return "Think Like Jas"; }
    I'm gone for a while, but in the meantime: Try using my FTP script | Fight Bot Form Submissions

  5. #5
    Join Date
    Sep 2006
    Location
    St. George, UT
    Posts
    2,769
    Thanks
    3
    Thanked 157 Times in 155 Posts

    Default

    You could probably use htaccess to prevent viewing of files in a directory, if that's an option for you.

    Hope this helps.
    "Computer games don't affect kids; I mean if Pac-Man affected us as kids, we'd all be running around in darkened rooms, munching magic pills and listening to repetitive electronic music." - Kristian Wilson, Nintendo, Inc, 1989
    TheUnlimitedHost | The Testing Site | Southern Utah Web Hosting and Design

  6. #6
    Join Date
    Jan 2007
    Posts
    629
    Thanks
    10
    Thanked 28 Times in 28 Posts

    Default

    Quote: Originally Posted by thetestingsite
    You could probably use htaccess to prevent viewing of files in a directory, if that's an option for you.

    Hope this helps.
    Thanks thetestingsite

    I've already done Options -index if that's what you mean. It's a great trick, but I am looking for a way to prevent people from getting to the file with an absolute URL-- whether a link or typed.
    --Jas
    function GreatMinds(){ return "Think Like Jas"; }
    I'm gone for a while, but in the meantime: Try using my FTP script | Fight Bot Form Submissions

  7. #7
    Join Date
    Aug 2005
    Location
    Other Side of My Monitor
    Posts
    3,486
    Thanks
    5
    Thanked 105 Times in 104 Posts
    Blog Entries
    1

    Default

    Okay, two different things here. PHP scripting and .htaccess are not the same thing. Your order Deny function is an .htaccess module. It goes in a file named .htaccess somewhere, usually at the /root of your server.

    PHP scripting will go on the pages. .htaccess is the most secure method of securing files, and it will work like this:

    The best way to secure content on your website is to use .htaccess/.htpasswd protection. This will password protect any directory and all directories below. You will need to create a .htaccess file which you put in the directory you want to protect. You will also need to create a .htpasswd file which you will put out of reach (see tip on Securing Your Package). The .htaccess file should contain the following:

    AuthUserFile /full_unix_path_to_your_file/.htpasswd
    AuthName "Any Name You Want"
    AuthType Basic
    require user username

    Where username is the name of the user specified in the .htpasswd file.
    You can also make that last line
    require valid-user
    to accept any user specified in the .htpasswd file.

    You can also limit the password protection. For example put the .htaccess code inside these tags
    <files file.ext>
    htaccess protection code goes here
    </files>
    to limit the password protection to just the file "file.ext".

    The .htpasswd file should generally be put at your ftp root (above the public directory). It is in the form:

    user:encrypted password

    The best way to create these files is using notepad (for example create htaccess.txt in notepad), then upload, then rename on the server (.htaccess).
    {CWoT - Riddle } {OSTU - Psycho} {Invasion - Team}
    Follow Me on Twitter: @Negative_Chaos
    PHP Code:
    $result = mysql_query("SELECT finger FROM hand WHERE id=3");
    echo $result;

  8. #8
    Join Date
    Jan 2007
    Posts
    629
    Thanks
    10
    Thanked 28 Times in 28 Posts

    Default

    Sorry! I meant that I was using PHP AND .htaccess. I was wondering if this .htaccess would work with a DLing PHP script that I already have.

    The PHP script uses headers to "force" a DL box to popup for the user. I set up .htaccess to block all files EXCEPT to the IP address of the server. That way, no one can access the files directly, only PHP can get to them. Will that work, or am I on the wrong track?
    --Jas
    function GreatMinds(){ return "Think Like Jas"; }
    I'm gone for a while, but in the meantime: Try using my FTP script | Fight Bot Form Submissions

  9. #9
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,156
    Thanks
    262
    Thanked 690 Times in 678 Posts

    Default

    Well, .htaccess shouldn't be involved in the server, I don't think. (Honestly, I didn't read the posts before this, so I might just be operating on bad guesses.)

    The way you could set that is easy--
    Disallow everyone access to a folder.
    Place the files in that folder.
    Use PHP to retrieve the files; PHP won't be stopped as it's on the same machine; local access; ie, you won't need to allow the server's IP, etc. (Some permissions should be set on the files, though, so PHP can read them, I think.)
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum
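
The approach described in the post above (close the folder to all web access and let PHP read the files from disk), combined with the session check from post #2 and the per-user requirement from post #1, as an added example that is not code from the thread. The folder path, the `username` session key and the permission table are assumptions made for illustration.

```php
<?php
// download.php?file=video.MPEG -- added example; all names are assumptions.
session_start();

// Hypothetical folder, outside the web root or closed off with "deny from all".
// PHP reads it from disk, so no "allow from" rule for the server IP is needed.
const UPLOAD_DIR = '/home/example/protected_uploads';

// Hypothetical per-member permissions; normally a database lookup.
const PERMISSIONS = [
    'joe' => ['video.MPEG'],
    'ann' => ['video.MPEG', 'video2.MPEG'],
];

function deny(int $status, string $message): void
{
    http_response_code($status);
    header('Content-Type: text/plain; charset=utf-8');
    exit($message);
}

// 1. Must be logged in ('username' is assumed to be set by the login page).
$user = $_SESSION['username'] ?? null;
if (!is_string($user) || $user === '') {
    deny(403, 'Please log in to download files.');
}

// 2. Reduce the request to a bare file name so "../" cannot leave UPLOAD_DIR.
$file = $_GET['file'] ?? '';
$file = is_string($file) ? basename($file) : '';

// 3. The file must be on this member's list (exact, case-sensitive match).
if ($file === '' || !in_array($file, PERMISSIONS[$user] ?? [], true)) {
    deny(403, 'You do not have access to this file.');
}

// 4. It must resolve to a regular file directly inside the protected folder.
$path = realpath(UPLOAD_DIR . '/' . $file);
if ($path === false || dirname($path) !== realpath(UPLOAD_DIR) || !is_file($path)) {
    deny(404, 'File not found.');
}

// 5. Send it with headers that make the browser show a download box.
session_write_close(); // release the session lock during a long transfer
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $file . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Because the script opens the file through the filesystem, the web server's access rules for the folder never apply to it; they only stop browsers that request the file's URL directly.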

  10. #10
    Join Date
    Jan 2007
    Posts
    629
    Thanks
    10
    Thanked 28 Times in 28 Posts

    Default

    I am a little confused by your answer. You seem to be contradicting yourself in that post, or else I am just REALLY lost. Could you explain a little better, djr33?
    --Jas
    function GreatMinds(){ return "Think Like Jas"; }
    I'm gone for a while, but in the meantime: Try using my FTP script | Fight Bot Form Submissions
