Reputation: 1144
Is there a way to stop users from typing in a URL and gaining access to a file in a specific directory but still allow a PHP script to have access to the file to change it or download it?
In other words, I want to stop people from typing in: http://www.mysite.com/securefolder/file1.pdf. Maybe redirect them to a different page or something.
But I do not want to completely lock away the files because I still need to use a PHP script to download and modify the files.
Any help is appreciated, Thanks
Upvotes: 0
Views: 3198
Reputation: 96258
Disable direct access to the file on the webserver, and serve the file from a PHP script (some hints on this manual page: http://www.php.net/manual/en/function.readfile.php). Webserver access restrictions won't affect PHP, as it is directly accessing the filesystem. Here's a similar question: Secure files for download
If performance is critical, there is a plugin for most of the webservers which will help you to serve the file directly (bypassing PHP):
Upvotes: 2
Reputation: 50858
If the files are on the same server, you don't need to download them in order to serve them. Simply read them from the filesystem and output them directly.
If, however, they're not, and you need a script to be able to download files, and others to be refused, you could password protect the directory.
To then download files using for instance cURL, you can specify the following options:
curl_setopt($ch, CURLOPT_USERPWD, "$username:$password");
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
Upvotes: 1
Reputation: 1700
Place your data file outside of the public web space. Read the file using PHP and serve.
There is no reason for the source file to be located within the web host's DocumentRoot unless you want the file to be served publicly.
A PHP script runs as a local user and so is able to read the file even outside the scope of Apache (or other) web server.
Upvotes: 0
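The approach the answers above describe (keep the files outside the DocumentRoot and stream them through PHP with readfile()), as an added example that is not code from any of the posters. The script name download.php, the SECURE_DIR path, the "file" query parameter and the $_SESSION['user_id'] login check are assumptions.

```php
<?php
// download.php (hypothetical name): serves files stored outside the DocumentRoot.
// SECURE_DIR is an assumed path; point it at the directory that holds the files.
const SECURE_DIR = '/var/www/private/securefolder';

/**
 * Resolve a user-supplied file name to a real path inside $baseDir.
 * Returns null if the file is missing or the name escapes the directory.
 */
function resolve_secure_path(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    // realpath() collapses "../" and follows symlinks, so the prefix check
    // below is made against the file's true location on disk.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || !is_file($path)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

session_start();
// Assumption: the application's login code sets $_SESSION['user_id'].
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Access denied');
}

// Reject array-valued parameters such as ?file[]=x before resolving the name.
$name = $_GET['file'] ?? '';
$path = is_string($name) ? resolve_secure_path(SECURE_DIR, $name) : null;
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

// Keep the download name to a conservative character set for the header.
$safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $safeName . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

A request such as download.php?file=../../etc/passwd resolves outside SECURE_DIR and gets a 404, while the PDF itself has no URL of its own.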
Reputation: 162791
The ideal approach will depend on whether the PHP script accesses the PDF file locally on disk, or remotely over http.
If the PHP script accesses the file locally on disk, simply place the file outside the root folder of the web site.
If the PHP script accesses the file remotely over http, here are some options:
Limit access by origin IP
Password protect the resource and serve over https
Upvotes: 1
Reputation: 47966
If all you want is a specific setting for a certain file, a very simple rule will be all you need -
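RewriteEngine on
# In .htaccess the matched path has no leading slash, so it is made optional; the literal dot is escaped
RewriteRule ^/?securefolder/file1\.pdf$ access_denied.php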
What might be a better idea is to make a rule for the entire secured folder -
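RewriteEngine on
# Matches every path under securefolder/ (leading slash optional so the rule also works in .htaccess)
RewriteRule ^/?securefolder/.*$ access_denied.php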
One last (and probably best) way to do this is to create an additional .htaccess inside the secured folder and simply deny all access to it. Place this one line -
deny from all
In all of the solutions, we are only talking about external requests. All your scripts and internal paths to scripts, files, etc... will remain intact and unaffected by the rules you define within the .htaccess files.
Upvotes: 3