Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

how to password protect downloadable pdf files in website

I am having a personal portfolio website and i have a some pdf files like

<a href="file.pdf">Some file</a>

I dont want everyone to download the file, and i want it to protect it with password,so that i can share it with only the people i know

where only the person who gives the correct password is able to download my file

Note: 1. since its a personal portfolio website it do not have any "LOGIN's"
2. I have designed the webpage with HTML as a responsive code

Your suggestions please, any way of doing it without .htaccess ??

like image 332
D3vil_Mind Avatar asked Oct 30 '12 19:10

D3vil_Mind


2 Answers

You need to use a php file to feed the file through where the pdf files are stored in a NON PUBLIC folder.

For example, put your pdfs in a non public accessible directory, let's say: /home/pdfs/

And your PHP script in a public accessble directory, let's say: /home/public_html/

Inside the script in the public directory put:

if (isset($_GET('password')) {
die('wrong password');
}

if ($_GET['password'] != 'mypass') {
die('wrong password');
}

$file="/home/pdfs/test.pdf";
header("Pragma: public");
header('Content-disposition: attachment; filename='.$file);
header("Content-type: ".mime_content_type($file));
header('Content-Transfer-Encoding: binary');
ob_clean();
flush();
readfile($file); 

Use GET values to determine the file to download, but to ensure better security only allow .pdf extensions, strip all other periods and slashes to prevent them from traversing the directories of your server and being given important security files containing passwords etc!!! To be even safer still only name your pdf files using characters a-z 0-9 and - or _

And then when you wish to download a file craft the correct URL to the script above, and ensure the pdf file exists in the non public directory.

like image 126
HenchHacker Avatar answered Sep 22 '22 13:09

HenchHacker


Use MySQL or MySQLite - depending on your preference - and store the link to the PDF in the database. Then use a script such as download.php. Store a password for the file in the database and require the user to enter it before the file is downloaded. If you're unfamiliar with databases you COULD do it all in PHP.

A VERY rough mockup (Without a database, if you are familiar with dbs, adjust accordingly)

HTML Form

<form name="download" id="download" method="post" action="download.php">
  <input type="password" id="password" name="password" />
  <input type="submit" id="submit" value="Download" />
</form>

PHP (download.php)

<?php
     // Get the password
          $pw = md5($_POST['password']);

     // Compare against the stored password
          $valid_pw = md5("your password you want to use");

          if($pw != $valid_pw){
               echo "Error! You do not have access to this file";
          }else{
               header("Location: /path/to/your/file.pdf");
          }
?>

NOTES:

I used an extremely basic method of encrypting the password. I would research better methods if this was my application but for the sake of brevity and ease of understanding, I used a simple md5() hash comparison.

like image 24
rws907 Avatar answered Sep 18 '22 13:09

rws907