Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

PHP to protect PDF and DOC

Tags:

php

pdf

download

access-control

I am trying to provide .pdf and .doc files to authorized users on a website. The user can only see the file selection page when logged in but this doesn't prevent an unauthorized user from viewing the documents if they have knowledge of the full URL.

How can I prevent unauthorized users from accessing these files?

like image 478
Mike Avatar asked Sep 15 '11 07:09

Mike

2 Answers

the answer is quite simple, @Jonnix has posted this as I was typing but I will explain a little more for you

one put your files outside of your public HTML directory if your unable to do this look at @Andri answer for an alternative

E.G cpanel setup

user/public_html
    /public_html/download.php

user/documents/
    /documents/file.doc
    /documents/file.pdf

@dhh has posted a basic download.php php file however as your wanting to force download their things you can do like finding and supplying the correct mime type here is an extension on to his code as to the best way to 1 force download of a file, and 2 allow different file types

download.php

//check users is loged in and valid for download if not redirect them out
// YOU NEED TO ADD CODE HERE FOR THAT CHECK
// array of support file types for download script and there mimetype
$mimeTypes = array(
    'doc' => 'application/msword',
    'pdf' => 'application/pdf',
);
// set the file here (best of using a $_GET[])
$file = "../documents/file.doc";

// gets the extension of the file to be loaded for searching array above
$ext = explode('.', $file);
$ext = end($ext);

// gets the file name to send to the browser to force download of file
$fileName = explode("/", $file);
$fileName = end($fileName);

// opens the file for reading and sends headers to browser
$fp = fopen($file,"r") ;
header("Content-Type: ".$mimeTypes[$ext]);
// this header tells the browser this is a download and not to try and render if it is able to E.G images
header('Content-Disposition: attachment; filename="'.$fileName.'"');

// reads file and send the raw code to browser     
while (! feof($fp)) {
    $buff = fread($fp,4096);
    echo $buff;
}
// closes file after whe have finished reading it
fclose($fp);

P.S here is a big list of mime types if you want to add support for other files https://www.freeformatter.com/mime-types-list.html

like image 200
Barkermn01 Avatar answered Sep 26 '22 00:09

Barkermn01

What you can do, is provide the equivalent of a PHP proxy for the files.

Put the files outside of the webroot, then write a script that checks the user is allowed access. If not, redirect them, if they do, set the appropriate headers and output the file data.

like image 32
Jonnix Avatar answered Sep 23 '22 00:09

Jonnix
Sign in to Comment

Related questions

get tagname in xml using php
Call form submit action from php function on same page
PHP session timeout
How to send html table in email body in php?
Magento Extension 404 Error
How can i make the php cos function return the correct value?
How big of an impact does including PHP files have on performance?
How to handle user online status when he/she close the browser?
Long request blocks other requests in Apache and PHP
Zend response application/json utf-8
Why the code execute after redirection
getting all the keys for a map such as $_POST
How to convert this XML request into array in php?
Using JRoute::_() in Joomla administrator
How to parse this table and extract data from it?
Working with classes in PHP
how can I javascript decodeURI in PHP?
how to send an HTML email with an inline attached image with PHP
How to convert text to \x codes?
Split string into into array of character pairs [duplicate]

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!