restrict access to directory

My question is. How do I protect the files in that directory from being
accessed by somebody who knows the full path and file name?

I think I have more or less got to grips with basic session management,
but I have a problem protecting a whole directory.

I am making a website with a members area. I have used some basic
session management to create a login page and then use the session to
control access to other pages.

I need to have a directory within the members area where the
organisation will upload files such as minutes of meetings, agendas,
etc. etc.. I want to be able to list the files in this directory on a
members only page, which I can do with opendir() readdir() etc. and some
formating to put links around the filenames.

My question is. How do I protect the files in that directory from being
accessed by somebody who knows the full path and file name?

Thanks
Chris

The site in question is http://www.rba.org.fk

I think I have more or less got to grips with basic session management,
but I have a problem protecting a whole directory.

I am making a website with a members area. I have used some basic
session management to create a login page and then use the session to
control access to other pages.

I need to have a directory within the members area where the
organisation will upload files such as minutes of meetings, agendas,
etc. etc.. I want to be able to list the files in this directory on a
members only page, which I can do with opendir() readdir() etc. and some
formating to put links around the filenames.

My question is. How do I protect the files in that directory from being
accessed by somebody who knows the full path and file name?

Thanks
Chris

The site in question is http://www.rba.org.fk

Save the file in a folder that's not accessible through Apache, then use a
PHP script for file downloading:

<a href="download.php?file=whatsup.doc"> ... </a>

download.php:

$file = basename($file);
$filepath = "$download_folder/$file";

... check to see if user is logged in ...

header("Content-type: application/x-octet-stream");
header("Content-Disposition: attachment; filename=$file");
session_write_close();
readfile($filepath);

Saving user uploaded file in an Apache-accessible folder is rather
dangerous. If you forget to disable scripting on that folder, you could end
up allowing execution of arbitrary code on your server.

In article <bt************@ID-134007.news.uni-berlin.de>, Chris Harris wrote:

My question is. How do I protect the files in that directory from being
accessed by somebody who knows the full path and file name?

If you're using a linux/unix server, google .htaccess.

That depends on what you mean by "knows the full path"

That depends on what you mean by "knows the full path"

What I meant was that for example a file is located at

www.yoururl.com/membersonly/docs/somedoc.

Members only can't be listed (.htaccess), neither can docs, but if
somebody knows the full path and name they can enter that url in their
browser and go straight to it.

I know I'm missing something fundamental here, but don't know enough
about the subject to identify the fundamental ;-)

Chris

as was mentiond here, save the files some where else.

ex:

/useraccount/www
/useraccount/logs
/useraccount/download_files

yuour script can get to it by "../download_files/filename" but URLs:
http://www....... can not.