
Password protection and prevent download

Hello all
I'm completely new to php but a complete newbie when it comes to unix.
So please don't laugh about my problem.

I have programmed a nice password check with php, javascript and a
database and it works. But as I have removed the access control with
.htaccess on the server I recognized that everybody can now directly
download all documents without a password, as long as they know the
filename and location.

I assume that for any unix hacker it should not be a problem to find
all filenames somehow.
Is this true ? Have I opened a security hole on the server?
If yes, how can I prevent it? And how can I protect some directories
with sensitive data and only show it when somebody has properly
entered his personal password.
I mean, is it possible to still use the .htaccess on some directories
and grant access to this directory for those users that correctly
identified themselves, without having to enter another password?

thanks
greets
Juerg
Sep 5 '08 #1


Juerg Beck wrote:
I have programmed a nice password check with php, javascript and a
database and it works. But as I have removed the access control with
.htaccess on the server I recognized that everybody can now directly
download all documents without a password, as long as they know the
filename and location.
Suppose your files are in http://www.example.org/files/. If your server
is configured to show a directory index, it will show a list of files
when someone requests http://www.example.org/files/. This is not what you
want, so you could turn off the directory index for that directory. That will
make it very hard for any visitor to get a list of files.

Another way to get a list of files is when someone has access to your
server. For example, if you host your site on a shared host, other people
using the same host may be able to get a list of files.

Finally, someone may just guess the filename or pass the URL on to
friends and family.

What you really want is that people can only get the files through your
script, and can not pass the URL around.

To do this, you put your files outside of your document root so that they are
no longer accessible through http://www.example.org/files/ or any other
URL. To access the file, you make a PHP script which first checks the
password and then serves the file. This makes downloading the file
without the password impossible.

It goes something like this:
<?php
// Directory outside the document root where the protected file lives
// (adjust this path to your own layout).
$dir  = __DIR__ . '/../private/';
$file = 'protectedfile.mp3';
$pass = $_POST['password'] ?? '';

// Strict, constant-time comparison; a loose == would type-juggle.
if (hash_equals('supersecret', $pass)) {
    $path = $dir . $file;
    // Set some headers to indicate that the user is downloading
    // a file
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $file . '"');
    header('Content-Length: ' . filesize($path));

    // Pass the file to the visitor.
    readfile($path);
} else {
    echo 'Wrong password.';
}
?>
Sep 5 '08 #2
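The reply above hard-codes one file and re-checks the password on every request. The script below is an added example, not code from either poster, that generalizes the same idea to the situation the question describes: a login that is checked once and remembered in the PHP session, and a gateway that serves any file from a directory outside the document root, with the requested name validated so that a visitor cannot use it to read files elsewhere on the server. The directory `/var/www/private`, the `file` query parameter and the `supersecret` password are assumptions for the example; a real site would load the per-user password hash from its database instead of computing it at startup.

```php
<?php
declare(strict_types=1);
// Added example (not the original thread's code). One script does two jobs:
//  1. authenticate once and remember it in the session;
//  2. stream a requested file only if it resolves inside PRIVATE_DIR.
// Assumed layout, adjust to your own:
//   /var/www/html/download.php   <- this script, web-accessible
//   /var/www/private/            <- protected files, NOT under the web root

const PRIVATE_DIR = '/var/www/private';   // assumed path, outside the document root

session_start();

// Demo only: a real site stores the output of password_hash() per user in its
// database and loads it here. Generate one with:
//   php -r "echo password_hash('supersecret', PASSWORD_DEFAULT);"
$storedHash = password_hash('supersecret', PASSWORD_DEFAULT);

// Step 1: login. password_verify() compares against the salted hash in
// constant time, so neither the plaintext nor a == type-juggle is involved.
if (isset($_POST['password'])) {
    if (password_verify((string) $_POST['password'], $storedHash)) {
        session_regenerate_id(true);          // new session id after login (anti-fixation)
        $_SESSION['authenticated'] = true;
    } else {
        http_response_code(403);
        exit('Wrong password.');
    }
}

if (empty($_SESSION['authenticated'])) {
    http_response_code(401);
    exit('Please log in first.');
}

// Step 2: resolve the requested file safely and send it.
$path = resolve_private_file((string) ($_GET['file'] ?? ''));
if ($path === null) {
    http_response_code(404);
    exit('No such file.');
}
send_file($path);

/**
 * Map a user-supplied name to a file inside PRIVATE_DIR, or return null.
 * basename() drops any directory component, and realpath() then proves the
 * result still lies inside PRIVATE_DIR, so input such as "../../etc/passwd"
 * or a stray symlink cannot escape the private directory.
 */
function resolve_private_file(string $requested): ?string
{
    $name = basename($requested);
    if ($name === '' || $name[0] === '.') {      // reject empty names and dotfiles
        return null;
    }
    $base = realpath(PRIVATE_DIR);
    $real = realpath(PRIVATE_DIR . '/' . $name);
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                               // resolved outside PRIVATE_DIR
    }
    return $real;
}

/** Send the file as a download without buffering it in memory. */
function send_file(string $path): void
{
    // A generic type plus nosniff makes the browser download the file rather
    // than render it, so an HTML or SVG file in the private dir cannot run in
    // your site's origin.
    $safeName = str_replace(['"', "\r", "\n"], '', basename($path));
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    header('Content-Length: ' . (string) filesize($path));
    header('Cache-Control: private, no-store');
    while (ob_get_level() > 0) {
        ob_end_clean();                            // drop output buffers before streaming
    }
    readfile($path);
    exit;
}
```

Usage: POST `password=...` to the script once, then request `download.php?file=protectedfile.mp3` with the session cookie. On the question about .htaccess: Apache's own password protection (mod_auth_basic) and a PHP login are separate mechanisms, so a user who logged in through PHP would still be prompted by Apache for a directory protected that way; serving the files through a script like this one is how you get a single login. If the files cannot be moved out of the document root, deny direct access to their directory with `Require all denied` (Apache 2.4) in an .htaccess there and let only the script read them; `Options -Indexes` turns off the directory listing the reply mentions, but by itself does not stop anyone who already knows a filename.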
