Hide files from non-members

**Captain Paralytic** · Feb 16 '07, 12:05 PM

Re: Hide files from non-members

On 16 Feb, 11:33, n...@spray.se wrote:

Hello!
I'm trying to secure pdf-files from users that are not logged in on a
site.
What I have tried now is to make a .htaccess file in the directory
where the pdf's are with "deny from all" which stops everyone from
downloading them. Then in the member-area when a user wants to
download a pdf a php-script copies the pdf-file from the secured-
folder to a temp-folder and renames it to some random file-name that
the user can download. Then when the user are ready with the download
I want the temp-file to be deleted automaticly to prohibit other non-
members to find it? How can I do this?
Maybe someone have another totally different solution to secure files?
Regards
/Samuel

Read the file's contents and send it to the terminal with the correct
headers. No need to write a temp file at all.
You will use similar code to this, replacing the database with your
"hidden" files.
Also rather than using .htaccess to deny access, just hold the files
in a directory that isn't in the http root structure.

**Captain Paralytic** · Feb 16 '07, 12:05 PM

Re: Hide files from non-members

On 16 Feb, 11:52, "Captain Paralytic" <paul_laut...@y ahoo.comwrote:

On 16 Feb, 11:33, n...@spray.se wrote:
>

Hello!
I'm trying to secure pdf-files from users that are not logged in on a
site.
What I have tried now is to make a .htaccess file in the directory
where the pdf's are with "deny from all" which stops everyone from
downloading them. Then in the member-area when a user wants to
download a pdf a php-script copies the pdf-file from the secured-
folder to a temp-folder and renames it to some random file-name that
the user can download. Then when the user are ready with the download
I want the temp-file to be deleted automaticly to prohibit other non-
members to find it? How can I do this?
Maybe someone have another totally different solution to secure files?
Regards
/Samuel

>
Read the file's contents and send it to the terminal with the correct
headers. No need to write a temp file at all.
You will use similar code to this, replacing the database with your
"hidden" files.
Also rather than using .htaccess to deny access, just hold the files
in a directory that isn't in the http root structure.

Oops, missed the link!

Radar - O’Reilly

http://www.onlamp.com/pub/a/onlamp/2002/05/09/webdb2.html

Now, next, and beyond: Tracking need-to-know trends at the intersection of business and technology

**Erwin Moller** · Feb 16 '07, 12:15 PM

Re: Hide files from non-members

nokan@spray.se wrote:

Hello!
I'm trying to secure pdf-files from users that are not logged in on a
site.
What I have tried now is to make a .htaccess file in the directory
where the pdf's are with "deny from all" which stops everyone from
downloading them. Then in the member-area when a user wants to
download a pdf a php-script copies the pdf-file from the secured-
folder to a temp-folder and renames it to some random file-name that
the user can download. Then when the user are ready with the download
I want the temp-file to be deleted automaticly

Hi,

But how do you know when the user is finished downloading the pdf with the
random filename?

to prohibit other non-

members to find it? How can I do this?
Maybe someone have another totally different solution to secure files?
Regards
/Samuel

It might be easier to just place the files in a directory with 'deny from
all' in the .htaccess (as you already did), and read the file with PHP.
Then let PHP deliver its content to the browser.

Have a look at the filefunctions at php.net.
Here is the function file_get_conten ts():

http://nl2.php.net/manual/en/function.file-get-contents.php

(I have wondered why that function isn't named file_get_conten t() instead of
the plural form...)

If you let PHP deliver the PDF, make sure PHP sets the right header for the
mimetype (not text/html, but application/pdf)

In that way you can simply refuse the execute the downloadscript if the user
is not logged in.

Regards,
Erwin Moller

**nokan@spray.se** · Feb 16 '07, 01:05 PM

Re: Hide files from non-members

On 16 Feb, 13:00, Erwin Moller
<since_humans_r ead_this_I_am_s pammed_too_m... @spamyourself.c omwrote:

n...@spray.se wrote:

Hello!
I'm trying to secure pdf-files from users that are not logged in on a
site.
What I have tried now is to make a .htaccess file in the directory
where the pdf's are with "deny from all" which stops everyone from
downloading them. Then in the member-area when a user wants to
download a pdf a php-script copies the pdf-file from the secured-
folder to a temp-folder and renames it to some random file-name that
the user can download. Then when the user are ready with the download
I want the temp-file to be deleted automaticly

>
Hi,
>
But how do you know when the user is finished downloading the pdf with the
random filename?
>
to prohibit other non-
>

members to find it? How can I do this?
Maybe someone have another totally different solution to secure files?
Regards
/Samuel

>
It might be easier to just place the files in a directory with 'deny from
all' in the .htaccess (as you already did), and read the file with PHP.
Then let PHP deliver its content to the browser.
>
Have a look at the filefunctions at php.net.
Here is the function file_get_conten ts():http://nl2.php.net/manual/en/functio...t-contents.php
>
(I have wondered why that function isn't named file_get_conten t() instead of
the plural form...)
>
If you let PHP deliver the PDF, make sure PHP sets the right header for the
mimetype (not text/html, but application/pdf)
>
In that way you can simply refuse the execute the downloadscript if the user
is not logged in.
>
Regards,
Erwin Moller

Thank you for fast answer

I tried and it worked, i just did like this:

$str_pdf = file_get_conten ts("$pathtopdf" );
echo $str_pdf;

Is this right? How can I set the right header?
When I did this the pdf-file that I downloaded got the same name as
the php-file that the script is in, how can I rename it to something
else?

**Captain Paralytic** · Feb 16 '07, 01:15 PM

Re: Hide files from non-members

On 16 Feb, 12:52, n...@spray.se wrote:

On 16 Feb, 13:00, Erwin Moller
>
>
>
>
>
<since_humans_r ead_this_I_am_s pammed_too_m... @spamyourself.c omwrote:

n...@spray.se wrote:

Hello!
I'm trying to secure pdf-files from users that are not logged in on a
site.
What I have tried now is to make a .htaccess file in the directory
where the pdf's are with "deny from all" which stops everyone from
downloading them. Then in the member-area when a user wants to
download a pdf a php-script copies the pdf-file from the secured-
folder to a temp-folder and renames it to some random file-name that
the user can download. Then when the user are ready with the download
I want the temp-file to be deleted automaticly

>

Hi,

>

But how do you know when the user is finished downloading the pdf with the
random filename?

>

to prohibit other non-

>

members to find it? How can I do this?
Maybe someone have another totally different solution to secure files?
Regards
/Samuel

>

It might be easier to just place the files in a directory with 'deny from
all' in the .htaccess (as you already did), and read the file with PHP.
Then let PHP deliver its content to the browser.

>

Have a look at the filefunctions at php.net.
Here is the function file_get_conten ts():http://nl2.php.net/manual/en/functio...t-contents.php

>

(I have wondered why that function isn't named file_get_conten t() instead of
the plural form...)

>

If you let PHP deliver the PDF, make sure PHP sets the right header for the
mimetype (not text/html, but application/pdf)

>

In that way you can simply refuse the execute the downloadscript if the user
is not logged in.

>

Regards,
Erwin Moller

>
Thank you for fast answer
>
I tried and it worked, i just did like this:
>
$str_pdf = file_get_conten ts("$pathtopdf" );
echo $str_pdf;
>
Is this right? How can I set the right header?
When I did this the pdf-file that I downloaded got the same name as
the php-file that the script is in, how can I rename it to something
else?- Hide quoted text -
>
- Show quoted text -

Look a tmy answer to you. I gave you a link to a page that told you
how to do it!

**Erwin Moller** · Feb 16 '07, 03:05 PM

Re: Hide files from non-members

Captain Paralytic wrote:

On 16 Feb, 12:52, n...@spray.se wrote:

>On 16 Feb, 13:00, Erwin Moller
>>
>>
>>
>>
>>
><since_humans_ read_this_I_am_ spammed_too_m.. .@spamyourself. comwrote:

n...@spray.se wrote:
Hello!
I'm trying to secure pdf-files from users that are not logged in on a
site.
What I have tried now is to make a .htaccess file in the directory
where the pdf's are with "deny from all" which stops everyone from
downloading them. Then in the member-area when a user wants to
download a pdf a php-script copies the pdf-file from the secured-
folder to a temp-folder and renames it to some random file-name that
the user can download. Then when the user are ready with the download
I want the temp-file to be deleted automaticly

>>

Hi,

>>

But how do you know when the user is finished downloading the pdf with
the random filename?

>>

to prohibit other non-

>>

members to find it? How can I do this?
Maybe someone have another totally different solution to secure
files? Regards
/Samuel

>>

It might be easier to just place the files in a directory with 'deny
from all' in the .htaccess (as you already did), and read the file with
PHP. Then let PHP deliver its content to the browser.

>>

Have a look at the filefunctions at php.net.
Here is the function
>

file_get_conten ts():http://nl2.php.net/manual/en/functio...t-contents.php

>>

(I have wondered why that function isn't named file_get_conten t()
instead of the plural form...)

>>

If you let PHP deliver the PDF, make sure PHP sets the right header for
the mimetype (not text/html, but application/pdf)

>>

In that way you can simply refuse the execute the downloadscript if the
user is not logged in.

>>

Regards,
Erwin Moller

>>
>Thank you for fast answer
>>
>I tried and it worked, i just did like this:
>>
>$str_pdf = file_get_conten ts("$pathtopdf" );
>echo $str_pdf;
>>
>Is this right? How can I set the right header?
>When I did this the pdf-file that I downloaded got the same name as
>the php-file that the script is in, how can I rename it to something
>else?- Hide quoted text -
>>
>- Show quoted text -

>
Look a tmy answer to you. I gave you a link to a page that told you
how to do it!

Yup. I second that.
I just scanned through it, and it looks like a good resource.
Of course it is: It is from O'Reilly. ;-)

Good luck/happy coding.

Regards,
Erwin Moller

**Arjen** · Feb 20 '07, 09:35 AM

Re: Hide files from non-members

>>- Show quoted text -

>Look a tmy answer to you. I gave you a link to a page that told you
>how to do it!

>
Yup. I second that.
I just scanned through it, and it looks like a good resource.
Of course it is: It is from O'Reilly. ;-)
>

Just because you can store images in a db doesn't make it a good idea.
Just use http://www.php.net/manual/en/function.readfile.php (check the
example in the comments)

--
Arjen
http://www.hondenpage.com - Mijn site over honden

**Captain Paralytic** · Feb 20 '07, 09:55 AM

Re: Hide files from non-members

On 20 Feb, 09:29, Arjen <d...@mail.mewr ote:

Just because you can store images in a db doesn't make it a good idea.

That is true, but it happens to be a good idea anyway!

**Arjen** · Feb 20 '07, 11:05 AM

Re: Hide files from non-members

Captain Paralytic schreef:

On 20 Feb, 09:29, Arjen <d...@mail.mewr ote:

>Just because you can store images in a db doesn't make it a good idea.

That is true, but it happens to be a good idea anyway!

Why .. in what situation would bad performance be a good idea ?

--
Arjen
http://www.hondenpage.com - Mijn site over honden

**Captain Paralytic** · Feb 20 '07, 11:35 AM

Re: Hide files from non-members

On 20 Feb, 10:56, Arjen <d...@mail.mewr ote:

Captain Paralytic schreef:
Why .. in what situation would bad performance be a good idea ?

You have evidence for the statement about bad performance?

Jerry Stuckle has provided lots of evidence for good performance and
ease of management of files/images in databases. I too have found that
the performance is excellent.

**Erwin Moller** · Feb 20 '07, 12:15 PM

Re: Hide files from non-members

Arjen wrote:

Captain Paralytic schreef:

>On 20 Feb, 09:29, Arjen <d...@mail.mewr ote:

>>Just because you can store images in a db doesn't make it a good idea.

>That is true, but it happens to be a good idea anyway!

>
Why .. in what situation would bad performance be a good idea ?

Never of course. Unless it gives some other benefit, like ease of migration.

But when you migrate having a database is a little less headache, because
you don't have to worry about the new path, permissions, etc.

(I also never store files (images, documents) in a database, but just the
reference/filename.)

Regards,
Erwin Moller

**Arjen** · Feb 20 '07, 02:25 PM

Re: Hide files from non-members

Captain Paralytic schreef:

On 20 Feb, 10:56, Arjen <d...@mail.mewr ote:

>Captain Paralytic schreef:
>Why .. in what situation would bad performance be a good idea ?

>
You have evidence for the statement about bad performance?
>
Jerry Stuckle has provided lots of evidence for good performance and
ease of management of files/images in databases. I too have found that
the performance is excellent.

Ill test it tomorrow. Right now im inserting 100k pics into a db :-)

--
Arjen
http://www.hondenpage.com - Mijn site over honden

**Arjen** · Feb 21 '07, 08:45 AM

Re: Hide files from non-members

Arjen schreef:

Captain Paralytic schreef:

>On 20 Feb, 10:56, Arjen <d...@mail.mewr ote:

>>Captain Paralytic schreef:
>>Why .. in what situation would bad performance be a good idea ?

>You have evidence for the statement about bad performance?
>>
>Jerry Stuckle has provided lots of evidence for good performance and
>ease of management of files/images in databases. I too have found that
>the performance is excellent.

>
Ill test it tomorrow. Right now im inserting 100k pics into a db :-)

I uploaded 10k (not 100k) pics to my db. On average a page with 100
generated images from a blob entry took 4 secs to load. 100 random
images (varchar 255) took 0.4 secs to load.

--
Arjen
http://www.hondenpage.com - Mijn site over honden

Hide files from non-members

Hide files from non-members

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment