Files downloadable by members only

Re: Files downloadable by members only

Boniface Frederic wrote:[color=blue]
> Hello,
>
> I want to set some files downloadable only by members with login and
> password.
>
> I use session to protect my .html and .php files, but I would like to
> know how to protect .zip files.
> The .zip files are in a folder protected with a .htaccess file with
> the members data as password file.
> When a member is already connected and click on a download link, a
> connect dialog box ask the member to fill again his login and
> password (of course to get in the protected folder).
>
> I would like to know if there is a way to avoid this dialog box, or
> if i should use something else to protect the files.[/color]

Put your files in a directory, where they can't be accessed directly, either
outside the webroot or in a password-protected folder.
Then access the files via eg getfile.php?nam e=some.file
getfile.php checks the authorisation, and if ok, sets the proper
mime-headers fopens /protected/some.file, and emits it using fpassthru()

Leif

Re: Files downloadable by members only

Thank you Leif for the fast and accurate response.
Here is the getfile.php code if someone is interested.

Fred.

// getfile.php :
<?php
session_start() ;
if(empty($_SESS ION['login']))
{
// not a member
die('Member access only');
}
else
{
//---- check file
if (is_file($file) )
{
// ----- Open the file
$fp = fopen($file, "r");
// ----- Content Type
header("Content-Type: application/download\n");
header("Content-Disposition: attachment; filename=".$fil e);
//Download
fpassthru($fp);
}
else
print('File '.$file.' not found');
}
?>

Re: Files downloadable by members only

"Boniface Frederic" <boniface.frede ric@free.fr> wrote in message news:<40ced68e$ 0$27546$626a14c e@news.free.fr> ...[color=blue]
> Thank you Leif for the fast and accurate response.
> Here is the getfile.php code if someone is interested.
> // getfile.php :
> <?php
> session_start() ;
> if(empty($_SESS ION['login']))
> {
> // not a member
> die('Member access only');
> }
> else
> {
> //---- check file
> if (is_file($file) )
> {[/color]

So... here $file is $_GET['file']? So, you allow any filename
(file path) to be sent via the query string? Don't you see any
security threat?

--
| Just another PHP saint |
Email: rrjanbiah-at-Y!com

Re: Files downloadable by members only

"Boniface Frederic" <boniface.frede ric@free.fr> wrote in message
news:40ced68e$0 $27546$626a14ce @news.free.fr.. .[color=blue]
> Thank you Leif for the fast and accurate response.
> Here is the getfile.php code if someone is interested.
>
> Fred.
>
> // getfile.php :
> <?php
> session_start() ;
> if(empty($_SESS ION['login']))
> {
> // not a member
> die('Member access only');
> }
> else
> {
> //---- check file
> if (is_file($file) )
> {
> // ----- Open the file
> $fp = fopen($file, "r");
> // ----- Content Type
> header("Content-Type: application/download\n");
> header("Content-Disposition: attachment; filename=".$fil e);
> //Download
> fpassthru($fp);
> }
> else
> print('File '.$file.' not found');
> }
> ?>[/color]

Don't forget to call session_write_c lose() before calling fpassthru (or
readfile). Otherwise the visitor would be unable to browse the site while
the file is downloading.