7

I am having a personal portfolio website and i have a some pdf files like

<a href="file.pdf">Some file</a>

I dont want everyone to download the file, and i want it to protect it with password,so that i can share it with only the people i know

where only the person who gives the correct password is able to download my file

Note: 1. since its a personal portfolio website it do not have any "LOGIN's"
2. I have designed the webpage with HTML as a responsive code

Your suggestions please, any way of doing it without .htaccess ??

Quentin
  • 914,110
  • 126
  • 1,211
  • 1,335
D3vil_Mind
  • 339
  • 2
  • 3
  • 13

4 Answers4

7

You need to use a php file to feed the file through where the pdf files are stored in a NON PUBLIC folder.

For example, put your pdfs in a non public accessible directory, let's say: /home/pdfs/

And your PHP script in a public accessble directory, let's say: /home/public_html/

Inside the script in the public directory put:

if (isset($_GET('password')) {
die('wrong password');
}

if ($_GET['password'] != 'mypass') {
die('wrong password');
}

$file="/home/pdfs/test.pdf";
header("Pragma: public");
header('Content-disposition: attachment; filename='.$file);
header("Content-type: ".mime_content_type($file));
header('Content-Transfer-Encoding: binary');
ob_clean();
flush();
readfile($file);

Use GET values to determine the file to download, but to ensure better security only allow .pdf extensions, strip all other periods and slashes to prevent them from traversing the directories of your server and being given important security files containing passwords etc!!! To be even safer still only name your pdf files using characters a-z 0-9 and - or _

And then when you wish to download a file craft the correct URL to the script above, and ensure the pdf file exists in the non public directory.

HenchHacker
  • 1,616
  • 1
  • 10
  • 16
  • You're missing half the solution here. How do you use the binary data to create a pdf on the client side? and then have them download it? – Python Cheese Apr 10 '17 at 07:02
3

Use MySQL or MySQLite - depending on your preference - and store the link to the PDF in the database. Then use a script such as download.php. Store a password for the file in the database and require the user to enter it before the file is downloaded. If you're unfamiliar with databases you COULD do it all in PHP.

A VERY rough mockup (Without a database, if you are familiar with dbs, adjust accordingly)

HTML Form

<form name="download" id="download" method="post" action="download.php">
  <input type="password" id="password" name="password" />
  <input type="submit" id="submit" value="Download" />
</form>

PHP (download.php)

<?php
     // Get the password
          $pw = md5($_POST['password']);

     // Compare against the stored password
          $valid_pw = md5("your password you want to use");

          if($pw != $valid_pw){
               echo "Error! You do not have access to this file";
          }else{
               header("Location: /path/to/your/file.pdf");
          }
?>

NOTES:

I used an extremely basic method of encrypting the password. I would research better methods if this was my application but for the sake of brevity and ease of understanding, I used a simple md5() hash comparison.

Timo Tijhof
  • 10,032
  • 6
  • 34
  • 48
rws907
  • 787
  • 4
  • 14
  • 25
  • 6
    thats some very weak protection as anyone who knows the path to the file will still have access. – HenchHacker Oct 30 '12 at 19:55
  • 2
    As I said above, "very rough" mockup without a database. I'm not going to waste my time coding something the OP may not understand. Instead I gave him a simple solution that he can expand on. – rws907 Oct 30 '12 at 20:00
  • could you add the security for the links also ? so people can´t share links ? – Francisco Corrales Morales Jan 29 '15 at 16:39
  • Yes... you could have a column in your database -- such as `is_viewed` that identifies whether or not the link has been visited. I've done this in the past. My download script would query the database to see if the value of `is_viewed` true or false (1 or 0). If it's true (1) then the user attempting to download the file would be redirected to an error page stating the link is no longer valid. If the value is false (0) the download is allowed to occur and the field is then changed to true (1). Hope that helps. – rws907 Jan 30 '15 at 19:05
  • 1
    Why would you even bother using `md5` function to hash the two password strings before comparing? You could just compare the original strings, it's no different. – ADTC Mar 08 '18 at 18:03
  • @ADTC Storing hashed passwords is a basic security precuation. It means that the serving system doesn't store user passwords in plaintext, so that if the system were to be compromised, users' credentials are still somewhat protected. – Edward Gargan Sep 10 '18 at 18:27
  • @EdwardGargan generally that is true. However, I was talking about the specific code in the answer: `md5("your password you want to use")` ... shouldn't this just be `"6373b383da1b7fae9133adb40cc37200"` (the actual md5 hash of `your password you want to use`)? (Yes I do understand it's an example, but the example is misleading. Perhaps, it's better written with the example hash and it be pointed out in a comment that the hash should be that of the valid password.) – ADTC Sep 17 '18 at 08:33
3

Follow @rsmith84's tips but make sure you block folder access:

Apache .htaccess file

Deny from all

IIS web.config file

<system.webServer>
    <security>
        <authorization>
            <remove users="*" roles="" verbs="" />
            <add accessType="Allow" roles="Administrators" />
        </authorization>
    </security>
</system.webServer>

Thenh allow delivery only with a PHP file. Verify user and then do readfile('/protectd/file/path') from your protected folder.

CodeAngry
  • 12,760
  • 3
  • 50
  • 57
2

Create a php file say, download.php and link to that file instead.
You can check for correct password there, and if it's correct, you can write the contents of the PDF file to the response.

Omid Kamangar
  • 5,768
  • 9
  • 40
  • 69