0

I am using PHP to connect to a MySQL database, and customers can log in to my website and it lists rows from a table based on their login etc.

I need to be able to display a `<a href="...."></a>` link to a file name in the database, but I don't want users to be able to see the link to the file.

For example, they can download file 1234.pdf, and if they can view the actual link, they might think of going to the same location but doing file 5678.pdf, which is only meant for another user to download.

So basically I want to hide the link in a long string or something, but I'm not sure where to start - any ideas?

Thanks

EDIT:

Let's say Customer A logs in; they can view rows from table1.

TABLE1

| customer | file_link |
|----------|-----------|
| A        | 1234.pdf  |
| A        | 5678.pdf  |
| B        | 8765.pdf  |
| B        | 4321.pdf  |

So, I don't want customer A to be able to view the links for customer B.

I mean, if customer A hovers over a link and can see the main file path, they can type this in their web browser and then change the file name (guess it) to something else and download another customer's file(s).

  • Not uber clear, what do you mean by `they might think of going to the same location but doing file 5678.pdf which is only meant for another user to download`? – cheesemacfly Apr 08 '13 at 21:00
  • means that they might cheat and try out other file names... – Ejaz Apr 08 '13 at 21:02
  • The correct way to handle that is to have another mechanism in place that prevents users from accessing each other's files - merely obscuring their location is a poor solution, for [a variety of reasons](http://en.wikipedia.org/wiki/Security_through_obscurity). – Dan J Apr 08 '13 at 21:03

2 Answers

1

If you're planning on not letting others see the file links, then you probably wouldn't want search engines to see them as well. A typical way of forbidding users from trying out such stuff is to have a specific page that flushes the file instead of linking directly to the file. E.g.,

```html
<a href="download.php?fileid=123">Download</a>
```

Then in download.php you could check user permissions and make the browser download the file.

Ejaz
  • Have tried this, the output of the SQL is: `$sql="SELECT * from table1 where customer_sequence = '53' and invoice_number = '1234' and sequence = '7523482'";` `$filePath = '../admin/billing/invoices/1234.pdf';` `header("Location:".$filePath."");` The criteria in the SQL match the database but it's not downloading –  Apr 08 '13 at 21:48
  • http://stackoverflow.com/questions/7263923/how-to-force-file-download-with-php did you visit this page? Try adding `exit()` after your `header(...)` if you like to stick to redirecting user. – Ejaz Apr 08 '13 at 21:59
  • Yeah, but still can't seem to get it to download –  Apr 08 '13 at 23:03
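
One way to write the `download.php` that the answer above describes, as an added example that is not code from either answer on this page: the ownership check is part of the SQL lookup, and the file is read from a directory outside the web root, so changing the file name or id in the URL does not reach another customer's file. The `id` column, the `$_SESSION['customer']` key, the storage path and the database credentials are assumptions.

```php
<?php
// download.php: added example, not code from either answer on this page.
// Assumptions: integer `id` column in table1, customer name kept in
// $_SESSION['customer'] by the login page, placeholder DSN and storage path.
declare(strict_types=1);

const STORAGE_DIR = '/var/www/private/invoices'; // hypothetical, outside the web root

/** Return the absolute path of file $fileId only if it belongs to $customer. */
function resolve_download(PDO $db, string $customer, int $fileId, string $dir): ?string
{
    // Ownership is part of the lookup: another customer's id matches no row.
    $stmt = $db->prepare('SELECT file_link FROM table1 WHERE id = ? AND customer = ?');
    $stmt->execute([$fileId, $customer]);
    $name = $stmt->fetchColumn();
    if ($name === false) {
        return null;
    }
    // basename() drops any directory part; realpath() resolves symlinks.
    $root = realpath($dir);
    $path = realpath($dir . '/' . basename((string) $name));
    if ($root === false || $path === false || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

session_start();
$fileId = filter_input(INPUT_GET, 'fileid', FILTER_VALIDATE_INT);
if (!isset($_SESSION['customer']) || !is_int($fileId)) {
    http_response_code(403); // not logged in, or fileid is not an integer
    exit;
}
$db = new PDO('mysql:host=localhost;dbname=example', 'db_user', 'db_pass'); // placeholders
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$path = resolve_download($db, (string) $_SESSION['customer'], $fileId, STORAGE_DIR);
if ($path === null) {
    http_response_code(404); // same response for "no such file" and "not yours"
    exit;
}
$safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
header('Content-Type: application/pdf');
header('Content-Disposition: attachment; filename="' . $safeName . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
exit;
```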
0
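```php
<?php
    // Name offered to the browser in the download dialog.
    $file = 'file1234.pdf';
    // Source URL; readfile() on an http:// URL requires allow_url_fopen.
    $file_url = 'http://www.test.com/files/' . $file;
    // Generic binary type so the browser saves the file instead of rendering it.
    header('Content-Type: application/octet-stream');
    header('Content-Transfer-Encoding: Binary');
    // Use the bare file name here, not the full URL.
    header('Content-Disposition: attachment; filename="' . $file . '"');
    // Stream the file contents to the client, then stop the script.
    readfile($file_url);
    die();
?>
```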

I think this is what you'll need.

Ben Poulson