5

I am trying to restrict direct access to files in a directory. So for example I have website.com/files/example.flv.

So if users go straight to the file in the URL, I want them to be redirected to the home page.

I have tried the following using htaccess:

deny from all

but it's not working great. Is there a way I could do this using PHP, then if the user goes straight to the file in the URL, they will get redirected?

So if the user goes to the file link in the URL, they will be sent to the home page. So can this only be done using htaccess?

Daniel Lematy
  • Create an index.php in your folder. Apache executes the index.php in your folder. In your index.php you could redirect to another page with the header() function – demonking Oct 28 '13 at 21:33
  • This is extremely insecure, since the files themselves would still be accessible. – Klaus S. Oct 28 '13 at 21:36

2 Answers

9

If you want to restrict access to files, you should consider storing them outside the public DocumentRoot and using PHP to deliver the file, applying your own access logic. This means outside the www or public_html folders, depending on the hosting environment you are working with.

<?php

// Suppose your "public_html" folder is .
$file = './../data/test.gif';
$userCanDownloadThisFile = false; // apply your logic here

if (file_exists($file) && $userCanDownloadThisFile) {
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename=filename.gif');
    header('Content-Transfer-Encoding: binary');
    header('Expires: 0');
    header('Cache-Control: must-revalidate');
    header('Pragma: public');
    header('Content-Length: ' . filesize($file));
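    // Discard any active output buffer so stray output does not corrupt the file;
    // ob_clean() raises a notice when no buffer is active.
    if (ob_get_level() > 0) {
        ob_clean();
    }
    flush();
    readfile($file);
    exit; // stop here so nothing is appended after the file contents
}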
Klaus S.
6

Yes. You'd have to place the files in a directory that's not accessible through the web. Then, you'd have to create a .htaccess file in your public_html/files/ folder, which points to your php script.

Something like this (note: code not tested):

Structure:

  • root/
    • realfiles/
    • public_html/
      • files/
        • .htaccess
      • filehandler.php

.htaccess:

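RewriteEngine on
# In a per-directory .htaccess the pattern is matched against the path
# relative to files/, so it must not start with /files/. The target is
# absolute because filehandler.php sits one level up, in public_html/.
RewriteRule ^(.+)$ /filehandler.php?stuff=$1 [QSA,L]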

filehandler.php:

header('Location: /');

Of course you'd want the files to be accessible when you want them to access them. This can be done in filehandler.php, by checking if the user is allowed to view the file, and then returning something like:

header('Content-type: application/octet-stream');
// Take the basename first, then encode it, so path separators are stripped before encoding.
header('Content-Disposition: inline; filename="'.urlencode(basename($file['name'])).'"');
readfile($dir.basename($file['filename']));
exit;
sgtdck
  • You want to be careful with this if the files are very big as you'll likely run out of memory rather quickly. – ahwm Oct 28 '13 at 21:42
  • Thanks, but how would you get the file name if it is outside the directory? – Daniel Lematy Oct 28 '13 at 22:14
  • @DanielLematy I've updated the answer (see the .htaccess, ?stuff=$1). $_GET['stuff'] now contains the filename / request. – sgtdck Oct 28 '13 at 22:25
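
A fuller filehandler.php combining both answers, as an added example that is not code from either answerer. It assumes the files live in ../realfiles outside the DocumentRoot, that the rewrite rule passes the requested name as ?stuff=, and that a login flow elsewhere sets a hypothetical $_SESSION['user_id']. It rejects names that resolve outside the storage directory and redirects direct or unauthorized requests to the home page.

```php
<?php
// filehandler.php: added example, not the answerers' code.
// Assumptions: files live in ../realfiles (outside the DocumentRoot), the
// rewrite rule passes the requested name as ?stuff=..., and a login flow
// elsewhere sets $_SESSION['user_id'] (hypothetical session key).
declare(strict_types=1);
session_start();

const STORAGE_DIR = __DIR__ . '/../realfiles';

/** Resolve a requested name to a real file inside $baseDir, or null. */
function resolveRequestedFile(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "../" and symlinks, so the prefix check below
    // rejects anything that escapes the storage directory.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || !is_file($path)) {
        return null;
    }
    return strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0 ? $path : null;
}

$requested = $_GET['stuff'] ?? '';
$path = is_string($requested) ? resolveRequestedFile(STORAGE_DIR, $requested) : null;
$allowed = isset($_SESSION['user_id']); // replace with your own access logic

if ($path === null || !$allowed) {
    header('Location: /', true, 302); // direct or unauthorized hits go home
    exit;
}

// Drop any output buffers so readfile() streams instead of buffering the file.
while (ob_get_level() > 0) {
    ob_end_clean();
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . rawurlencode(basename($path)) . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
exit;
```

With output buffering closed, readfile() writes the file to the client in chunks, so large files do not have to fit in PHP's memory limit.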