0

I'm working on a high security system which is being developed in PHP. There are some files that are uploaded by the user and get uploaded to a directory. How can I make it so that you can't just go to the URL of the file and it downloads? However, I still need to be able to download the file from an administration section of the site.

Thanks

2 Answers

0

Placed the files outside of the web directory. Then used this to download: how to access file from outside root directory in php

Community
0

There are several ways to do this. One is to hide the directory of uploaded files with an .htaccess file, which contains simply:

order deny,allow
deny from all

Afterwards, when you want to download the file (assuming that you have the file paths saved somewhere in a database, or you could alternatively pass them in some form in a GET parameter), you can download them using code similar to this (an example based on the PHP documentation):

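// check user credentials (placeholder: must stop the script if the user is not authorized)
check_if_logged_in();

// get path to file (placeholder: e.g. looked up in the database)
$file = get_your_file_path();

if (file_exists($file)) {
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    // quote the filename so names containing spaces are not cut short
    header('Content-Disposition: attachment; filename="'.basename($file).'"');
    header('Expires: 0');
    header('Cache-Control: must-revalidate');
    header('Pragma: public');
    header('Content-Length: ' . filesize($file));
    // stream the file to the client and stop
    readfile($file);
    exit;
}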
Loko
EarlGrey
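When the path in the answer above comes from a GET parameter rather than a database lookup, it has to be confined to the upload directory before `readfile()` runs. The following is an added example, not code from either answer, showing that containment check together with the admin gate; the directory `/var/app/uploads`, the `name` parameter and the `$_SESSION['is_admin']` flag are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed location of the uploads, outside the web root (hypothetical path).
const UPLOAD_DIR = '/var/app/uploads';

// Resolve a client-supplied name to a regular file inside $baseDir.
// Returns the canonical path, or null if it is missing or escapes the directory.
function resolve_upload(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    // realpath() collapses "../" and follows symlinks; false if missing.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // Containment check: the canonical path must sit under the base directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

session_start();
// Assumed session flag set by the admin login (hypothetical name).
if (empty($_SESSION['is_admin'])) {
    http_response_code(403);
    exit;
}

$name = $_GET['name'] ?? '';
$file = is_string($name) ? resolve_upload(UPLOAD_DIR, $name) : null;
if ($file === null) {
    http_response_code(404);
    exit;
}

// Strip characters that could break the quoted header value.
$safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($file));
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="' . $safeName . '"');
header('Content-Length: ' . (string) filesize($file));
readfile($file);
exit;
```

A request such as `?name=../../etc/passwd` resolves outside the base directory and gets a 404, as does a symlink inside the upload directory that points elsewhere.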