1

I have a project where my client uploads a lot of files to a folder on the server. Those files can be downloaded using a link on his administrator page in the system (in PHP).

How can I disable direct access to these files (in the browser address bar)?

Marcos
  • This question comes up often. Try some of these and also a search of the site. http://stackoverflow.com/questions/3990337/how-to-protect-against-direct-access-to-images OR http://stackoverflow.com/questions/409496/prevent-direct-access-to-a-php-include-file – csi Apr 07 '11 at 22:46

1 Answer

7

Put the upload directory somewhere outside of the web root. For example, if Apache (or whatever web server you are using) is configured with a web root of /var/www, put the uploaded files into e.g. /var/uploads, which guarantees that no one can ever directly download them (at least via your web server).

Then use a PHP script as a stand-in proxy that first checks that the user is authenticated and authorized, then uses e.g. the passthru() function (after setting appropriate headers, of course) to let the user download the file.

Kromey
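
The approach in this answer, sketched as an added example (not the answerer's code). It assumes uploads are stored in /var/uploads, that the login code sets the hypothetical session keys `user_id` and `is_admin`, and that the admin page links to `download.php?file=NAME`; it streams with readfile() instead of passthru(), because passthru() executes an external command rather than reading a file.

```php
<?php
// download.php: added example, not code from the original answer.
// Assumed names: UPLOAD_DIR, $_SESSION['user_id'], $_SESSION['is_admin'], ?file=
declare(strict_types=1);
session_start();

const UPLOAD_DIR = '/var/uploads'; // outside the web root (/var/www)

/** Resolve a requested name to a real file inside $baseDir, or null. */
function resolveUpload(string $baseDir, string $requested): ?string
{
    // basename() drops directory components ("../../etc/passwd" -> "passwd").
    $name = basename($requested);
    if ($name === '' || $name[0] === '.') {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    // realpath() follows symlinks, so confirm the result is still under the base.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($path)) {
        return null;
    }
    return $path;
}

// 1. Authentication and authorization before touching the file system.
if (empty($_SESSION['user_id']) || empty($_SESSION['is_admin'])) {
    http_response_code(403);
    exit('Forbidden');
}

// 2. Map the request to a file that really is in the upload directory.
$requested = $_GET['file'] ?? '';
$path = is_string($requested) ? resolveUpload(UPLOAD_DIR, $requested) : null;
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

// 3. Headers, then stream the bytes. rawurlencode() keeps quotes and CR/LF
//    in a stored file name out of the response header.
header('Content-Type: application/octet-stream');
header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode(basename($path)));
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```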