
Hi, I have a problem with making a safe upload folder in a project.

The thing is that we have a file upload that everyone should be able to upload files to, but only the site administrator should be able to view the files later.

Is it possible to make a folder non-readable, but accessible from a PHP page?

The server is a Linux environment.

tobros91
  • possible duplicate of [Restrict file access to authorized php users](http://stackoverflow.com/questions/738500/restrict-file-access-to-authorized-php-users) – jprofitt Jan 20 '12 at 13:57
  • Also take a look at http://stackoverflow.com/questions/5813350/allow-logged-in-user-to-download-file-in-php-else-nobody-cant and http://stackoverflow.com/questions/3858018/control-access-to-files-available-for-download – jprofitt Jan 20 '12 at 13:58

3 Answers


The simple answer to this is to place the files in a directory outside your web root, and build a page to view the directory that requires an administrator auth to access.

If the files are outside your web root, they cannot be directly accessed with a /path/to/file.ext type URL.

DaveRandom

There are actually several ways to do this.

  1. Apache configuration (you may restrict access to a certain directory by IP security, or HTTP authorization), see: allow,deny and Apache authentication

  2. Save files to directory which is not accessible via website and write your own php directory listing and file download, via readfile

  3. Upload file to directory which will be accessible only via "secret" ftp/sftp.

Vyktor

In cases like this, I would locate the folder outside the document root, or restrict its access via Apache directives.

Then, using PHP and checking access credentials, output the file using readfile().

Here is an example from the manual

<?php
// $file must be set before this block runs; point it at the stored upload,
// which lives outside the document root so it cannot be fetched by URL.
$file = '/path/outside/webroot/uploads/monkey.gif';

if (file_exists($file)) {
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename='.basename($file));
    header('Content-Transfer-Encoding: binary');
    header('Expires: 0');
    header('Cache-Control: must-revalidate');
    header('Pragma: public');
    header('Content-Length: ' . filesize($file));
    ob_clean();
    flush();
    readfile($file);
    exit;
}
?>
Paul Bain
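A download endpoint that puts the two pieces of this answer together (the credential check, then readfile()) and also pins the requested name inside the upload directory, as an added example that is not code from any of the answers above. The /srv/uploads path and the $_SESSION['is_admin'] flag are assumptions standing in for the site's own upload location and login mechanism.

```php
<?php
// Added example, not from the answers above. Assumes uploads are stored in
// /srv/uploads (outside the web root) and that the site's login code sets
// $_SESSION['is_admin'] = true for the administrator; both are assumptions.
declare(strict_types=1);

const UPLOAD_DIR = '/srv/uploads';

session_start();

// 1. Only an authenticated administrator may fetch stored uploads.
if (empty($_SESSION['is_admin'])) {
    http_response_code(403);
    exit('Forbidden');
}

// 2. Resolve the requested name against the upload directory and refuse
//    anything that does not end up inside it (traversal, symlinks out,
//    directories). basename() drops any path component the client sent.
$name = basename((string)($_GET['f'] ?? ''));
$base = realpath(UPLOAD_DIR);
$real = ($name !== '' && $base !== false) ? realpath($base . '/' . $name) : false;
if ($real === false
    || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0
    || !is_file($real)) {
    http_response_code(404);
    exit('Not found');
}

// 3. Stream the file as a download. Serving it as octet-stream with nosniff
//    stops the browser from rendering an uploaded HTML/SVG file in the
//    site's own origin; the filename is sanitised before it reaches a header.
$safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="' . $safeName . '"');
header('Content-Length: ' . filesize($real));
header('Cache-Control: private, no-store');
readfile($real);
exit;
```

Requests such as download.php?f=report.pdf succeed only for a logged-in administrator, while names like ../../etc/passwd are reduced by basename() and then rejected by the realpath containment check.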