0

Is there a way to stop users from typing in a url and gaining access to a file in a specific directory but still allow a PHP script to have access to the file to change it or download it?

In other words, I want to stop people from typing in: http://www.mysite.com/securefolder/file1.pdf. Maybe redirect them to a different page or something.

But I do not want to completely lock away the files because I still need to use a PHP script to download and modify the files.

Any help is appreciated, Thanks

Olokoo
  • Does the PHP script access the file over http or on the local disk? – Asaph Aug 06 '12 at 21:14
  • The PHP script accesses over http – Olokoo Aug 06 '12 at 21:15
  • Sorry, what exactly do you mean by over http or on the local disk? I think I misunderstood. – Olokoo Aug 06 '12 at 21:21
  • `"I still need to use a PHP script to download and modify the files."` - Is this PHP script being run on the same server? Is it another script of your application? Or is it another external API sort of script that needs access to certain files? – Lix Aug 06 '12 at 21:22
  • Yes the file is run on the same server. – Olokoo Aug 06 '12 at 21:23
  • Then this should not be a problem at all. In that script you just give the path to the file you want to download and it will be accessible to any internal script. If that script then decides to allow a download then it will still work. – Lix Aug 06 '12 at 21:24

5 Answers

3

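If all you want is a specific setting for a certain file, a very simple rule will be all you need -

```apache
RewriteEngine on
# In a .htaccess file in the document root, the pattern is matched without the leading slash
RewriteRule ^securefolder/file1\.pdf$ access_denied.php
```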

What might be a better idea is to make a rule for the entire secured folder -

```apache
RewriteEngine on
# No leading slash in the pattern when the rule lives in a .htaccess file
RewriteRule ^securefolder/.*$ access_denied.php
```

One last (and probably best) way to do this is to create an additional .htaccess inside the secured folder and simply deny all access to it. Place this one line -

```apache
deny from all
```

In all of the solutions, we are only talking about external requests. All your scripts and internal paths to scripts, files, etc... will remain intact and unaffected by the rules you define within the .htaccess files.

Lix
  • This solution won't work because the OP indicates (in a comment on the question) that the PHP script must access the PDF remotely over http. – Asaph Aug 06 '12 at 21:18
  • @asa - [Perhaps not](http://stackoverflow.com/questions/11835970/stop-users-from-accessing-files-from-url-using-php#comment15738424_11835970) – Lix Aug 06 '12 at 21:25
2

Disable direct access to the file on the webserver, and serve the file from a PHP script (some hints on this manual page: http://www.php.net/manual/en/function.readfile.php). Webserver access restrictions won't affect PHP, as it is directly accessing the filesystem. Here's a similar question: Secure files for download

If performance is critical, there is a plugin for most of the webservers which will help you to serve the file directly (bypassing PHP):

Karoly Horvath
  • +1, but according to the [secure_download github page](https://github.com/replay/ngx_http_secure_download), secure_download has been deprecated in favour of [secure_link](http://wiki.nginx.org/HttpSecureLinkModule) now, so you might want to update your answer. – El Yobo Jan 29 '13 at 05:09
1

The ideal approach will depend on whether the PHP script accesses the PDF file locally on disk, or remotely over http.

If the PHP script accesses the file locally on disk, simply place the file outside the root folder of the web site.

If the PHP script accesses the file remotely over http, here are some options:

  1. Limit access by origin IP

  2. Password protect the resource and serve over https

Asaph
1

If the files are on the same server, you don't need to download them in order to serve them. Simply read them from the filesystem and output them directly.

If, however, they're not, and you need a script to be able to download files, and others to be refused, you could password protect the directory.

To then download files using for instance cURL, you can specify the following options:

```php
curl_setopt($ch, CURLOPT_USERPWD, "$username:$password");
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
```

More information

Sebastian Paaske Tørholm
0

Place your data file outside of the public web space. Read the file using PHP and serve.

There is no reason for the source file to be located within the web host's DocumentRoot unless you want the file to be served publicly.

A PHP script runs as a local user and so is able to read the file even outside the scope of Apache (or other) web server.

Nathan
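
The approach several answers above describe (keep the files outside the DocumentRoot and serve them through PHP with `readfile()`), written out as an added example that is not code from any of the answers. The directory path, the `file` query parameter and the `user_id` session key are assumptions; the `realpath()` check keeps a crafted file name from reaching files outside the protected directory.

```php
<?php
// download.php (added example). SECURE_DIR, the "file" parameter and the
// "user_id" session key are assumptions, not names from the question.
declare(strict_types=1);

// Assumed location outside the web server's DocumentRoot.
const SECURE_DIR = '/var/www/private/securefolder';

// Map a user-supplied name to a regular file inside $baseDir, or null.
function resolveDownload(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // basename() drops directory parts, so "../../etc/passwd" becomes "passwd".
    $path = realpath($base . DIRECTORY_SEPARATOR . basename($requested));
    if ($path === false || !is_file($path)) {
        return null;
    }
    // realpath() follows symlinks; reject results outside the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

session_start();
if (empty($_SESSION['user_id'])) {   // assumed to be set by the site's login code
    http_response_code(403);
    exit('Access denied');
}

$name = $_GET['file'] ?? '';
$path = is_string($name) ? resolveDownload(SECURE_DIR, $name) : null;
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

header('Content-Type: application/octet-stream');
header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode(basename($path)));
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Pages on the site would then link to `download.php?file=file1.pdf` instead of the file's own URL.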