Hey everyone, I don't even know where to begin with this. I need to limit folder access to only those members who are allowed to access them. For example, I'm creating a folder /5/ within a folder called /orderreports/ for the order id 5. I need to check which user in my database has access to that folder (I know how to do that much..), but then I need to limit all of the folders in /orderreports/ so that they can only be accessed by those who area allowed. Any ideas on where to start?

Hey,

Set up a password protected directory with your web host/on your server.

There's no point explaining it all here, googe "apache(or IIS) password protected directory". Or click here:

http://www.google.co.uk/search?q=apache+password+protect+directory&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a

You'll notice the first link to the official apache documentation page here:

- http://httpd.apache.org/docs/2.0/howto/auth.html

Or there is a more friendly how-to guide here:

http://www.thesitewizard.com/apache/password-protect-directory.shtml

- http://httpd.apache.org/docs/2.0/howto/auth.html

Just make sure you follow the instructions carefully and it should be straightforward!

All the best :)

Beginning of your page you can see if the user has the correct access level.
If they do: Let them stay and load the page.
If they don't: Redirect them to whichever page you'd like.

Below is just pseudo-code, but you should get the idea:

<?php
 if ($userAuth < 1)
    header('index.php');
?>

userAuth could be a variable that you filled with the value from a query against the database that determined their access level on that page.

Hope this helped!

@jeeter19

Wouldn't that still allow access to directories via uri? For example if the "sensitive" file was located at example.com/files/abc.doc what's to stop someone (or a bot) finding that file by going to example.com/files/abc.doc, thus bypassing any php pages that would link to it if logged in?

@poster

If you don't want to go down the "secured directories" route, you could get PHP to build/serve docx/png files from secured database content. EG storing the content of the doc in a db and building the file as neccessary when requested. You could store images in a long blob field, this might be the best solution to your problem :)

You could even get PHP to generate those files on-the-fly once a user is authorised.

@jeeter19 that doesn't help at all. I want to protect the files, not the directory.

@Rade Mind explaining that a bit better? I'm not quite sure where you're going.

Edit: Well, I know where you're going.. but I'm not sure how to execute that.

You can store (relatively small) files such as documents in a mysql database in a "BLOB" (binary long object) field and then query them as easily as a normal string. It's actually easier than it may seem at first, believe me ;)

Here is a brilliant tutorial:

http://php.about.com/od/phpbasics/ss/mysql_files.htm

Once done, you can simply do

if (user logged in)
{
sql to serve file...;
}
else
{
echo "You do not have permission to view this file";
}

It shouldn't take you long to get it up and running but if there are any problems do report back.Watch out on the last page though - you probably don't want to delete the files after serving them!

Let us know how it goes or if there's anything else :)

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.