0

Hi All;

I have a MySql database set up called users. The only things required to register to my website are a username and password. When this is completed, the database populates with the users info as requested. How does MySql make this new users permissions to have it where they can now download files from my website? As of now anyone can download and take my sites files without logging in. How do I stop that also?
Thanks in advance for any help.

Regards
Wngmark

4
Contributors
3
Replies
4
Views
6 Years
Discussion Span
Last Post by Ezzaral
0

Hi All;

I have a MySql database set up called users. The only things required to register to my website are a username and password. When this is completed, the database populates with the users info as requested. How does MySql make this new users permissions to have it where they can now download files from my website? As of now anyone can download and take my sites files without logging in. How do I stop that also?
Thanks in advance for any help.

Regards
Wngmark

I'm assuming that you will be using PHP, as that is the language I will write my examples in.

I am also assuming that you have some sort of field in MySQL named "banned" or "admin", as well, I am assuming you are using cookies to tell if the user is logged in.

And... I'm assuming that you have something like "VIP" files where you have to be logged in to access them.

A code block like so should help:
Keep in mind, I am not a 100% pro at SQL myself, so my code may not be best for anything past personal or a small user base (less than 100 or so).

<?php
$linkToFile = ""; //Just to get us started
$q = mysql_query("SELECT * FROM users WHERE username='".$_COOKIE['username']."' AND banned='0' OR admin='1'"); //Does a query, are they banned or not
//Query also checks to see if the account is an admin, if they are, grant them access regardless
$rows = mysql_num_rows($q); //Returns 0 if they are banned. 1 (or more) if they are good to go AND/OR an admin
if($rows >= 1){
	//They are not banned / they are an admin
	if(isset($_COOKIE['username'])){ //Checks if they are logged in
		//They are
		$linkToFile = "<a href='file.ext'>Download</a>";
	}else{
		//They arn't
		$linkToFile = "Please Login First!";
	}
}else{
	//banned and not an admin
	$linkToFile = "Sorry! You are banned.";
}
echo $linkToFile; //Print out the link
?>
0

To prevent illicit downloads you have to protect your files on the server level. Otherwise any wisecrack who can guess how a link looks like will be able to download. Tur2tlive's solution is dangerous because it makes you believe that your data are safe while they are definitely not.
To stop foreigners from downloading you have to include a

Order Deny,Allow 
Deny from All

into your server's configuration (either the apache .conf files or the local .htaccess). Look up the documentation for those apache statement. Then you will have to write your own download script which first checks if a user has the required permissions and then serves the file in chunks (don't forget to send the mime headers for the file type). Use PHP sessions for the user's login status.

Edited by smantscheff: n/a

0

Thread closed. This question is a copy-paste job from Yahoo Answers posted here by a lame spammer just to push links.

Perhaps someone else can still benefit from the answers given above, so I will leave the thread here.

Edited by Ezzaral: n/a

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.