Hey everyone, I don't even know where to begin with this. I need to limit folder access to only those members who are allowed to access them. For example, I'm creating a folder /5/ within a folder called /orderreports/ for the order id 5. I need to check which user in my database has access to that folder (I know how to do that much..), but then I need to limit all of the folders in /orderreports/ so that they can only be accessed by those who are allowed. Any ideas on where to start?


Set up a password protected directory with your web host/on your server.

There's no point explaining it all here, google "apache (or IIS) password protected directory". Or click here:


You'll notice the first link to the official apache documentation page here:

- http://httpd.apache.org/docs/2.0/howto/auth.html

Or there is a more friendly how-to guide here:


- http://httpd.apache.org/docs/2.0/howto/auth.html

Just make sure you follow the instructions carefully and it should be straightforward!

All the best :)

At the beginning of your page you can see if the user has the correct access level.
If they do: Let them stay and load the page.
If they don't: Redirect them to whichever page you'd like.

Below is just pseudo-code, but you should get the idea:

 if ($userAuth < 1)

userAuth could be a variable that you filled with the value from a query against the database that determined their access level on that page.

Hope this helped!


Wouldn't that still allow access to directories via uri? For example if the "sensitive" file was located at example.com/files/abc.doc what's to stop someone (or a bot) finding that file by going to example.com/files/abc.doc, thus bypassing any php pages that would link to it if logged in?


If you don't want to go down the "secured directories" route, you could get PHP to build/serve docx/png files from secured database content. E.g. storing the content of the doc in a db and building the file as necessary when requested. You could store images in a long blob field, this might be the best solution to your problem :)

You could even get PHP to generate those files on-the-fly once a user is authorised.

@jeeter19 that doesn't help at all. I want to protect the files, not the directory.

@Rade Mind explaining that a bit better? I'm not quite sure where you're going.

Edit: Well, I know where you're going.. but I'm not sure how to execute that.

You can store (relatively small) files such as documents in a mysql database in a "BLOB" (binary long object) field and then query them as easily as a normal string. It's actually easier than it may seem at first, believe me ;)

Here is a brilliant tutorial:


Once done, you can simply do

if (user logged in)
    sql to serve file...;
else
    echo "You do not have permission to view this file";

It shouldn't take you long to get it up and running but if there are any problems do report back. Watch out on the last page though - you probably don't want to delete the files after serving them!

Let us know how it goes or if there's anything else :)
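
The approach from the last replies (keep the report out of any web-reachable folder and let PHP hand it over only after a per-order permission check), as an added example that is not part of any post in this thread. The table and column names, the in-memory SQLite database and the sample rows are assumptions constructed for illustration; the thread itself uses MySQL.

```php
<?php
declare(strict_types=1);

// Hypothetical schema (not from the thread):
//   order_reports(order_id, filename, mime, content BLOB)
//   order_access(order_id, user_id)

/** Returns [HTTP status, header lines, body] for one report request. */
function fetchReport(PDO $db, ?int $userId, int $orderId): array
{
    if ($userId === null) {
        return [401, [], 'Please log in.'];
    }
    // Join on the access table so the permission check and the fetch are
    // one query: no row means "not yours" or "not there", answered alike.
    $stmt = $db->prepare(
        'SELECT r.filename, r.mime, r.content
           FROM order_reports r
           JOIN order_access a ON a.order_id = r.order_id
          WHERE r.order_id = :oid AND a.user_id = :uid'
    );
    $stmt->execute([':oid' => $orderId, ':uid' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return [403, [], 'You do not have permission to view this file'];
    }
    // Keep only safe characters so the name cannot break the header value.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $row['filename']);
    return [200, [
        'Content-Type: ' . $row['mime'],
        'Content-Disposition: attachment; filename="' . $name . '"',
        'X-Content-Type-Options: nosniff',
        'Content-Length: ' . strlen($row['content']),
    ], $row['content']];
}

// Constructed demo data in an in-memory SQLite database; with MySQL only
// the PDO connection string changes.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE order_reports (order_id INTEGER, filename TEXT, mime TEXT, content BLOB)');
$db->exec('CREATE TABLE order_access (order_id INTEGER, user_id INTEGER)');
$db->exec("INSERT INTO order_reports VALUES (5, 'report-5.txt', 'text/plain', 'order 5 report')");
$db->exec('INSERT INTO order_access VALUES (5, 42)');

foreach ([[42, 5], [7, 5], [null, 5]] as [$uid, $oid]) {
    [$status, $headers, $body] = fetchReport($db, $uid, $oid);
    echo 'user=' . var_export($uid, true) . " order=$oid -> $status\n";
}
```

On a real page the user id would come from the session and the order id from the request, with each returned header line passed to header() before the body is echoed. Because the report lives only in the database, there is no URL such as example.com/files/abc.doc to request directly.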
