Hello there,
My query is like this:
I have one pdf and xls file as a link.
When any employee tries to click on that link,
then it should ask me for credentials as name(pmp) and password(123).
If these two things match, then only it should allow you to view/download that xls/pdf.
How can I do this using php?

Please help.

Member Avatar for diafol

Easy enough BUT

Having to provide credentials every time a link is clicked can be frustrating - why not just have a login system, which has 'permissions' for different users. That way only certain users will ever see the links.

if($pdfPermission)
{
    //show link    
}

@diafol:
Please elaborate with code as well, as I did not get your thoughts clearly.
Sorry for that
:(

@diafol:
Sorry..
Now I got what you want to say!!!
Yeah, it's a nice thought, but in my system I don't have such separated users, it's on a common view, so I want to put credentials for such users to download/open it.

credentials(name:pmp and password:123) are same for all those users!!
I think now you will get my bad!

can we provide credentials for link in php?
In short it will be same as above.
If they click on link they have to type the name and password.

Member Avatar for diafol

Like I suggest, you'd be better off with a login link/form rather than a credentials prompt on every pdf/xls link, but it can be done.
For example...

<a href="credentials.php?id=6357">mybogpdf.pdf</a>

This would be created by php via the following code from your DB - I'm assuming that your files are listed in a DB with something like the following...

files
  • file_id (PK,int)
  • filetype_id (FK,tinyint) - related to filetypes table, e.g. 1=pdf, 2=xls...
  • filename (varchar, 30)
  • filedescription (varchar, 100)
  • permission_id (FK, tinyint, 3) - related to permissions table e.g. 1 = public, 2 = level 2 (e.g. 'user2' - pmp), 3 = level 3 (e.g. 'user3' - admin)
  • category_id (FK, int) - related to the file categories table

    SELECT f.file_id, f.filename, f.filedescription, t.file_icon, t.filetype_label, p.permission_icon, p.permission_label, c.category_label, IF(p.login IS NULL,0,1) AS req FROM files as f
    INNER JOIN categories AS c
    ON f.category_id = c.category_id
    INNER JOIN filetypes AS t
    ON f.filetype_id = t.filetype_id
    INNER JOIN permissions AS p
    ON f.permission_id = p.permission_id
    WHERE f.category_id = 3
    ORDER BY f.filename, f.filetype_id

This should give you the ability to list files in an html table (if that's what you need), along with a nice PDF or XLS icon and a userlevel (permissions) icon, such as a 'locked image' for admins.

You don't need individual users for that, just set up a couple of global users in your permissions table, such as...

permissions

permission_id (PK, tinyint)
login (varchar, 10?)
password (varchar, 32) - should be hashed - the length will depend upon the hash method
permission_icon (varchar, 30) - location of icon
permission_label (varchar, 10)

e.g.

1 | null  | null | icons/open.gif | Open
2 | pmp   | a665a45920422f9d417e4867efdc4fb8a04a1f3fff1fa07e998e86f7f7a27ae3 | icons/locked.gif | Staff
3 | admin | b3a8e0e1f9ab1bfe3a36f231f676f78bb30a519d2b21e6c530c0eee8ebb4a5d0 | icons/superman.gif | Admin

So, for the loop - I'll use mysql here for clarity, but consider using mysqli or PDO...

$list = "<table><thead><tr><th>File</th><th>Description</th><th>Level</th></tr></thead><tbody>";
while($d = mysql_fetch_assoc($result))
{
    // escape every DB value before it is placed in the HTML (text and attributes)
    $d = array_map(function($v){ return htmlspecialchars((string)$v, ENT_QUOTES, 'UTF-8'); }, $d);
    // the id only ever needs to be an integer
    $id = (int)$d['file_id'];
    $list .= "<tr><td><a href='credentials.php?id={$id}'><img src='{$d['file_icon']}' alt='{$d['filetype_label']}' title='{$d['filetype_label']}' /> '{$d['filename']}'</a></td><td>{$d['filedescription']}</td><td><img src='{$d['permission_icon']}' alt='{$d['permission_label']}' title='{$d['permission_label']}' /></td></tr>";
}
$list .= "</tbody></table>";

//later on...

echo $list;

That's for the display. Note that everything goes through the credentials.php file...
If the id of the file passed when checked in the DB is level 2 or above, display the login form and have the id of the file required tagged to it as a hidden field.
This form can then be passed to a handler that will check the credentials against the 'permissions table'. If passed, redirect to download, otherwise clear the form and allow the user to try again.
If the id of the file passed is level 1, then simply redirect to the file for download.

That's a lot to take in maybe, and there are certainly many ways to do this. This is not necessarily the best or the easiest. I'm typing off the top of my head, so none of this is tested.

Have a think, come back.
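The credentials.php decision described in the post above, as an added example that is not diafol's code. It assumes constructed in-memory rows in place of the DB, a hypothetical function name `gate()`, and PHP's `password_hash()`/`password_verify()` for the stored password instead of a bare hex digest.

```php
<?php
// Added example: decision logic for credentials.php. All rows below are constructed sample data.
declare(strict_types=1);

// permissions table: level 1 is public (no login); higher levels share one login each.
$permissions = [
    1 => ['login' => null,    'hash' => null],
    2 => ['login' => 'pmp',   'hash' => password_hash('123', PASSWORD_DEFAULT)],
    3 => ['login' => 'admin', 'hash' => password_hash('constructed-admin-pw', PASSWORD_DEFAULT)],
];
// files table keyed by file_id.
$files = [
    6357 => ['filename' => 'mybogpdf.pdf', 'permission_id' => 2],
    6358 => ['filename' => 'open.xls',     'permission_id' => 1],
];

/** Returns 'download', 'login' (show the form again) or 'notfound'. */
function gate(array $files, array $permissions, $rawId, ?string $login, ?string $password): string
{
    // The id arrives from the URL or a hidden field, so validate it as an integer first.
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false || !isset($files[$id])) {
        return 'notfound';
    }
    $perm = $permissions[$files[$id]['permission_id']] ?? null;
    if ($perm === null) {
        return 'notfound';                  // unknown level: fail closed
    }
    if ($perm['login'] === null) {
        return 'download';                  // level 1, public file
    }
    if ($login === null || $password === null) {
        return 'login';                     // nothing submitted yet
    }
    // Evaluate both checks so a wrong name and a wrong password look the same to the caller.
    $userOk = hash_equals($perm['login'], $login);
    $passOk = password_verify($password, $perm['hash']);
    return ($userOk && $passOk) ? 'download' : 'login';
}

// Constructed requests: public file, locked file without and with credentials, bad id.
$cases = [[6358, null, null], [6357, null, null], [6357, 'pmp', 'wrong'],
          [6357, 'pmp', '123'], ['6357 OR 1=1', 'pmp', '123']];
foreach ($cases as [$id, $login, $pw]) {
    printf("%-12s %-4s => %s\n", (string)$id, $login ?? '-', gate($files, $permissions, $id, $login, $pw));
}
```

With `password_hash()` the password column needs to be wider than a fixed hex digest; the PHP manual recommends 255 characters for `PASSWORD_DEFAULT`.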

Thanks for such a solution, diafol!!
I simply gave .htaccess to that pdf link

So stupid I was!
I did not remember this.

But I have another doubt now..
Can I give htaccess to a folder??

If it is possible then this should be another stupid question.. sorry!

Member Avatar for diafol

Yes you can protect access to folders from htaccess to prevent direct download.

Member Avatar for iamthwee

Better give the folders random names like 278398738sfwsae9, it is common to use session_ids.

That way if the person knows the link to the folder they can access the contents and others cannot. Simples.

Hello diafol,
Please tell me how to do this?

I need help for folder security.

Member Avatar for diafol

You may be better off with iamthwee's suggestion of session id protection. It's basically creating a stub file. There's some info here...
http://stackoverflow.com/a/5377241

This can be modified with the credentials challenge (login to give the $user_has_permission_to_download). However, this means that your files may need to go into different folders... Open into one, Restricted into another, unless you have a naming procedure like open_myfile.pdf and restricted_bossfile.xls. In which case you may be able to selectively enable blocks - but that's starting to give me a nosebleed :)
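A stub download file of the kind the post above refers to, as an added example that is not taken from the thread or the linked answer. The storage path, the `download_ok` session key, the `file` query parameter and the function name `resolve_download()` are assumptions; the folder is assumed to sit outside the document root or to be denied to direct requests via .htaccess.

```php
<?php
// Added example: download.php stub. Path, session key and parameter name are assumptions.
declare(strict_types=1);

const STORE = '/srv/private_files';   // assumed: not reachable by a direct URL

/** Map a requested name to a real file inside $store, or null if it is not allowed. */
function resolve_download(string $store, string $requested): ?string
{
    $name = basename($requested);     // drop any directory part
    // Allow-list: plain names ending in .pdf or .xls only.
    if (!preg_match('/^[A-Za-z0-9_-][A-Za-z0-9._-]*\.(pdf|xls)$/i', $name)) {
        return null;
    }
    $root = realpath($store);
    $path = realpath($store . DIRECTORY_SEPARATOR . $name);
    if ($root === false || $path === false || !is_file($path)) {
        return null;
    }
    // realpath() has resolved symlinks; the result must still be inside the store.
    $prefix = $root . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

if (PHP_SAPI !== 'cli') {
    session_start();
    // Set by the login handler after a successful credentials check.
    $user_has_permission_to_download = !empty($_SESSION['download_ok']);
    if (!$user_has_permission_to_download) {
        http_response_code(403);
        exit;
    }
    $req  = $_GET['file'] ?? '';
    $path = resolve_download(STORE, is_string($req) ? $req : '');
    if ($path === null) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('X-Content-Type-Options: nosniff');
    readfile($path);
} else {
    // Command-line demo against a constructed temporary folder.
    $dir = sys_get_temp_dir() . '/dl_demo_' . getmypid();
    mkdir($dir);
    file_put_contents("$dir/restricted_bossfile.xls", 'constructed');
    var_dump(resolve_download($dir, 'restricted_bossfile.xls'));
    var_dump(resolve_download($dir, '../restricted_bossfile.xls.php'));
}
```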
