I have a php login system that uses SQL to store users and passwords but users can still download .mp3 files or even pictures (jpeg, gif, etc). Is there anyways I can protect my web directories and files using .htaccess without that popup asking for user and password but using the php login system that I have.

I have a php login system that uses SQL to store users and passwords but users can still download .mp3 files or even pictures (jpeg, gif, etc). Is there anyways I can protect my web directories and files using .htaccess without that popup asking for user and password but using the php login system that I have.

Hi,

What you can do is put the files you want to protect under the web directory, so that it cannot be acccessed from the web, or if you prefer .htaccess, just limit access to that folder from the web (same thing really).

Lets say your web directory is something like say: /home/public_html/
You can put your file in /home/files/. That way those files cannot be accessed from the web (HTTP) but you can still access those files from PHP using the directory functions or stream functions.
Or if you used .htaccess to prevent users from accessing the files over the web, you can still access the files from php just the same.

What you have to do is create a php page that checks if the user is logged in. If they are then allow them to download the file they asked for by using the stream functions built into php (http://us2.php.net/manual/en/ref.stream.php) to get the file and echo it to the browser.
You will also need to send the right headers to let the browser know that this is a download, instead of a regular webpage.


Example:

$filename = $_GET['filename'];
$dir = '/home/files/';

if ( user_logged_in() )  {
    download_file( $filename, $dir ); // send file to logged in user
} else {
    header("HTTP/1.1 404 Not Found"); // dead end
}


/**
* Forces a file download by sending the Content-Type: application/force-download HTTP header to the client
* @param string filename
* @param string filebase directory including trailing slash
* @param int size stream buffer
* @auth download_file.func@fijiwebdesign.com | http://www.fijiwebdesign.com/
*/
function download_file( $fname, $path, $buffer = 2000 ) {

	$fpath = $path.$fname; // absolute path to file
	$fsize = filesize( $fpath ); // size of file

	// send the headers forcing the file download
	header("HTTP/1.1 200 OK");
	header("Content-Length: $fsize");
	header("Content-Type: application/force-download");
	header("Content-Disposition: attachment; filename=$fname");
	header("Content-Transfer-Encoding: binary");
	
	// open a file stream and read file contents in binary mode (r = read, b = binary)
	if($fh = @fopen($fpath, "rb")){
	   while( ($buf = fread($fh, $buffer)) !== false) {
		   echo $buf; // echo the file contents to the browser in chunks
		}
	   fclose($fh);
	} else {
	   header("HTTP/1.1 404 Not Found");
	}

}

Note: user_logged_in() should check if the user is logged in. It isnt a real function.

Hope that helps..

This article has been dead for over six months. Start a new discussion instead.