Restrict access to files in PHP

DJ_Dance · 10-17-2005, 07:50 AM

Hi,

just wondering how one would allow users to download a file only after they have authenticated through a login page using PHP.

For example:
Say I have a file file.exe which only those with a password and username can have access to; and this file is located at http://www.mysite.com/progs/file.exe. So members login to the page via their username and password and then a page appears with a link to the file. After hitting the link, they get the file.
I already know how to do all of the above in PHP, however the problem arises when someone enters the following in their browser; http://www.mysite.com/progs/file.exe and they get access to the file without having to go through the login page first.

Anyone have a solution or work-around to this problem.

**Resolution** · 10-17-2005, 08:31 AM

If you are using Apache, it would probably be better to use .htpasswd. You could protect your entire web folder or individual files.

DJ_Dance · 10-19-2005, 08:25 AM

Resolution,

first and foremost thanks for the quick response.

I got the webpage up and running using the .htaccess files. I always wondered how websites used this particular type of authentication; I guess now I know.

It's very effective, but I actual had some trouble setting it up. The main (and really only) problem with using .htaccess file was the fact that you needed to know the full pathname of the .htpasswd (or file which contains the encrypted passwords). Since I'm not actually hosting the website on my machine, getting the full pathname of the page on the server hosting the website was the difficult part. Is there a way to actually get around this problem. This is the only issue I have about using .htaccess file; other than this, they're perfect. I tried playing around with how you specify the path in the file (including using the relative path to the file), but it only seems to like the full pathnames.

E-Liam · 10-19-2005, 12:39 PM

Hi DJ,

use this little script.. Servercheck.cgi.

Upload to your cgi-bin and then just go to www.yourdomain.com/cgi-bin/servercheck.cgi

That will tell you all you need to know about paths to your server, including sendmail etc.

Cheers

Liam

DJ_Dance · 10-19-2005, 06:59 PM

E-Liam,

Thanks for the link. I was actually trying something similar by writing a PHP script which did this. I soon realized that my ISP's servers don't support cgi scripts and this is where the website is being hosted. Maybe the only solution might be to pay for web hosting, where my site would be hosted on decent servers where you won't be so restricted.

It would still be really good if there was a way to get around what seems to be a really minor issue, but I can't image how you would actually go about it other than accessing the machine where the website is hosted.

On another note in regards to .htaccess files:
Is there a way to limit the number of retries the user gets when they enter in an incorrect password. On most sites which use .htaccess files, you only get like 3 tries before your redirected to another page warning you that your username/password was incorrect. By default, whenever I enter an incorrect password the authentication box just keep re-appearing until I hit cancel. It would be better if you could actually tell the user explicitly that they're entering in an incorrect password or username, since the current behaviour is also similar to when the .htaccess file can't find the .htpasswd file to authenticate the user. Therefore, it appears as if your .htaccess file is broken, rather than the username and password entered being incorrect.

jaysupport · 05-22-2009, 11:08 AM

After couple of hours of reading on .htaccess for apache in windows - I finally figured out - You need to set the open_basedir directive in your php.ini file to restrict access to file system beyond the web folder. Considering it took my good amount of searching I added couple of articles on PHP security that applies for windows here:

http://oviya.me

julian213 · 07-31-2009, 09:04 AM

Hello,

I've read in another forum that a solution to this problem is to stor the files in a directory above the www directory. Therefore the users browser is unable to get to the page, but the PHP scripts can be pointed to it.

Is this a suitable solution and what are the drawbacks of using this method?
How would using .htaccess compare?

Thanks

FredT · 08-03-2009, 06:27 PM

How much PHP do you know? If you are just wondering how you can protect a PDF or MP3 file or something, you can have the server parse PHP in specific filetypes, but it requires access to the .htaccess file again. Can you do that or not?

Do you need someone to write the PHP for you or are you set with that?

10-17-2005, 07:50 AM	#1 (permalink)
DJ_Dance Registered User Join Date: Jul 2005 Posts: 24 OS: Windows XP	Restrict access to files in PHP Hi, just wondering how one would allow users to download a file only after they have authenticated through a login page using PHP. For example: Say I have a file file.exe which only those with a password and username can have access to; and this file is located at http://www.mysite.com/progs/file.exe. So members login to the page via their username and password and then a page appears with a link to the file. After hitting the link, they get the file. I already know how to do all of the above in PHP, however the problem arises when someone enters the following in their browser; http://www.mysite.com/progs/file.exe and they get access to the file without having to go through the login page first. Anyone have a solution or work-around to this problem.

10-19-2005, 12:39 PM	#4 (permalink)
E-Liam Manager, On the Web Join Date: Jan 2004 Location: Bracknell, UK Posts: 929 OS: XP	Hi DJ, use this little script.. Servercheck.cgi. Upload to your cgi-bin and then just go to www.yourdomain.com/cgi-bin/servercheck.cgi That will tell you all you need to know about paths to your server, including sendmail etc. Cheers Liam __________________ My Mother suggested a family outing... so I told her Uncle Bob was gay. (Trevor D.) Never argue with an idiot! They'll bring you down to their level and beat you with experience. --------------------------------------------------------------------------------- A member of the Alliance of Security Analysis Professionals since 2004.

05-22-2009, 11:08 AM	#6 (permalink)
jaysupport Registered User Join Date: May 2009 Posts: 1 OS: vista 64	Re: Restrict access to files in PHP After couple of hours of reading on .htaccess for apache in windows - I finally figured out - You need to set the open_basedir directive in your php.ini file to restrict access to file system beyond the web folder. Considering it took my good amount of searching I added couple of articles on PHP security that applies for windows here: http://oviya.me Last edited by jaysupport; 05-22-2009 at 11:11 AM.

07-31-2009, 09:04 AM	#7 (permalink)
julian213 Registered User Join Date: Jul 2009 Posts: 1 OS: Vista	Re: Restrict access to files in PHP Hello, I've read in another forum that a solution to this problem is to stor the files in a directory above the www directory. Therefore the users browser is unable to get to the page, but the PHP scripts can be pointed to it. Is this a suitable solution and what are the drawbacks of using this method? How would using .htaccess compare? Thanks

08-03-2009, 06:27 PM	#8 (permalink)
FredT Registered User Join Date: Nov 2007 Posts: 388 OS: Mac OS X 10.5.7 and XP SP2	Re: Restrict access to files in PHP How much PHP do you know? If you are just wondering how you can protect a PDF or MP3 file or something, you can have the server parse PHP in specific filetypes, but it requires access to the .htaccess file again. Can you do that or not? Do you need someone to write the PHP for you or are you set with that?

10-17-2005, 08:31 AM	#2 (permalink)
Resolution TSF Enthusiast Join Date: Sep 2005 Location: Louisiana Posts: 1,091 OS: FreeBSD/Win98/2000/XP	If you are using Apache, it would probably be better to use .htpasswd. You could protect your entire web folder or individual files.

10-19-2005, 08:25 AM	#3 (permalink)
DJ_Dance Registered User Join Date: Jul 2005 Posts: 24 OS: Windows XP	Resolution, first and foremost thanks for the quick response. I got the webpage up and running using the .htaccess files. I always wondered how websites used this particular type of authentication; I guess now I know. It's very effective, but I actual had some trouble setting it up. The main (and really only) problem with using .htaccess file was the fact that you needed to know the full pathname of the .htpasswd (or file which contains the encrypted passwords). Since I'm not actually hosting the website on my machine, getting the full pathname of the page on the server hosting the website was the difficult part. Is there a way to actually get around this problem. This is the only issue I have about using .htaccess file; other than this, they're perfect. I tried playing around with how you specify the path in the file (including using the relative path to the file), but it only seems to like the full pathnames.

10-19-2005, 06:59 PM	#5 (permalink)
DJ_Dance Registered User Join Date: Jul 2005 Posts: 24 OS: Windows XP	E-Liam, Thanks for the link. I was actually trying something similar by writing a PHP script which did this. I soon realized that my ISP's servers don't support cgi scripts and this is where the website is being hosted. Maybe the only solution might be to pay for web hosting, where my site would be hosted on decent servers where you won't be so restricted. It would still be really good if there was a way to get around what seems to be a really minor issue, but I can't image how you would actually go about it other than accessing the machine where the website is hosted. On another note in regards to .htaccess files: Is there a way to limit the number of retries the user gets when they enter in an incorrect password. On most sites which use .htaccess files, you only get like 3 tries before your redirected to another page warning you that your username/password was incorrect. By default, whenever I enter an incorrect password the authentication box just keep re-appearing until I hit cancel. It would be better if you could actually tell the user explicitly that they're entering in an incorrect password or username, since the current behaviour is also similar to when the .htaccess file can't find the .htpasswd file to authenticate the user. Therefore, it appears as if your .htaccess file is broken, rather than the username and password entered being incorrect.