Password protected directory and files in PHP

盖世英雄少女心 2021-02-06 16:13

I'm creating a simple private page with links to some files to download. I've done it with simple session management but I have a problem: if somebody clicks on the file-url he c

3 answers
  •  执笔经年
    2021-02-06 16:40

    I guess it's a little bit late to answer. Anyway, it may help other people.

    To protect files from direct downloads, you have to use a combination of PHP + .htaccess.

    Let's admit that ./downloads/ is the folder where you store files you want to be downloaded. First, you have to put .htaccess in this folder.

    .htaccess in ./downloads/:

    deny from all
    

    This will protect the folder from everybody, except scripts which are executed on the server side.


    Here is an example of a PHP script you can write at the root directory ./

    index.php in ./:

    
    
    
        

    This script is usable as it is. But be careful. Actually there is a major vulnerability: with this form you can download any file of the server (including a file like config.php which contains access to your database). To fix that vulnerability you can use IDs:

    if ($_GET["id"] == 1)
        $filename = "toto.pdf";
    if ($_GET["id"] == 2)
        $filename = "fish.png";
    



    It provides a good example of protecting files from direct download but not from PHP download.
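
Added example, not part of the answer above: one way to write the gatekeeper script the answer describes, combining a session check with the ID allow-list so the client never supplies a file name. The script name `download.php`, the session key `user_id` and the `realpath` containment check are assumptions of this example.

```php
<?php
// download.php (hypothetical name), stored outside ./downloads/.
// ./downloads/.htaccess holds "deny from all" (Apache 2.4 syntax: "Require all denied").
declare(strict_types=1);
session_start();

// Assumption: the login code sets $_SESSION['user_id'] after authentication.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Forbidden');
}

// Allow-list: the request carries only an ID, never a file name or path.
$downloads = [
    1 => 'toto.pdf',
    2 => 'fish.png',
];

// FILTER_VALIDATE_INT rejects values such as "1abc" or "../config.php".
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === null || $id === false || !array_key_exists($id, $downloads)) {
    http_response_code(404);
    exit('Not found');
}

// Defence in depth: the resolved path must still sit inside ./downloads/,
// which also catches a symlink in that folder pointing elsewhere.
$baseDir = realpath(__DIR__ . '/downloads');
$path = $baseDir === false
    ? false
    : realpath($baseDir . DIRECTORY_SEPARATOR . $downloads[$id]);
if ($path === false || !is_file($path)
    || strpos($path, $baseDir . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(404);
    exit('Not found');
}

// Force a download instead of letting the browser render the content.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
exit;
```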
