# Restrict access to files in PHP



## DJ_Dance (Jul 23, 2005)

Hi,

just wondering how one would allow users to download a file only after they have authenticated through a login page using PHP.

For example:
Say I have a file file.exe which only those with a password and username can have access to, and this file is located at http://www.mysite.com/progs/file.exe. So members log in to the page via their username and password and then a page appears with a link to the file. After hitting the link, they get the file.
I already know how to do all of the above in PHP, however the problem arises when someone enters the following in their browser; http://www.mysite.com/progs/file.exe and they get access to the file without having to go through the login page first. 

Does anyone have a solution or work-around to this problem?


----------



## Resolution (Sep 17, 2005)

If you are using Apache, it would probably be better to use *.htpasswd*. You could protect your entire web folder or individual files.


----------



## DJ_Dance (Jul 23, 2005)

Resolution,

first and foremost thanks for the quick response.

I got the webpage up and running using the .htaccess files. I always wondered how websites used this particular type of authentication; I guess now I know.

It's very effective, but I actually had some trouble setting it up. The main (and really only) problem with using the .htaccess file was the fact that you needed to know the full pathname of the .htpasswd (or file which contains the encrypted passwords). Since I'm not actually hosting the website on my machine, getting the full pathname of the page on the server hosting the website was the difficult part. Is there a way to actually get around this problem? This is the only issue I have about using .htaccess files; other than this, they're perfect. I tried playing around with how you specify the path in the file (including using the relative path to the file), but it only seems to like the full pathnames.


----------



## E-Liam (Jan 1, 2004)

Hi DJ,

use this little script.. Servercheck.cgi.

Upload to your cgi-bin and then just go to *www.yourdomain.com/cgi-bin/servercheck.cgi*

That will tell you all you need to know about paths to your server, including sendmail etc. 

Cheers

Liam


----------



## DJ_Dance (Jul 23, 2005)

E-Liam,

Thanks for the link. I was actually trying something similar by writing a PHP script which did this. I soon realized that my ISP's servers don't support cgi scripts and this is where the website is being hosted. Maybe the only solution might be to pay for web hosting, where my site would be hosted on decent servers where you won't be so restricted. :smile: 

It would still be really good if there was a way to get around what seems to be a really minor issue, but I can't imagine how you would actually go about it other than accessing the machine where the website is hosted.

On another note in regards to .htaccess files:
Is there a way to limit the number of retries the user gets when they enter an incorrect password? On most sites which use .htaccess files, you only get like 3 tries before you're redirected to another page warning you that your username/password was incorrect. By default, whenever I enter an incorrect password the authentication box just keeps re-appearing until I hit cancel. It would be better if you could actually tell the user explicitly that they're entering an incorrect password or username, since the current behaviour is also similar to when the .htaccess file can't find the .htpasswd file to authenticate the user. Therefore, it appears as if your .htaccess file is broken, rather than the username and password entered being incorrect.


----------



## jaysupport (May 22, 2009)

After a couple of hours of reading on .htaccess for Apache in Windows, I finally figured it out: you need to set the open_basedir directive in your php.ini file to restrict access to the file system beyond the web folder. Considering it took me a good amount of searching, I added a couple of articles on PHP security that apply to Windows here:

http://oviya.me


----------



## julian213 (Jul 31, 2009)

Hello,

I've read in another forum that a solution to this problem is to store the files in a directory above the www directory. Therefore the user's browser is unable to get to the page, but the PHP scripts can be pointed to it.

Is this a suitable solution and what are the drawbacks of using this method?
How would using .htaccess compare?

Thanks


----------
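The approach asked about above (files kept above the web root and handed out by a PHP script only after the login check), as an added example that is not part of any post in this thread. The private directory path, the `user_id` session key and the `file` query parameter are assumptions for illustration.

```php
<?php
// download.php - added example; this script sits inside the web root.
// Assumptions (not from the thread): the login page sets $_SESSION['user_id'],
// and protected files live in PRIVATE_DIR, which is outside the web root.
declare(strict_types=1);

const PRIVATE_DIR = '/home/example/private_files'; // hypothetical path

// Map a requested file name to a real file inside $baseDir, or return null.
function resolve_download(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // basename() drops any directory part, so "../../etc/passwd" becomes "passwd".
    $path = realpath($base . DIRECTORY_SEPARATOR . basename($requested));
    // realpath() follows symlinks, so confirm the result is still under the base.
    if ($path === false || !is_file($path)
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

session_start();
if (empty($_SESSION['user_id'])) {
    // Not logged in: typing the URL directly gets a refusal, not the file.
    http_response_code(403);
    exit('Please log in first.');
}

$name = $_GET['file'] ?? '';
$path = is_string($name) ? resolve_download(PRIVATE_DIR, $name) : null;
if ($path === null) {
    http_response_code(404);
    exit('File not found.');
}

// Send the file as a download; the name in the header is reduced to safe characters.
$safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $safeName . '"');
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($path);
```

The members page would then link to `download.php?file=file.exe` instead of the file's own URL, so there is no direct address for the file that bypasses the session check.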



## FredT (Nov 16, 2007)

How much PHP do you know? If you are just wondering how you can protect a PDF or MP3 file or something, you can have the server parse PHP in specific filetypes, but it requires access to the .htaccess file again. Can you do that or not?

Do you need someone to write the PHP for you or are you set with that?


----------

