At 10:46 12.02.2003, Shams said:
--------------------[snip]--------------------
>I've written a secure PHP login script which will allow users to login to a
>directory such as this:
>
>smezone.com/members/index.php
>
>However, how do I restrict people from accessing HTML files in that
>directory (which they can easily do by typing the URL into their
>browser), such as:
>
>smezone.com/members/document1.html
>
>?
>
>Since they are regular HTML files (and we have lots), I can't check whether the
>user has a valid session as I would do in a PHP file.
--------------------[snip]-------------------- 

If you have access to the server's directory structure (and either shell
access or a helpful admin) you could also consider a different approach by
moving the files outside the webserver's path and including them in your
access script.

BEFORE (assumed)
    /~shams
    /~shams/www
    /~shams/www/members

now, do
    cd /~shams
    mkdir www.members
    mv www/members/* www.members
    # and make sure that the http process has read permission on files,
    # and read/execute permission on directories and subdirs

so we have AFTER
    /~shams
    /~shams/www.members   <-- not accessible via http
    /~shams/www           <-- webserver root folder 

In your login script, you would then (after a valid login check)
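    // resolve the path and refuse anything outside ../www.members
    $base = realpath('../www.members');
    $file = realpath($base . '/' . $_REQUEST['file']);
    if ($base === false || $file === false || strpos($file, $base . '/') !== 0)
        die('cannot open file');
    $hf = fopen($file, 'r');   // fopen() requires a mode argument
    if ($hf) {
        echo fread($hf, filesize($file));
        fclose($hf);
    }
    else die('cannot open file ' . htmlspecialchars($_REQUEST['file']));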

assuming you pass the requested filename via a "file" parameter, which you
could easily accomplish by using either ErrorDocument or mod_rewrite in
your Apache config.

HTH,


-- 
   >O     Ernest E. Vogelsinger
   (\)    ICQ #13394035
    ^     http://www.vogelsinger.at/
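
The approach in the message above, written out as a complete gate script. This is an added example, not code from the original post. Assumptions: the script is a hypothetical `gate.php` in the web root (`www/`), the login script sets a session key named `user_id`, only `.html`/`.htm` files are served, and the rewrite rule in the comment is one possible way to supply the "file" parameter.

```php
<?php
// Added example (not the poster's code). Assumed rewrite rule in www/.htaccess
// that turns /members/document1.html into gate.php?file=document1.html:
//   RewriteEngine On
//   RewriteRule ^members/(.+)$ gate.php?file=$1 [L,QSA]

// Hypothetical helper: map a requested name to a real path inside $baseDir.
// Returns null if the file is missing, escapes $baseDir, or has an extension
// that is not on the allowlist.
function resolve_member_file($baseDir, $requested, $allowedExt = ['html', 'htm'])
{
    $base = realpath($baseDir);
    if ($base === false || !is_string($requested) || $requested === '') {
        return null;
    }
    // realpath() collapses "..", duplicate slashes and symlinks;
    // it returns false when the target does not exist
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // containment check: the resolved path must still begin with "<base>/"
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return in_array($ext, $allowedExt, true) ? $path : null;
}

session_start();
if (empty($_SESSION['user_id'])) {        // assumed key set by the login script
    http_response_code(403);
    exit('login required');
}

// www.members sits next to www/, outside the web server's document root
$path = resolve_member_file(__DIR__ . '/../www.members', $_GET['file'] ?? '');
if ($path === null) {
    http_response_code(404);              // same answer for "missing" and "outside"
    exit('not found');
}

header('Content-Type: text/html');
header('Content-Length: ' . filesize($path));
readfile($path);                          // stream the file without buffering it
```
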



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
