At 10:46 12.02.2003, Shams said:
--------------------[snip]--------------------
>I've written a secure PHP login script which will allow users to login to a
>directory such as this:
>
>smezone.com/members/index.php
>
>however, how do I restrict people from accessing HTML files in that
>directory (which they can easily do by typing the URL into their
>browser), such as:
>
>smezone.com/members/document1.html
>
>?
>
>Since they are regular HTML files (and we have lots), I can't check whether the
>user has a valid session as I would do in a PHP file.
--------------------[snip]--------------------
If you have access to the server's directory structure (and either shell
access or a helpful admin) you could also consider a different approach by
moving the files outside the webserver's path and including them in your
access script.

BEFORE (assumed)

    /~shams
    /~shams/www
    /~shams/www/members

now, do

    cd /~shams
    mkdir www.members
    mv www/members/* www.members
    # and make sure that the http process has read permission on files,
    # and read/execute permission on directories and subdirs

so we have AFTER

    /~shams
    /~shams/www.members    <-- not accessible via http
    /~shams/www            <-- webserver root folder

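In your login script, you would then (after a valid login check)

    $base = realpath('../www.members');
    $file = realpath($base . '/' . $_REQUEST['file']);
    // refuse names that resolve outside www.members (e.g. "../../etc/passwd")
    if ($base === false || $file === false || strpos($file, $base . '/') !== 0)
        die('cannot open file');
    $hf = fopen($file, 'rb');   // fopen() requires a mode argument
    if ($hf) {
        echo fread($hf, filesize($file));
        fclose($hf);
    }
    else die('cannot open file ' . htmlspecialchars($_REQUEST['file']));
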
assuming you pass the requested filename via a "file" parameter, which you
could easily accomplish by using either ErrorDocument or mod_rewrite in
your apache config.
HTH,
--
>O Ernest E. Vogelsinger
(\) ICQ #13394035
^ http://www.vogelsinger.at/
--
PHP General Mailing List (http://www.php.net/)
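
One way to validate the "file" parameter before the gate script opens it, as an added example that is not part of the original message. The function name resolve_member_file(), the .html/.htm allow-list and the temporary directory tree are assumptions constructed here; PHP 7.1 or later on a Unix-like system is assumed.

```php
<?php
// Added example. resolve_member_file() and the sample tree are hypothetical.

// Map a user-supplied name to a file inside $baseDir, or return null.
function resolve_member_file(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || strpos($requested, "\0") !== false) {
        return null;
    }
    // Only serve the static document types that were moved out of the web root.
    if (!preg_match('/\.html?\z/i', $requested)) {
        return null;
    }
    // realpath() collapses "..", duplicate slashes and symlinks, so the
    // prefix check below sees where the file really lives.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || !is_file($path)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed sample tree: <tmp>/www.members holds the protected documents,
// <tmp>/secret.html sits next to it and must never be served.
$root = sys_get_temp_dir() . '/gate_demo_' . getmypid();
mkdir("$root/www.members/docs", 0700, true);
file_put_contents("$root/www.members/document1.html", '<p>members only</p>');
file_put_contents("$root/www.members/docs/faq.html", '<p>faq</p>');
file_put_contents("$root/www.members/notes.txt", 'not html');
file_put_contents("$root/secret.html", '<p>outside</p>');
symlink("$root/secret.html", "$root/www.members/link.html");

$requests = [
    'document1.html',          // plain document in the base directory
    'docs/faq.html',           // document in a subdirectory of the base
    '../secret.html',          // climbs out of the base
    'docs/../../secret.html',  // traversal hidden behind a valid prefix
    'link.html',               // symlink pointing outside the base
    'notes.txt',               // not an allowed document type
    'missing.html',            // does not exist
];
foreach ($requests as $name) {
    $path = resolve_member_file("$root/www.members", $name);
    printf("%-24s %s\n", $name, $path === null ? 'refused' : 'served');
}
```

The gate script would call the function only after its login check has passed, and answer a null result with a fixed error that does not echo the requested name.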