2 Replies - 659 Views - Last Post: 11 April 2016 - 10:50 AM Rate Topic: -----

#1 adem2660   User is offline

  • New D.I.C Head

Reputation: 0
  • View blog
  • Posts: 11
  • Joined: 02-October 14

Restrict access to folders / images

Posted 10 April 2016 - 12:16 PM

Hi there.

This little snippet shows content based on which user has logged in.

 if ($userRow['user_email'] == "[email protected]")



When a user is logged in, he will see the whole content of a folder (correct format/design, of course). If the users looks at the image URL, he'll see something like:
www.mywebsite.com/FOLDER_NAME/IMG_XXX.jpg.

With persistence and a little luck, a user can view other people's private images by changing the URL. Someone told me to deal with headers or something, but I haven't found a reliable (and somewhat understandable) tutorial on this matter.

What is the simplest solution to fix this problem? :) I would appreciate a guide (I haven't found any - and yes, I did search on Google :)).

Is This A Good Question/Topic? 0
  • +

Replies To: Restrict access to folders / images

#2 astonecipher   User is offline

  • Enterprise Software Architect
  • member icon

Reputation: 3151
  • View blog
  • Posts: 11,956
  • Joined: 03-December 12

Re: Restrict access to folders / images

Posted 10 April 2016 - 04:41 PM

I typically have the user go to a page and that page dynamically pulls the content for the user. So user goes to content.php and content.php pulls the content for that user based on the id of the requested file, the user id, whether they have access to that file, ect/
Was This Post Helpful? 0
  • +
  • -

#3 ArtificialSoldier   User is offline

  • D.I.C Lover
  • member icon

Reputation: 2764
  • View blog
  • Posts: 8,071
  • Joined: 15-January 14

Re: Restrict access to folders / images

Posted 11 April 2016 - 10:50 AM

If you're trying to control access of files to specific users, then those files need to be unavailable to the public. One option is to store them in a directory outside of the web root, or another option is to use something like .htaccess on Apache to restrict access to the directory. Once no one can see the files, then you can set up PHP to grant access to people on the whitelist. So instead of the direct URL you would link to a PHP script and pass it the ID of the file in a database, or the filename, e.g.:

get_file.php?f=/path/to/file.jpg

The PHP script would either get the filename, or get the database ID then look up the filename, then validate the filename to make sure that they are requesting a file which they have access to (which also involves making sure that they are actually requesting a file in the protected directory and they haven't typed in some arbitrary filename to get your script to send them that file), and then PHP sends the appropriate headers and the file data. That's how you can use PHP to control access to files.

The way I set that up was to use .htaccess to redirect all requests for files in a certain directory to my PHP script which does all of the necessary validation and authorization, so people see the regular URLs but Apache will redirect those requests through my PHP script if the option is enabled in the application.
Was This Post Helpful? 0
  • +
  • -

Page 1 of 1