All files download only through index.php and deny direct access to them from browser

Time:08-28

I have the following structure in my website:

  • index.php
  • files(directory) ---> file1.pdf

How can I prevent direct access to the file (e.g. https://example.com/files/file1.pdf) and allow the file to be downloaded from within the displayed web page for logged-in users?

Here is the PHP code for the index, which reads the files from the directory:

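<?php
        include('session.php');

        $path    = './files';
        // List the directory once, dropping ".", "..", index.php, .htaccess, *.php and *.meta.js
        $files = preg_grep("/^(\.|\.\.|index\.php|\.htaccess)$|\.php$|\.meta\.js$/", scandir($path), PREG_GREP_INVERT);
        foreach($files as $file){
          // Escape the name so a crafted file name cannot inject markup into the page
          $name = htmlspecialchars($file, ENT_QUOTES);
          echo '<div>';
          echo "<a href='$name' >$name</a>";
          echo "</div>";
        }
        ?>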

CodePudding user response:

  1. Create an .htaccess in files and set deny all.

    order deny,allow
    deny from all

  2. Create downloader.php and update your download link urls like

domain.com/downloader.php?file=filename

Code :

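    <?php

// Keep only the last path component so "../" sequences cannot leave files/.
$file = (isset($_GET['file']) && is_string($_GET['file'])) ? basename($_GET['file']) : '';
if($file === '')
{
    die('File Request Not found.');
}
if(!is_file('files/'.$file))
{
    // Escape the name before echoing it back to the browser.
    die('File not exists. File name ='.htmlspecialchars($file));
}
header("Content-Type: application/octet-stream");
header("Content-Transfer-Encoding: Binary");
header("Content-disposition: attachment; filename=\"".$file."\"");
// readfile() sends the file itself; echoing its return value would append the byte count.
readfile('files/'.$file);
?>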

CodePudding user response:

AddHandler application/x-httpd-php .html

<FilesMatch "\.(?i:gif|jpe?g|png)$">
order deny,allow
Deny from all
</FilesMatch>

Usage = These rules will allow you to download the files only from index.html and will deny the direct access to them from the browser.

CodePudding user response:

So here is how I managed to solve the problem:

In the .htaccess I added the rules:

<FilesMatch "\.(?i:pdf|jpe?g|png)$">
order deny,allow
Deny from all
</FilesMatch>

So now no one can access the files via a direct link from the browser.

Then I added the following code to downloader.php (of course it still needs to be linked to the session to allow logged-in users only):

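<?php

if(isset($_GET['path']) && is_string($_GET['path']) && strpos($_GET['path'], "\0") === false)
{
    // Resolve the download directory and the requested path to absolute paths.
    // Assumes the files live in ./files next to this script, as in the question.
    $base = realpath(__DIR__ . '/files');
    $filename = realpath($_GET['path']);

    // Serve the file only if it exists and lies inside files/ (blocks ../ and absolute paths)
    if($base !== false && $filename !== false && is_file($filename)
        && strpos($filename, $base . DIRECTORY_SEPARATOR) === 0) {

        //Define header information
        header('Content-Description: File Transfer');
        header('Content-Type: application/octet-stream');
        header("Cache-Control: no-cache, must-revalidate");
        header("Expires: 0");
        header('Content-Disposition: attachment; filename="'.basename($filename).'"');
        header('Content-Length: ' . filesize($filename));
        header('Pragma: public');

        //Clear system output buffer
        flush();

        //Send the file contents to the client
        readfile($filename);

        //Terminate the script
        die();
    }
    else{
        echo "File does not exist.";
    }
}
else{
    echo "Filename is not defined.";
}
?>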

And I made a little change to the index.php:

 echo "<a href='./downloader.php?path=" . rawurlencode("$pathOF/$file") . "' class='pdfl'>" . htmlspecialchars($file) . "</a>";

And all is working fine, just a little bit of delay when requesting a file download. Maybe it is a hosting issue or maybe the downloader, not sure. Please let me know if there is a better way to do this.

Regards
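
A login-gated downloader.php that accepts only bare file names inside files/, as an added example that is not code from any of the answers above. It assumes session.php from the question starts the session, that a logged-in user has $_SESSION['login_user'] set (a hypothetical key name), and that links take the form downloader.php?file=NAME.

```php
<?php
// Added example, not code from the thread.
// Assumptions: session.php (from the question) starts the session; the key
// $_SESSION['login_user'] is hypothetical; files live in ./files beside this script.

function resolve_download(string $baseDir, $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || !is_string($requested) || $requested === '') {
        return null;
    }
    // Accept a bare file name only: no NUL bytes, no directories, no "..".
    if (strpos($requested, "\0") !== false || $requested !== basename($requested)) {
        return null;
    }
    // Never serve dotfiles (.htaccess) or PHP sources, matching the index.php filter.
    if ($requested[0] === '.' || preg_match('/\.php$/i', $requested)) {
        return null;
    }
    // realpath() follows symlinks, so a link pointing outside files/ fails the prefix check.
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($real === false || !is_file($real) || strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

require 'session.php';
if (empty($_SESSION['login_user'])) {   // hypothetical session key
    http_response_code(403);
    exit('Login required.');
}
$file = resolve_download(__DIR__ . '/files', $_GET['file'] ?? '');
if ($file === null) {
    http_response_code(404);
    exit('File not found.');
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . addcslashes(basename($file), '"\\') . '"');
header('Content-Length: ' . filesize($file));
header('X-Content-Type-Options: nosniff');
readfile($file);
exit;
```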

  •  Tags:  
  • php