
.htaccess and php

Status
Not open for further replies.

DoubleV

Programmer
Jan 11, 2002
358
US
We need to have a directory that only people knowing the password can access. We would like to have the same password for everybody (even though the end users will be led to believe otherwise). The directory will contain links to some PDF documents. Every time someone logs into the directory, an email needs to be sent containing the logged-in person's email address.

So here's the dilemma:
If we do an .htaccess protected directory, all of the pages will be protected, including PDFs, but then how do we find out the person's email address and send an email? Is it possible to somehow have a username set up as blank in .htpasswd, but tell them they have to enter their email as the login? Then get the email address and send an email?

If we go the PHP way, I could make sure they are logged in to view the page that will contain the links to PDFs, but nothing will prevent anybody from downloading those PDFs directly, as I cannot put a PHP script into a PDF.

Is there a way to work this out???
Thanks!

--------------------------------------------------
Goals are dreams with deadlines
-------------------------------------
 
With a single username and password, the only way to get the email is to ask the user for it. This and sending email is outside the capabilities of .htaccess. Have PHP stream the documents to the users.

Create a PHP page that asks for the username, password, and email. If the login is successful, the authenticating script can set the login credentials in some form in a session variable.

The documents are visible only as a set of links in a page created by another PHP script, and that PHP script requires the presence of the login credentials set in a session by the previous script.

The links themselves are links to PHP scripts which will use readfile() or fpassthru() to stream the data to the client. It will require the session data previously set, too. The links will look something like: and the script streamer.php will know which file to send by the filename in the URL.

The gotchas are if the file is sufficiently large and the network connection sufficiently slow, your script may run afoul of the PHP runtime directive "max_execution_time" or "memory_limit".

Want the best answers? Ask the best questions: TANSTAAFL!
 
Hi,

Your desire to protect the PDFs can be achieved in a different, more secure way.

As you say, once they are in they will be able to download the files. That's no good.

1. Keep the PDFs out of the web area or put them in a folder that denies all web access. Outside the web tree is preferable.

2. After authentication use PHP to read the files from the file system and send them to the user. You need to send a few headers to accomplish that, but that is not difficult.

There is no reliable way to capture someone's e-mail address. You can require them to supply it, and then you have to check out if it is a valid address.

The way I'd go is have them set up an account, supply their e-mail. Save the e-mail in a database, MySQL, and generate a random password. Send an e-mail to the supplied address with the password. If the address was bogus, nothing is lost. If it's ok they can log in and retrieve the files using the supplied password.

This requires a little bit more work, but it's more secure. It doesn't abuse the .htaccess idea where there is a distinct user/password pair.
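The streaming approach both replies describe (session check, PDFs kept outside the web tree, headers plus a read loop), as an added example that is not code from the thread or its participants. The session key `authenticated`, the `file` query parameter and the `DOC_ROOT` path are assumptions made for illustration.

```php
<?php
// streamer.php: added example, not code posted in the thread.
// Assumptions: the login script sets $_SESSION['authenticated'] = true,
// links look like streamer.php?file=report.pdf, and DOC_ROOT is a
// hypothetical directory outside the web tree that holds the PDFs.
declare(strict_types=1);
const DOC_ROOT = '/var/private/pdfs';
session_start();

// 1. Require the flag that the login script stored in the session.
if (empty($_SESSION['authenticated'])) {
    http_response_code(403);
    exit('Login required.');
}

// 2. Accept only a bare name ending in .pdf: no slashes, no "..".
$name = $_GET['file'] ?? '';
if (!is_string($name) || !preg_match('/\A[A-Za-z0-9_-]+\.pdf\z/', $name)) {
    http_response_code(400);
    exit('Bad file name.');
}

// 3. Resolve symlinks and confirm the target is still inside DOC_ROOT.
$root = realpath(DOC_ROOT);
$path = realpath(DOC_ROOT . '/' . $name);
if ($root === false || $path === false || !is_file($path)
    || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
    http_response_code(404);
    exit('Not found.');
}
$fh = fopen($path, 'rb');
if ($fh === false) {
    http_response_code(500);
    exit('Cannot open file.');
}

// 4. Release the session lock so a slow download does not block
//    this user's other requests.
session_write_close();

// 5. Send headers, then stream in 8 KB chunks so a large file is never
//    held in memory all at once (the memory_limit gotcha).
header('Content-Type: application/pdf');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($path));
while (ob_get_level() > 0) { ob_end_clean(); }
while (!feof($fh)) {
    echo fread($fh, 8192);
    flush();
}
fclose($fh);
```

Because the script only ever opens files that resolve inside `DOC_ROOT`, a request for a PDF without a valid session gets a 403 instead of the document, which is the gap the original question raised about direct downloads.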

 
Thanks for the replies.
I've got an idea:
I just found something out about those protected directories' URLs:
you can bypass the server's pop-up to enter login and password if your URL is:
login:password@domain.com/directory

BUT once it displays the actual page from that directory, the login and password are automatically removed from the URL! So even if someone bookmarks the landing page they wouldn't be able to access it from the bookmarks.

I'm working on putting this together right now. Will post here if it works out. If it doesn't, I'll have to implement your suggestions.

--------------------------------------------------
Goals are dreams with deadlines
-------------------------------------
 