[FX.php List] [OFF] Restricting web directory/downloads via FM?

Leo R. Lundgren leo at finalresort.org
Wed Jul 28 16:20:53 MDT 2010

Did you Google any of this? There's a ton of information out there on this essential functionality.

There are many ways to do it. First of all you need the authentication, which you can do upon request, firing a query to the database, or by caching information so you don't need a trip to the database for each request.

Then you need a way to protect the files. The obvious solution is to have them placed in a directory that is not directly accessible from the web (for example by having a "deny from all" in Apache's rules, which could be in a .htaccess, or some equivalent measure in other web servers).

Then to bind this together you could write a script that processes the request and readfile()'s the requested file if it exists and the user provided valid credentials. If the files are big readfile() might not be that fun to use since it literally relays the entire file using PHP, but there are other ways to do it in that case. One example is to make the web server protect the files by asking your PHP script for authentication, and if the auth succeeds the web server sends the file instead of PHP, which is more effective.

The readfile() method probably works as a start though, depending on your file sizes and the number of requests you'll get. As you say its PDF files I suppose they won't be that huge :)


29 jul 2010 kl. 00.03 skrev Joel Shapiro:

> Hi all
> I've got a new client that would like to make some downloadable materials (mostly PDFs) available to their authorized users.  The client would like to be able to upload files to some directory on their site and have only logged-in users (authenticated via FMP "users" table) be able to view and/or download them.
> Anybody have any thoughts on the best & simplest way to do this?  (or are best and simplest mutually exclusive? ;)
> I've thought of giving the client access to edit an html page with links to each of the downloadable files -- and I'd make that page accessible only to logged in users.  Are there easy ways to avoid having the client have to update html and hrefs?

More information about the FX.php_List mailing list