Hi all, Iím hoping someone here can help me. Iíll try and be as clear as I can because Iím not sure if what Iím asking for is possible. My site uses a PHP download script, which controls the downloading of files, I can assign permissions to this script so that only registered users of my site or users that are in a particular group can use it. This way I can restrict who can download my files. However once the direct URL is known to the file or download folder, this can simply be entered into a web browser, and the file downloaded without any need for the download script or even registering with my site. Now Iíve heard that it is possible to protect the download folder so that it is not accessible from the web using .htaccess, and some how use PHP to grab the file from the actual file system and supply it to the browser for download. If this could be integrated into my download script, I would have a secure way to set permissions on who can download my files, without the worry that they can just type the direct URL in and download the file without my consent.
I hope that made sense, I have thousands of files for download so protecting the folder via the .htaccess file and then passing the files through via PHP would be perfect.
I've done a very similar thing to what you need, let me tell you what I did and hopefuly it will be of use.
My download "goodies" are outside the root directory of my web server. That way NOBODY (or is it NO ONE?) can have access to them (except probably from FTP or SCP, but that's another story). The only trick is that the directory they are in must be readable by PHP. Then you can do something like:
$fh = fopen("$full_path", "r"); fpassthru($fh);
Where $full_path = "/home/myhome/mystuff/somefile.blah"; The download directory for this will be totally unrelated to the real path. You can always improve security by checking referrer, cookies and other variables (preferably session variables) so that no one else can download directly by playing with the obvious variables you have there.