Downloading a file outside the root directory

lbabinz

Hello,

I am building a system that will allow customers to purchase documents from my client and then be able to download them in a full package (zipped up) or individually. In order to keep the files secure (ie: unavailable to people searching for them), I placed them into a folder outside of the root directory. What I am trying to do is then allow the customer to download the file. The problem is that I cannot seem to provide a link to the file since it exists outside of the root. Does anyone have any idea how I can access these files, or barring that give me a suggestion of a better way of doing this? Thank you very much in advance, any help would be appreciated.

keithjasper

is it possiable to make a .htaccess access some data to see if the user is allowed to access that dir?

or php updates .htaccess.?

only suggestion

lbabinz

Its actually not the validation of the user I am concerned with, just for some reason when I provide a link to the file that is outside the root directory, it gives me a file missing error because it cannot show a link outside the root. I am wondering if there is some way to access that, and if not, perhaps some way to delete a temp file once it has finished downloading. Does anyone know of a way to do that?

renaun

You can put the files into a database and then provide them with a link that pulls the files from the database. This way you could make dynamic links that are tied to a session and put all kinds of security on it.

The other option is to just fread the files that are below the webserver document root and output them with the correct headers. I was looking for some code for you but haven't got a working example at this moment. Start looking at "fread" on the www.php.net site.

Here is example code for fread-ing a file in and outputing it. You will have to know the Content-Type of each file for it to work correctly.

<?php
	$path = "C:/temp/ldap_model.pdf";
	if ($file = fopen($path, 'rb')) {
		while(!feof($file) and (connection_status()==0)) {
			$f .= fread($file, 1024*8);
		}
		fclose($file);
	}

header("Content-type: application/pdf");
print $f;
?>

If you have PHP 4.3.0 or higher (and some php.ini settings, look at http://www.zend.com/manual/ref.mime-magic.php)this code will work for finding the MIME Content-Type:

header("Content-type: " . mime_content_type($path));

If you have access to a database, its the best solution for making some implementation specific security rules.

lbabinz

Sounds like an interesting idea, I will give it a try, thanks.

lbabinz

This worked like a charm, many thanks. Just a quick question though, does anyone know the content type for a wpd file (Corel Word Perfect)?

renaun

A way to find out is to upload the file, use this html code: (might be mistakes look on www.php.net for example if there are mistakes)

<form enctype="multipart/form-data" method="post" action="upload.php">
<input type="file" name="upload_file">
<input type="submit" value="Submit">
</form>

Then just use the value that php detects on the upload.php:

<?php
// upload.php file
echo $_FILES['upload_file']['type'];
?>

You can use this to check any Content Types you need. There has to be a list out there somewhere. Searches on Google usually come up with good info.