PHP and .htaccess

beeman000

I have built a login script to a secure part of a website. Once the user logs in they are presented with files they can download. I want to protect these files from being directly downloaded by specifying the direct url, so i added a .htaccess file to control that. However this, of course, causes the user to have to input their username and password twice, once to login and once to download the file. Is their anyway around this? I want to continue to have a php login, because the files are user specific and are displayed based on the the username and login.

andrewtayloruk

Yes, move the file out of the public web directory and use a script to download the file. Post again if you need help with the code.

Make sure you santize the input and don't rely on passing

yourfile.php?file1.jpg as someone could use it as an insertion point for an exploit

Google or search for file download script php as an example.

Andrew