
protect files used in my templates

 
amathur347
Smarty Rookie


Joined: 14 May 2003
Posts: 7

Posted: Tue Dec 09, 2003 2:36 am    Post subject: protect files used in my templates

Hi,

I have developed a smarty based website. A major component of it involved user authentication providing restricted access to certain pdf files. I have included links to the pdf files in the template files, access to which is regulated from my authentication script. Everything works great if I have a user who sticks to profile. But, if the user discovers the path to the pdf files, and types it directly on the URL, my authentication script goes to the dogs.

Is there any way I can avoid this? I tried protecting the directory with the pdfs via htaccess, adding a random user. But this comes into play when the file is accessed normally too.

Basically, the complete authentication drama has been designed to protect these pdf files, and I have so far been unsuccessful.

Any inputs ???
boots
Administrator


Joined: 16 Apr 2003
Posts: 5611
Location: Toronto, Canada

Posted: Tue Dec 09, 2003 2:46 am

Not much you can do from Smarty--this is a webserver level issue, IMO.

If you have a public link that resolves to a public file, then "hiding it" doesn't stop people from finding it necessarily. You need to either institute webserver authentication or you need to put a PHP interface in front of your pdf files -- ie. don't link to the pdf files, but instead to a php script which then loads the file and streams it to the client after setting appropriate headers.

Alternatively, use pdf security so that the pdf files require a password to open.

HTH
amathur347
Smarty Rookie


Joined: 14 May 2003
Posts: 7

Posted: Tue Dec 09, 2003 2:57 am

How does a php script 'load' a pdf file? u have some examples i can look into ?
boots
Administrator


Joined: 16 Apr 2003
Posts: 5611
Location: Toronto, Canada

Posted: Tue Dec 09, 2003 3:03 am

http://php.net/pdf

Take a look at example 2.

Cheers!
amathur347
Smarty Rookie


Joined: 14 May 2003
Posts: 7

Posted: Tue Dec 09, 2003 4:09 am

For some reason I can't get it to work. It's returning those shady-unprintable-but-still-printed characters !!

my code is

<?php
$filename='oxygen_s.pdf';
$len = filesize($filename);
header("Content-type: application/pdf");
header("Content-Length: $len");
header("Content-Disposition: inline; filename=oxygen_s.pdf");
readfile($filename);
?>
boots
Administrator


Joined: 16 Apr 2003
Posts: 5611
Location: Toronto, Canada

Posted: Tue Dec 09, 2003 4:17 am

remember, you have to send the headers prior to sending anything else to the client--even sending a blank line will cause the connection headers to be set to the defaults for your webserver (likely text/html).

See also the notes for http://php.net/readfile
amathur347
Smarty Rookie


Joined: 14 May 2003
Posts: 7

Posted: Tue Dec 09, 2003 4:24 am

ya i did that.. nothing is going before that. When something did, i got the error.. header already blah blah. After clearing all those errors i ended up with a page full of those characters.

check it out

www.prosperitas.com/secure/pdf.php
boots
Administrator


Joined: 16 Apr 2003
Posts: 5611
Location: Toronto, Canada

Posted: Tue Dec 09, 2003 4:37 am

hmmm...worked for me, though it linked to a word doc. Tried from IE6 on w2k and Epiphany on linux -- no problems. Try clearing your browser cache.
amathur347
Smarty Rookie


Joined: 14 May 2003
Posts: 7

Posted: Tue Dec 09, 2003 8:59 am

yes it works. I would have loved it if it did not open up an application though. I would like to open up the file on the same page, so that I can maintain the look and feel of the page.

I am new to the http headers thing, is there a parameter that does not force the file to be downloaded, and simply opens up on an existing page?

Thanks for the help so far btw. I have progressed a lot this night.. just need to take those final steps
boots
Administrator


Joined: 16 Apr 2003
Posts: 5611
Location: Toronto, Canada

Posted: Tue Dec 09, 2003 9:16 am

Hi again.

I'm glad I was of help :)

IIR it is the header directive
header("Content-Disposition: inline; filename=oxygen_s.pdf");
that forces the download. Try not sending that header.

see also: http://www.zend.com/manual/function.header.php

ps. I didn't mention it explicitly before, but obviously this script that streams your file should first authenticate your client :) This is required since the request will be coming in on a new connection from the client so any authentication you already did will not be available (of course, you can use sessions to manage this, but I suspect you already are doing something--this is just a note for the sake of completeness).
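
The approach discussed in this thread (link to a PHP script that checks the session and only then streams the PDF) could look like the following. This is an added example, not code posted by anyone in the thread; the `$_SESSION['user_id']` login marker, the `file` query parameter and the `PDF_DIR` location outside the web server's document root are assumptions.

```php
<?php
// Added example: gatekeeper script that authenticates, then streams a PDF.
// Assumptions (not from the thread): the login code sets $_SESSION['user_id'];
// the PDFs live in PDF_DIR, a directory outside the document root.
declare(strict_types=1);

const PDF_DIR = '/var/www/private/pdfs';   // hypothetical path, not URL-reachable

// Resolve a requested name to a file inside $baseDir, or null if not allowed.
function resolve_pdf(string $requested, string $baseDir): ?string
{
    // Accept only plain names such as "oxygen_s.pdf": no slashes, no "..".
    if (!preg_match('/\A[A-Za-z0-9_-]+\.pdf\z/', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    // realpath() follows symlinks; reject anything that lands outside $base.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($path)) {
        return null;
    }
    return $path;
}

session_start();
if (empty($_SESSION['user_id'])) {   // a typed-in URL without a login stops here
    http_response_code(403);
    exit('Forbidden');
}

$requested = $_GET['file'] ?? '';
$path = resolve_pdf(is_string($requested) ? $requested : '', PDF_DIR);
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

// Headers must be sent before any body bytes, as noted earlier in the thread.
header('Content-Type: application/pdf');
header('Content-Length: ' . (string) filesize($path));
header('Content-Disposition: inline; filename="' . basename($path) . '"');
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($path);
```

Because the PDFs sit outside the document root in this sketch, there is no direct URL to guess; the script is the only route to them, and the templates link to it rather than to the files.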
amathur347
Smarty Rookie


Joined: 14 May 2003
Posts: 7

Posted: Wed Dec 10, 2003 10:52 am

Hey boots..

did anyone tell u that u r the best ???

Well, in case others failed to recognize u .. i am saying it :)

It works beautifully

thanks again
All times are GMT