pass .pdf files NOT in public_html to browser? 1

[admoore]

pass .pdf files NOT in public_html to browser?

I am using sessions under PHP to authenticate clients and direct them to specific account related .pdf reports based on their logon... I also wish to protect these files from unauthorized access; so I seem to have two choices...

• Use PHP to pass files to client browser from outside public_html (sounds good- how do I do it?)

-or-

• Use .htaccess to further protect the client report directories under public_html and use PHP to pass authentication info to apache so that authenticated clients don't get challenged for credentials by Apache (sounds OK too, still don't have a clue how to do it...)

Any help here is Much Appreciated in advance!

-Allen

 

[danielhozac]

For the first, here is how I would do it.
<?php
if ($authenticated) //authenticate here
{
if (file_exists(&quot;/path/to/pdfs/&quot; . $_GET['file']))
{
header('Content-type: application/pdf');
readfile(&quot;/path/to/pdfs/&quot; . $_GET['file']);
}
}
else
{
//authenticate here
}
?>
The script could then be called as &quot;scriptname.php?file=pdf-file.pdf&quot;.
This script does have some security issues, for instance, one could access your /etc/passwd file with the right query string.
You could try and make a regexp to check if the name is a valid name for your files. //Daniel