NYCPHP Meetup

NYPHP.org

[nycphp-talk] Single-Logon User Authentication, PHP and viewing non-ASCII

Brian Pang bpang at bpang.com
Mon Aug 18 15:26:26 EDT 2003


I use a function which invokes fpassthru

first I check to make sure the user has the right priviledges, if so,
then pass the file thru...

the link to the file might end up being something like

fileGetter.php?filename=word.doc

just remember to properly set the headers





> This is a multi-part message in MIME format.
> 
> 
> This challenge is beyond me, as it seems to be the case.
> 
> I am having to set up a user-authentication script that is basic
logon/registration process.  mySQL db captures username, password, and
other important fields such as their payment category and isAdmin (if
they are an admin on the site).  Once stored they will be able to login
once payment category is '4' (which means 'PAID').  
> 
> Upon being able to login, one of the features any user, admin or not,
can do is to view restricted files in the /web/contents folder.  They
can view the list or click onto a link and view the file itself
(assuming it's a url-friendly file like .txt or .doc or .pdf or something).
> 
> Here's where I am totally stuck.
> 
> The /web/contents folder must be locked down so that the outside world
cannot view it; only authenticated users must view it.  Problem is, by
doing that I force a double-login since that would involve using
.htaccess on the folder.  (Note, I was told mySQL has a means of
interfacing with .htacesss, however, that too would fail because the
requirements for login involve username, password, isAdmin and
payment_category all being set to certain values).
> 
> I thought of locking down the folder to 700 and each script uploaded
to 600 (using TCL CGI instead of PHP to do the actual uploading),
however, how would I be able to allow for users to VIEW non-ASCII files
(like .doc or .pdf)?
> 
> Has anyone faced anything like that, if so, please let me know.
> 
> Thanx
> Phil
> 






More information about the talk mailing list