Tag: Web Development
Downloadable File Protection
by jandrews on Apr.08, 2010, under Web Development
We are going to talk today about protecting files, and allowing access to them through some kind of authentication scheme. Let’s say you have a website that has a membership area. This membership area allows for a user to log in and view content such as pdfs and spreadsheets and word documents. The issue that any website may fall into is that these documents by default aren’t protected. Anyone who has the URL of the file can access it. Therefore you really should find some way of protecting it.
The first thing you should do is keep the web server from showing a directory listing. This is just proper security from the get go. It can be dangerous to let this information be available. With apache this is done either in the httpd.conf or in the .htaccess file.
Options Indexes FollowSymLinks
The above code tells apache to show Indexes. Removing this from your httpd.conf or redefining it in the .htaccess file will resolve the problem.
Options FollowSymLinks
My preferred method of file protection is to not store these files in a publicly accessible directory, and instead create a file that can access them. This gives me all the control I want. I can detect if someone is logged in, I can also define permissions for files, so if someone is logged in but doesn’t have proper credentials to access a file then I can send them to the proper location.
<?php
// Where are files are stored.
$storageDir = "/some/path/to/store/files";
// get the file name from the querystring.
$fileName = $_REQUEST['file'];
// Check if the file exists if not redirect to denial page.
if(!file_exists($storageDir . '/' . $fileName)) header("Location: /denied.php\n\n");
// put what ever other detection you want here. Check for login etc....
// If we haven't redirected to a denied page we can send them the content.
// Important headers to set so we can force the download.
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename='. $fileName);
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
header('Content-Length: ' . filesize($storageDir . '/' . $fileName));
ob_clean();
flush();
readfile($fileName);
exit;
?>
Now when a file is requested if it exists and meets all the standards you have requested it will allow to download.
Now let’s say you don’t have php on the server, or asp or ruby or python…. I know highly unlikely, but it could happen. Or say you have a website where you have already linked 1000 of these files, and using the above method would cause you to have quite a bit of work. You could use mod rewrite to protect the files using 2 different methods.
The first is detecting the http referer. By detecting the refering page URL you are basically telling the server to only allow access to the files from the pages and not directly from the URL. If the pages that the files are linked to are secured via an authentication scheme then bingo the access to the files are protected.
What we are doing here is using mod_rewrite to detect if the referer is empty. If it is then we redirect them to a page telling them that it is unaccessable.
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^$
RewriteRule /* http://mydomain.com/denied.html
The second is to use mod_rewrite to detect if a specific cookie is set a specific way. Here we test to see if a specific cookie is set to true. You could also write the expression just to see if it exists. If it doesn’t then you are denied.
RewriteEngine On
RewriteCond %{HTTP_COOKIE} !^mycookie=true$
RewriteRule /* http://mydomain.com/denied.html
These are just a few examples of how you can prevent access to files, and keep your important documents safe from those who may not have paid access to them, or who you don’t want to have access.
PHP Class – Calendar Matrix
by jandrews on Mar.08, 2010, under PHP Development
The other night I found myself needing a PHP class file that would give me calendar data. Specifically I needed something that I could build a calendar display with. The problem was I didn’t want it to write the HTML, I just wanted it to give me a multidimesional array of weeks and days. That way I could have whatever content I wanted in it. Not finding anything that didn’t write out HTML I created the CalendarMatrix class.
/**************************************************************************
Copyright 2010 James Andrews (email : contact at jamesmandrews dot com)
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation version 2 of the License
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
**************************************************************************/
class CalendarMatrix implements ArrayAccess, Iterator, Countable
{
// Define a list of the days of the week in english.
private $daysOfWeek = array( 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday','Saturday','Sunday');
private $dayCount = 0;
private $matix = array();
public function __construct($year, $month)
{
$this->dayCount = cal_days_in_month(CAL_GREGORIAN, $month, $year);
$this->generateMonthWeeksMatrix();
}
public function calendarDayHeaderArray()
{
return $this->daysOfWeek;
}
public function getMonthName($year=false, $month=false)
{
return date('F', mktime(0, 0, 0, $month, 1, $year));
}
private function firstDayOfMonth() {
return date("l", strtotime(date('m').'/01/'.date('Y').' 00:00:00'));
}
private function primeMatrix($startPos)
{
// Set up the first matrix array
$this->matrix[] = array();
for($count=0; $count < $startPos; $count++)
{
$this->matrix[(count($this->matrix)-1)][$count] = "";
}
return $matrixPos = count($this->matrix[(count($this->matrix)-1)]);
}
private function generateMonthWeeksMatrix()
{
// Get the position for the first day in the week header array.
$startPos = array_keys($this->daysOfWeek, $this->firstDayOfMonth());
// prime the matrix
$matrixPos = $this->primeMatrix($startPos[0]);
// Handle each day of the week
for($day = 0; $day < $this->dayCount; $day++)
{
// Fill in the date into the array value
$this->matrix[(count($this->matrix)-1)][] = ($day+1);
// If the current array hits a length of 7 start a new one.
if(count($this->matrix[(count($this->matrix)-1)]) == 7){
$this->matrix[] = array();
}
}
}
/*
* Below are our "implementataion functions."
*/
// We don't want to be able to change the data, so this
// function though here for compatibility does nothing.
// We'll throw an exception later.
public function offsetSet($offset, $value) {
}
public function offsetExists($offset) {
return isset($this->matrix[$offset]);
}
public function offsetUnset($offset) {
}
public function offsetGet($offset) {
return isset($this->matrix[$offset]) ? $this->matrix[$offset] : null;
}
public function rewind() {
reset($this->matrix);
}
public function current() {
return current($this->matrix);
}
public function key() {
return key($this->matrix);
}
public function next() {
return next($this->matrix);
}
public function valid() {
return $this->current() !== false;
}
public function count() {
return count($this->martrix);
}
}
The class is designed to mostly work like an array. With one exception, you can not modify an indexed value. It does how ever allow you to use for, and foreach statements to iterate through the array.
// Instantiate the matrix using the year and month in the constructor.
$matrix = new CalendarMatrix(2010, 03);
The matrix will now initialize itself with the constructor and you can use it like so.
<table>
<?php foreach($matrix as $week): ?>
<tr>
<?php foreach($week as $day): ?>
<td<>?php echo $day; ?></td>
<?php endforeach; ?>
</tr>
<?php endforeach; ?>
</table>
The code will now have created an calendar with the first row being Monday the last row being Sunday. There is also a function go build the day header at the top.
<table>
<tr>
<?php foreach($matrix->calendarDayHeaderArray() as $dayName): ?>
<th><?php echo $dayName; ?></th>
<?php endforeach; ?>
</tr>
<?php foreach($matrix as $week): ?>
<tr>
<?php foreach($week as $day): ?>
<td<>?php echo $day; ?></td>
<?php endforeach; ?>
</tr>
<?php endforeach; ?>
</table>
It is also flexible enough to be used to build a calendar out of divs simpley use both foreach calls next to each other and then put a div in the middle instead of a <td> tag.
