I want users to be able to upload files, but I don't want them to be able to view the contents of the folder which the files are uploaded to. A PHP script should be able to browse and read the files in the hidden (for the users) folder.
Any ideas?
Add a comment
|
3 Answers
Upload to a folder that's not in public_html - they can then only be accessed via FTP or the server itself, not by HTTP.
answered Nov 19, 2010 at 22:51
Niet the Dark Absol
326k86 gold badges480 silver badges604 bronze badges
Comments
Theres multiple ways of accomplishing this.
option1 : like kolink says, place the files outside of your webroot (public_html)
option2 : use a .htaccess where you deny access to the dir, if you dont want the files to be listed you can use the following in your .htaccess
Options -Indexes
You might also wanna look at the permissions for the files using chmod.
2 Comments
quano
If I deny access to the dir, won't it deny scripts trying to access it too?
Leonard Pauli
@quano, no. This will just disable the access to the default index.php file that shows the directory's content and return a 403 - Forbidden message (that you can customize) instead. So you won't access a/dir, but a/dir/file.png.
Not totally secure, but a simple solution would be to place an index.php file in the folder you don't want accessed, that redirects the user back to the homepage. This will mainly prevent easy browsing of unindexed folders.
<?php
header('Location: ../../index.html');
?>
