> -----Original Message----- > From: Stephen [mailto:stephen-d@xxxxxxxxxx] > Sent: Thursday, September 06, 2007 1:04 PM > To: php-general@xxxxxxxxxxxxx > Subject: Preventing Access to Private Files > > I understand how to use PHP with MySQL to have a > members table to validate passwords. And to limit the > generation of "member" pages to members only. > > But what about photographs? If someone knows the > complete URL they could view it directly, unless the > directory is protected using .htpassword > > But I don't want to have passwords in two places, nor > muck with the password file everytime a new member > joins. > > Suggestions? > > Thanks > Stephen http://modauthmysql.sourceforge.net/ Pretty much the greatest plugin ever invented for Apache. I use it religiously. Then you can have both methods sharing the same db table and it's seemless and WAY more secure than trying to do some 'index.php' or 'header' tricks... Basically add something like this to your apache vhost_foo.conf file: <Directory /home/foo/public_html/admin> Options All +Includes AllowOverride None AuthName "My Private Admin Stuff" AuthType Basic require valid-user AuthMySQLHost localhost AuthMySQLDB mydatabase AuthMySQLUser mydbuser AuthMySQLPassword mydbpass AuthMySQLPwEncryption sha1 AuthMySQLUserTable users AuthMySQLNameField username AuthMySQLPasswordField password AuthMySQLUserCondition "type = 'Admin' AND enabled = 1" </Directory> That last AuthMySQLUserCondition is the most useful addition. Also take a look at this, for some additional ideas in making your "login" look more professional than just some form fields on a web page... http://www.php.net/manual/en/features.http-auth.php You can combine all three methods and chicks will love you like no other... D.Vin http://daevid.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
