Home/ Questions/Q 7920893
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-03T16:23:01+00:00

I will try to explain this as well as I possibly can. I’m developing

  • 0

I will try to explain this as well as I possibly can. I’m developing a member-driven website where members can upload files to sell them (where they own the rights to these files).

PREMISE 1: I wanted to ensure that each member’s folder could not be accessed directly and could only be reached through a link from the site itself.

This link is only generated in the member’s area of the person who has bought it (for downloading the file more than once…and member profiles don’t allow for linking to these folders either).

So every time a member joins they are given a file into which a .htaccess is automatically created.

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(www\.)?domain.com/.*$ [NC]
RewriteRule .* - [F]

PREMISE 2: When a user uploads a file, the last step in the process is to make sure that file has in fact uploaded.

$uploadFullPath = 'http://www.domain.com/userfiles/'.$_SESSION['uniqueKey'].'/'.$_SESSION['userNumber'].'-'.$_SESSION['latestUpload'].'.'.$_SESSION['latestExt'];
 if(fopen($uploadFullPath,"r")!==0){
  // update member usages
  $query = "UPDATE memberUsage SET usageLicenses=usageLicenses+1 WHERE memberNumber=".$_SESSION['userNumber'];
  mysql_query($query) or die(reportError('Unable to increment licenses used'));
  echo 'Your file has been successfully updated. You can view your listing within <a href="/user-area/">Your Dashboard</a>';
}
else{
 echo 'There seems to have been a problem uploading your file. Please <a href="/user-area/">go back</a> and try again from your \'incomplete listings\' page. Upload Path Provided: <a href="' . $uploadFullPath .'">' . $uploadFullPath . '</a>';
}

For clarity the reportError() function is just a preloaded function that churns out the mysql_error() and mysql_errno() any time an error needs reporting, to save typing it each time.

Also where above I have used fopen() I have also tried to test for the file’s existence using is_file() and file_exists().

The Problem
With the above htaccess restrictions fopen(), is_file() and file_exists() all fail to find the file, even though when the generated $uploadFullPath is clicked it works.

However if I remove the htaccess restriction the above functions work, but equally the files can be accessed directly without buying or going through the website first.

How do I get both of these conditions to run simultaneously please? I’m not sure if it’s just htaccess, just my file detection method or a combination of both.

My thanks in advance for your help!

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    If possible, just use your local filesystem instead of the http://-wrapper.

    So, for example, if your PHP file is /var/www/kirby/myfile.php and your uploads are stored in (again, an example) /var/www/kirby/useruploads/cooluserone/test.jpg (assuming test.jpg as an uploaded file).

    In this case, you could either use the relative path file_exists("useruploads/cooluserone/test.jpg") or the complete path file_exists("/var/www/kirby/useruploads/cooluserone/test.jpg").

    Both of this would return true.

    You have to make sure you have read access on the folder / files though, which you probably already have.

    • 0