Home/ Questions/Q 704217
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-14T03:55:01+00:00

Usually I save documents (images, mpegs, excel, word docs, etc…) for my friends or

  • 0

Usually I save documents (images, mpegs, excel, word docs, etc…) for my friends or family on my website’s root, inside a directory called /files/ or something similar. Nothing too uncommon.

But, I have been playing with user session control, and allowing users to upload files to the dedicated /files/ directory. (the file names are saved in a db, with that user’s ID)

But, that means other people could try to guess and locate other people’s files.
I do randomize the file names, upon upload. And I stop the apache from displaying the /files/ directory content.

However, I’d like to start saving the files outside of the website’s root. This way it can’t be accessible via the browser.

I don’t have any code to show, but I didn’t want to even start on this endeavor if it’s not able to be accomplished. I did find this snippet that shows how to display an image, from outside your website root:

Maybe I can use this for any file type, but has anyone heard of a better way to allow users (logged in) to access their files from online, but not letting other users has similar access?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The PHP manual gives good insight on how to achieve this with an example on the readfile function’s page:

    <?php
$file = 'monkey.gif';

if (file_exists($file)) {
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename='.basename($file));
    header('Content-Transfer-Encoding: binary');
    header('Expires: 0');
    header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
    header('Pragma: public');
    header('Content-Length: ' . filesize($file));
    ob_clean();
    flush();
    readfile($file);
    exit;
}
?>

    This forces any file to be downloadable by setting the content-disposition and content-type headers. That’s pretty much the way this sort of thing is usually done, file_get_contents will allow you to do the same thing too.

    • 0