0

I am trying to prevent direct access to a rar file on my ftp server by using htaccess and redirecting it to a page where they can login and access the file after they successfully login. I have set this up like so:

.htaccess:

RewriteEngine on
Redirect /Downloads/file1.rar /loginAuth1.php
Redirect /Downloads/file2.rar /loginAuth2.php

loginAuth1:

if(isset($_POST['username']) && isset($_POST['password'])){

$username = mysqli_real_escape_string($con, $_POST['username']);
$password = mysqli_real_escape_string($con, md5($_POST['password']));

$result = mysqli_query($con, "SELECT * FROM `users` WHERE `username` = '$username'") or die(mysqli_error($con));
if(mysqli_num_rows($result) < 1){
    header("Location: loginAuth1.php?error=incorrect-password");
}
while($row = mysqli_fetch_array($result)){
    if($password != $row['password']){
        header("Location: loginAuth1.php?error=incorrect-password");
    }elseif($row['status'] == "0"){
        header("Location: loginAuth1.php?error=banned");
    }else{
        $_SESSION['id'] = $row['id'];
        $_SESSION['username'] = $username;
        $_SESSION['email'] = $row['email'];
        $_SESSION['rank'] = $row['rank'];
        header("Location: Downloads\file1.rar");
    }
}
}

loginAuth2:

if(isset($_POST['username']) && isset($_POST['password'])){

$username = mysqli_real_escape_string($con, $_POST['username']);
$password = mysqli_real_escape_string($con, md5($_POST['password']));

$result = mysqli_query($con, "SELECT * FROM `users` WHERE `username` = '$username'") or die(mysqli_error($con));
if(mysqli_num_rows($result) < 1){
    header("Location: loginAuth2.php?error=incorrect-password");
}
while($row = mysqli_fetch_array($result)){
    if($password != $row['password']){
        header("Location: loginAuth2.php?error=incorrect-password");
    }elseif($row['status'] == "0"){
        header("Location: loginAuth2.php?error=banned");
    }else{
        $_SESSION['id'] = $row['id'];
        $_SESSION['username'] = $username;
        $_SESSION['email'] = $row['email'];
        $_SESSION['rank'] = $row['rank'];
        header("Location: Downloads\file2.rar");
    }
}
}

What would be the best way to check if the user successfully logged in, and to stop the redirect as then the user can download the file?

Thanks.

Matt142
  • 23
  • 7

1 Answers1

1

A better way would be to check the authentication then just return the octet stream of the rar file contents and set the header type, size, and filename on success. That way you don't need to redirect to a non-protected file. See https://stackoverflow.com/a/8485963/7361251

Community
  • 1
  • 1
Michael Trimm
  • 36
  • 2
  • I saw the answer you provided, that would provide a specific url for the user to download the file from, correct? How would that prevent unlogged in users from downloading the file. – Matt142 Jan 01 '17 at 22:41