Free Web Hosting Forum
go9090go (Junior Member) - Open file in protected folder. - 02-24-2012, 07:18 PM

Hello all, I am go9090go.
Today I made a domain for a jar file people can upload from my website.
I made this to make the jar file closed source, and it's easy to update.
Now I made a Java classloader and everything I made works.
The classloader calls a PHP document with the password and username.
The pass and name will be checked inside a database, and if it's inside I use
header() to load the jar file.

But when I just go to my main domain I get the index of the site, and people can easily download the jar file without having to walk through the PHP pass checker.
So I want to place the jar file inside a protected folder, and I want the only way to get access to this jar to be by the PHP file. How can I get a file from a protected folder?

Here is the PHP used when the jar file is not inside a protected folder:
PHP Code:
<?php

    $DBName = "name";     // name of the database
    $DBUser = "name";     // user
    $DBPassword = "pass"; // password
    $DBHost = "host";     // might be different

    mysql_connect($DBHost, $DBUser, $DBPassword);
    mysql_select_db($DBName);

    // Escape the request values before they are placed inside the SQL string
    $username = mysql_real_escape_string($_GET['username']);
    $password = mysql_real_escape_string($_GET['password']);

    $IP = $_SERVER['REMOTE_ADDR'];

    $string = "Java";
    $agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    $pos = strpos($agent, $string);
    // strpos() returns 0 for a match at the start of the string, so compare against false
    if ($pos === false)
    {
        echo("Your Auth has been banned for trying to breach security.");
        //mysql_query("delete from users where username='$username'");
        exit();
    }

    $query = "select * from users where name='$username' and pass='$password'";
    mysql_query($query);
    $num = mysql_affected_rows();
    if ($num > 0)
    {
        header('Location:script/Script.jar');
    }

?>
Now I want to use the header to a file inside a folder that is protected:

So how can I make the header() method open script.jar inside a protected folder?
The folder has a name and pass: blabla, balbla for example.

Thanks for the help
grace1004 (Senior Member) - 02-25-2012, 06:01 AM

I don't understand how people get the index of your site. As long as you place an index.php or index.html
file (main page file) directly in your public_html directory, people cannot see the index of your site.

I think there's no way to access files in a protected folder. It's better to make a new folder
with 755 permission, and move the files for downloading into this new folder. Please make sure not to
publicize the new folder name, so that only logged-in users can download the files.

Last edited by grace1004; 02-25-2012 at 07:25 AM.
grace1004 (Senior Member) - 02-26-2012, 03:20 AM

In the case of .txt files, if you use header('Location: '), logged-in users can see the full path for
accessing the file. If all downloaded files are .jar files, your code is OK. But if any .txt file
is included in the download list, to prevent logged-in users from later telling the full path to others,
it's better to change your code as shown below, and make a download.php file so that only
logged-in users can download the file without seeing the full path.

PHP Code:
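// $username and $password must already be escaped before they are used here
$query = "select * from users where name='$username' and pass='$password'";
$result = mysql_query($query);
$num = mysql_affected_rows();
if ($num > 0)
{
    session_start(); // needed before $_SESSION can be written
    $row = mysql_fetch_assoc($result); // fetch the matched user row
    $_SESSION['username'] = $row['name']; // Set session variable to be used in download.php
    header('Location:download.php');
}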
download.php file
=================
PHP Code:
<?php
session_start();

// Only continue when the login step stored a user name in the session
if (!empty($_SESSION['username'])) {

    $file = 'new folder_name/Script.jar';

    if (file_exists($file)) {
        header('Content-Description: File Transfer');
        header('Content-Type: application/octet-stream');
        header('Content-Disposition: attachment; filename=' . basename($file));
        header('Content-Transfer-Encoding: binary');
        header('Expires: 0');
        header('Cache-Control: must-revalidate');
        header('Pragma: public');
        header('Content-Length: ' . filesize($file));
        // Discard buffered output (if any) so only the file bytes are sent
        if (ob_get_level()) {
            ob_clean();
        }
        flush();
        readfile($file);
        exit;
    }

} else {
    echo 'You can download after login<br />';
    echo ("<meta http-equiv='Refresh' content='1; URL=login.php'>");
}
?>

Last edited by grace1004; 02-26-2012 at 04:24 AM. Reason: Initially I tested with .txt file, later tested with .jar file
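
What the thread is asking for, as an added example (not code from either poster): the JAR is kept outside the web root so no URL maps to it, and a single PHP script checks the credentials with a prepared statement and password_verify() before streaming the file. JAR_PATH, the users table layout, POST parameters and the in-memory SQLite demo database are assumptions; a real site would point PDO at its own MySQL database.

```php
<?php
// Added example, not code from the thread. JAR_PATH, the users table layout
// and the in-memory SQLite database are assumptions made for illustration.
const JAR_PATH = '/home/example/private/Script.jar'; // hypothetical path outside public_html

function openDemoDb(): PDO
{
    // Constructed demo data so the check runs offline; a real site would
    // pass its MySQL DSN to PDO and store hashes made with password_hash().
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');
    $db->prepare('INSERT INTO users (name, pass_hash) VALUES (?, ?)')
       ->execute(['demo', password_hash('demo-pass', PASSWORD_DEFAULT)]);
    return $db;
}

function checkCredentials(PDO $db, string $user, string $pass): bool
{
    // Prepared statement: the user name is bound as data, never parsed as SQL.
    $stmt = $db->prepare('SELECT pass_hash FROM users WHERE name = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($pass, $hash);
}

function sendJar(string $path): bool
{
    if (!is_file($path) || !is_readable($path)) {
        return false;
    }
    // The client only ever sees this script's URL, never the file's location.
    header('Content-Type: application/java-archive');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
    return true;
}

$db = openDemoDb();
// Credentials arrive in the POST body so they stay out of URLs and access logs.
$user = $_POST['username'] ?? '';
$pass = $_POST['password'] ?? '';
if (!checkCredentials($db, $user, $pass)) {
    http_response_code(403);
    exit("Forbidden\n");
}
if (!sendJar(JAR_PATH)) {
    http_response_code(404);
}
```

Because the file lives outside public_html, a directory index or a guessed folder name cannot reach it; the script is the only path to the bytes.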