files for individual users

I am going to be starting a project for my boss. What he wants is an area on the company website that clients can go and download there reports. I was thinking that the best way to do this, since every clients information is confidential, would be to create a user authentication system based on a mysql table holding their usernames and passwords. In addition to that I would create many other tables, one table for each company and their reports. Thus having a one to many relationship. I do not know if I should md5() the passwords? Or if the one to many relationship is a good idea? Moreover the files would be in PDF format and would have to either be stored in the tables or as i have heard it is possible, to put them in a directory which is password protected and link to them from the tables in the database, but i do not know what that means. I could really use some advice from the Gurus out there.

Thanks.

bump

- Yes, or any other means of encryption.

As for the one to many DB design - I would really have to see the whole DB design to give an opinion.

Something to also keep in mind - PHP can generate pdf files dynamically fro the reports.

Reference:
http://www.php.net/manual/en/ref.pdf.php

Definitely use md5() or sha1().

Encryption is good, but one-way message digest is better. (md5/sha1)

I wouldn't use a table for each client, surely you can just use one table called "users" with fields like:
"user_id,client_id,user_name,date_added,email,etc.. ."
Then you have a table called clients like:
"client_id,date_added,client_name,job_specs,main_em ail,etc.."
And a table for all the files:
"file_id,client_id,file_name"

Then, to display all the files for a client you can use something like:


The best way to allow users to download files is either to stream the files out from a PHP file. That way the URL of the file will read something like "download.php" instead of "files/reports/report2.pdf", that way people won't know where the file is located.

But of course that isn't enough just to hide a file.
I think (but haven't tested) putting a .htaccess file in the files folder and in it only allowing access to the files from the local address.
Something like:
Deny:all
Allow:127.0.0.1

That probably isn't valid because I haven't used many .htaccess files.

So, in theory because your "download.php" file will be reading the file from the server and streaming it to the user, I think that the .htaccess will allow it, but will stop users accessing it directly.

Hope that helps, and hope it works. If you need the download streaming page then you can e-mail me. DavidDoranMedia[AT]gmail.com

-SW

Hey thanks a lot man, that is a great explanation. As to help with streaming the files, i will try and get back to you if i get stuck.
Cheers