
PDF/FDF outside website root directory

sjg
Registered: Jan 12 2011
Posts: 3

I have a password-protected application where I use PHP to pull a selected client's information from a MySQL database and create an FDF file to pre-populate the PDF with the client data. The user can modify and save this data on the form if they want. All of this works great; however, I would like to move my forms out of the website's root directory to prevent unauthorized access of the forms by someone typing in the direct URL to the form.
 
I can successfully serve blank, unfilled PDFs from a folder outside the root by buffering it on the server and doing a readfile(). The problem comes with the PDFs I want to pre-fill with FDF data. I can create the FDF and store it outside the root, but when I try to output it, Reader opens and says it cannot find the PDF. I cannot give an absolute URL to the PDF in the FDF since it is out of the root directory. I tried storing my PDFs in the same directory as my FDFs thinking that it would look there by default, but that does not work either.
 
Is there a way to reference the pdf in the fdf if the pdf is outside the root directory? (Everything I am seeing so far tells me this is not possible...)
 
I don't want to password protect the directory or the individual forms because the user already has to log in to get to the application.
 
If there is no way to store the fdf/pdf outside the root directory is there a way to add a "hidden" password to the pdf that I can pre-fill via the fdf if I keep my forms inside a website's public directory? That way legitimate users would not be prompted for a password, but someone trying to backdoor my forms would need to enter a password.
 
I don't know much about scripting inside a PDF, so is there a better/any way to secure my forms?
 
Thanks

My Product Information:
Reader 9.3, Unix/Linux
George_Johnson
Expert
Registered: Jul 6 2008
Posts: 1876
You can set it to whatever you want. Why don't you just set it to point to the location of the PDF?
sjg
Registered: Jan 12 2011
Posts: 3
Thanks for your reply, but it doesn't appear that I can set the file location for the PDF to a directory outside the website's public directories. I would like to store my forms outside the website's public directories so no one can directly access the PDF via a URL.

If it is outside the website's public directory there is not an absolute url because it is "above" the www (public files) directory. From the documentation and my testing it appears that relative urls will not work. e.g. /F ("../dir-outside-root/my.pdf") because of the way the form is served with the data, but I am wondering if I am missing something.

If I have to keep my PDFs that use FDF data in the website's root is there a way to prevent someone from opening a form by typing the url for it - other than password protecting the pdf and making the user type in a password each time?
George_Johnson
Expert
Registered: Jul 6 2008
Posts: 1876
I see I misunderstood what you were asking. The PDF does have to reside in your web server space somewhere if you're using a static PDF and expecting the PDF+FDF merge to take place on the client.

An alternative is to do the merging server-side and serve up the filled PDF. You'd have to use something like Appligent's FDFMerge to do the server-side merging of the PDF and FDF, and return the resulting PDF.
sjg
Registered: Jan 12 2011
Posts: 3
Thanks for bearing with me on this. This is starting to make me crazy. I checked FDFMerge but unless there is NO other way, I really don't want to spend $1000-$2000 just to prevent unauthorized access of the handful of PDF+FDFs on my site. I have all my forms doing everything I need them to do, I just want to secure them a little more. (I have several ways I can secure my "plain" PDFs - only the PDF+FDFs are the problem.)

1) My original idea of storing the files outside the root directory won't work for PDF+FDFs.

2) I have tried locking them down via .htaccess by allowing only access to the pdfs from my domain. That does not work because the fdf is downloaded to the client so when it tries to open the pdf it doesn't look like it is originating from my site so it prevents access.

3) I considered certificates, but my program is a subscription web-based application. A majority of my users are not the most tech-savvy and asking them to install certificates would frighten them and make them cry, plus I want to keep the application basically turn-key with minimal setup for the user.

4) I don't want to password protect the PDFs where the user would have to enter a password each time because the user already has to log in and that would be really annoying.

Is there a way to insert some scripting into the PDF that executes on the PDF open request that would allow me to kick out users that were not legitimate?

Does anyone have any ideas for a free or low cost way to secure PDF+FDFs? Is there a cheaper alternative to FDFMerge that doesn't flatten all the form fields? Someone has to have run into this before. I can't be the only cheap person out there.

I will appreciate any help you can offer.
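
One approach to the constraint discussed in this thread, added here as an example and not posted by any participant: keep the PDFs outside the web root, and have the `/F` entry of each generated FDF point at a PHP script URL carrying a short-lived HMAC signature, so the script streams the file with `readfile()` only for links the logged-in application issued. The script name `serve.php`, the host `example.com`, the directory path, the secret and the 120-second lifetime are all assumptions, as is Reader fetching a `/F` URL that includes a query string.

```php
<?php
// Assumed values: replace the secret, path and host with your own.
const SECRET   = 'replace-with-a-long-random-server-side-secret';
const FORM_DIR = '/home/site/private-forms';   // directory outside the web root
const TTL      = 120;                          // seconds a signed link stays valid

function sign(string $form, int $expires): string {
    return hash_hmac('sha256', $form . '|' . $expires, SECRET);
}

// Called by the logged-in application while it builds the FDF: /F (<this URL>)
function signed_url(string $form): string {
    $expires = time() + TTL;
    return 'https://example.com/serve.php?' . http_build_query([
        'form' => $form, 'exp' => $expires, 'sig' => sign($form, $expires),
    ]);
}

// Returns the absolute path to stream, or null when the request must be refused.
function resolve_request(array $q): ?string {
    $form = $q['form'] ?? '';
    $exp  = $q['exp']  ?? '';
    $sig  = $q['sig']  ?? '';
    if (!is_string($form) || !is_string($exp) || !is_string($sig)) return null;
    if (!preg_match('/^[A-Za-z0-9_-]+\.pdf$/', $form)) return null; // blocks ../ traversal
    if (!ctype_digit($exp) || (int)$exp < time()) return null;       // malformed or expired
    if (!hash_equals(sign($form, (int)$exp), $sig)) return null;     // constant-time compare
    $path = FORM_DIR . '/' . $form;
    return is_file($path) ? $path : null;
}

// serve.php entry point: runs only when requested through the web server.
if (PHP_SAPI !== 'cli') {
    $path = resolve_request($_GET);
    if ($path === null) { http_response_code(403); exit; }
    header('Content-Type: application/pdf');
    header('Content-Length: ' . filesize($path));
    header('Cache-Control: private, no-store');
    readfile($path);
}
```

The signed link works without the session cookie or a Referer header, which is why it survives the client-side fetch that defeated the `.htaccess` rule; anyone holding the link can use it until it expires, so keep the lifetime short.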