Trap for the referral page in the callFile.php page.

Allow the proper referral page to pass (could be multiple pages if you
choose), but if the users modify the URL of the GET, the referral page will be
blank or, perhaps more precisely, the referrer var will be empty and
nonexistent.

Do a phpinfo and look for the var:

 _SERVER["HTTP_REFERER"]

This will allow them to try to modify the URL and you will know who is
attempting it -- if you'd care to know that info.

Mark Cain



----- Original Message -----
From: "mel list_php" <[EMAIL PROTECTED]>
To: <php-db@lists.php.net>
Sent: Monday, April 11, 2005 5:59 AM
Subject: [PHP-DB] using POST data for a readfile


> Hi list,
> (mail problem you may get that one twice!)
>
> My problem: I protect my files by storing them out of the web root or behind
> a htaccess.
> As I'm not using the htaccess authentication for my users, I use a readfile
> to serve the file, basically something like:
>
> <a href='callFile.php?id=test.pdf'>File to serve</a>
>
> and in the script callFile something like
> readfile('./protectedDir/test.pdf').
> This works fine, but I just would like to use a post instead of a get, to
> avoid my users trying to modify the URL.
>
> I tried to use a function in the callFile script, something like:
>
> function getFile ($fileId)   {
>
> readfile($fileId);
>
> }
>
> if (isset($_POST['fileId']))
> {
> $fileId=$_POST['fileId'];
> getFile($fileId);
> }
>
> but it doesn't work.
> I also tried to do a require_once (callFile.php) and then later on call the
> getFile function from the first script but no more success.
>
> Does anybody have any idea on how to do that?
>
> Thanks,
> Melanie
>
> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
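
An added example, not code from either poster: a callFile.php that validates the requested id on the server, so which file is served does not depend on whether the request was a GET or a POST, or on the Referer header, which is supplied by the client and is only logged here. The `protectedDir` location comes from the thread; the function name `resolveProtectedFile`, the log format, and the assumption that the site's own login check runs before this code are not from the thread.

```php
<?php
// callFile.php (added example). Assumes the site's own login check already ran.
declare(strict_types=1);

const PROTECTED_DIR = __DIR__ . '/protectedDir'; // directory named in the thread

/**
 * Map a client-supplied id to a real file inside $baseDir,
 * or return null if it does not resolve to one.
 */
function resolveProtectedFile(string $id, string $baseDir): ?string
{
    // Accept only a plain file name: no directory separators, no NUL byte.
    if ($id === '' || $id !== basename($id) || strpos($id, "\0") !== false) {
        return null;
    }
    // realpath() resolves ".." and symlinks and returns false if nothing exists.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $id);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // The resolved path must still sit directly under the protected directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// The same check applies to both request methods used in the thread.
$id = $_POST['fileId'] ?? $_GET['id'] ?? '';
$path = is_string($id) ? resolveProtectedFile($id, PROTECTED_DIR) : null;

if ($path === null) {
    // Log who asked and the Referer they sent; json_encode() escapes newlines
    // so a crafted value cannot forge extra log lines.
    error_log(sprintf(
        'callFile: rejected id=%s from %s referer=%s',
        json_encode($id),
        $_SERVER['REMOTE_ADDR'] ?? '-',
        json_encode($_SERVER['HTTP_REFERER'] ?? '')
    ));
    http_response_code(404);
    exit;
}

header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . rawurlencode(basename($path)) . '"');
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```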