Mark Cain wrote:
Trap for the referral page in the callFile.php page.

Allow the proper referral page to pass (could be multiple pages if you
choose) but if the users modify the URL of the GET the referral page will be
blank or perhaps more precise the referrer var will be empty and
nonexistent.

Do a phpinfo and look for the var:

 _SERVER["HTTP_REFERER"]

this will allow them to try to modify the url and you will know who is
attempting it  --  if you'd care to know that info.

Mark Cain



----- Original Message -----
From: "mel list_php" <[EMAIL PROTECTED]>
To: <php-db@lists.php.net>
Sent: Monday, April 11, 2005 5:59 AM
Subject: [PHP-DB] using POST data for a readfile



Hi list,
(mail problem you may get that one twice!)

My problem: I protect my files by storing them out of the web root or

behind

a htaccess.
As I'm not using the htaccess authentication for my users, I use a

readfile

to serve the file, basically something like:

<a href='callFile.php?id=test.pdf'>File to serve</a>

and in the script callFile something like

readfile(./protectedDir/test.pdf).

this works fine, but I just would like to use a post instead of a get, to
avoid my users trying to modify the url.

I tried to use a function in the callFile script, something like:

function getFile ($fileId)   {

readfile($fileId);

}

if (isset($_POST['fileId']))
{
$fileId=$_POST['fileId'];
getFile($fileId);
}

but it doesn't work.
I also tried to do a require_once (callFile.php) and then later on call

the

getFile function from the first script but no more success.

Does anybody has any idea on how to do that?

Thanks,
Melanie

As long as you don't get a significant number of users who set up their browser not to send referer information or have privacy software installed that performs that same function. (The web developer bar in Firefox has a disable referer option. Not sure what other extensions might.)


--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Reply via email to