php-general Digest 8 Jul 2012 19:14:30 -0000 Issue 7880

Topics (messages 318409 through 318410):

Re: [PHP-DEV] SQLite - Unwanted values using group-by
        318409 by: Matijn Woudt

Re: How to make a secure download ?
        318410 by: tamouse mailing lists


----------------------------------------------------------------------
--- Begin Message ---
On Sun, Jul 8, 2012 at 12:07 AM, Simon Schick <simonsimc...@gmail.com> wrote:
> Hi, All
>
> May you have an idea ...
>
> Here's the full code-example:
> http://viper-7.com/M5mldG
>
> I have the following SQL command:
>
> SELECT max(r.month+r.year*100), r.year, r.month
> FROM base b LEFT JOIN remote r ON b.id = r.remote_id
> GROUP BY r.remote_id
>
> Now I expect that the first column in the results should look like a
> combination of the second and third one .. so f.e. this:
> array(3) { ["max(r.month+r.year*100)"]=> string(6) "201201" ["year"]=>
> string(4) "2012" ["month"]=> string(2) "01" }
>
> But instead I get this result:
> array(3) { ["max(r.month+r.year*100)"]=> string(6) "201201" ["year"]=>
> string(4) "2011" ["month"]=> string(2) "12" }

Both of the results are valid outcomes. I think you don't understand
the GROUP BY clause well enough. The parameters in the SELECT clause,
should be either
1) an aggregate function (like the max function you're using)
2) one of the parameters in the GROUP BY clause.
If not one of the above, it will return 'random' values for r.month
and r.year. (probably the first it finds, which might differ in your
test cases)

- Matijn


--- End Message ---
--- Begin Message ---
On Thu, Jul 5, 2012 at 10:17 AM, Gibbs <li...@danielgibbs.net> wrote:
> On 05/07/12 14:32, donkfat...@donkfather.eu wrote:
>>
>> Hi,
>>
>> I am trying to put a file to download. I want it secure so only the people
>> having the password can access it.
>> I made a page that requires a password.. if the password is correct it
>> changes the password send it on my mail and redirects
>> the user to another script. This script searches in the database for the
>> id given with GET and finds the name of the file
>> which is md5(something). it changes the name of the file in md5(smth
>> else). After that it searches in the download folder
>>  for a file named md5(smth else). if it finds the file it gives you the
>> link to the file.
>> So I need to find a way to change the filename after the user downloads
>> the file. to keep it secure so the user
>> won't be able to share the link to others.
>>
>> if you need more info ask :D
>> thanks
>> and sorry for my bad english .
>>
>
> Sounds like you are overcomplicating it. Following what you've already done
> though...
>
> Have the original files stored somewhere outside of the web root. That way
> they aren't accessible whatsoever + you shouldn't have to change any of the
> files at any stage.
>
> Then you can simply update/change the ID that associates with it in your
> database when that URL is hit...
>
> Gibbs


It does sound a bit complicated. If I surmise correctly, what you are
attempting to do is give an authorized person the ability to download a
file from your server by sending them a link to it in an email. Right
so far?

If so, here's what I suggest doing:

1) Store your downloadable content in a directory *outside of the web
server file space* (as Daniel mentioned above).

2) Keep a table of authorized people -> file download tokens, and file
download tokens -> download file spec. (You might want to also include
a back-reference for the latter so you can keep stats on files
downloaded.)

3) Write a special script that only handles downloads, not part of
your regular application.

4) When the authorized person requests the download, create a token
and store it in the database, linking it to the person's info and the
download file spec, and send the person an email with a link to the
URL invoking the special script with token.

5) When the person clicks the link, have your script mark the token as
"used" (so it can't be used again -- or optionally keep it around and
possibly do something like record the number of downloads, ip
addresses, date/time, and so on -- can be useful also for giving
someone, say, 5 legal downloads and then shutting it off).

6) Then matching the token to the file spec, deliver the contents,
appropriately setting headers as per the file contents.

--- End Message ---
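
Steps 2 and 4 to 6 of the message above, as an added PHP example that is not part of the original thread. The table layout, function names, `DOWNLOAD_DIR` and the in-memory SQLite store (via PDO) are assumptions; storing only a hash of the token and giving it an expiry time go beyond what the message describes.

```php
<?php
// Added example: table, function and path names below are hypothetical.
const DOWNLOAD_DIR = '/srv/private-downloads'; // assumed path outside the web root
function open_db(): PDO {
    $db = new PDO('sqlite::memory:'); // constructed in-memory store for the demo
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE download_tokens (
        token_hash TEXT PRIMARY KEY, user_id INTEGER NOT NULL,
        file_spec TEXT NOT NULL, expires_at INTEGER NOT NULL, used_at INTEGER)');
    return $db;
}

// Step 4: create an unguessable token for an authorized person; store only its hash.
function issue_token(PDO $db, int $userId, string $fileSpec, int $ttl = 3600): string {
    $token = bin2hex(random_bytes(32));
    $db->prepare('INSERT INTO download_tokens VALUES (?, ?, ?, ?, NULL)')
       ->execute([hash('sha256', $token), $userId, $fileSpec, time() + $ttl]);
    return $token; // goes into the e-mailed link to the download script
}

// Step 5: mark the token "used" in one atomic UPDATE so two requests cannot both win.
function redeem_token(PDO $db, string $token): ?string {
    $hash = hash('sha256', $token);
    $upd = $db->prepare('UPDATE download_tokens SET used_at = ?
        WHERE token_hash = ? AND used_at IS NULL AND expires_at > ?');
    $upd->execute([time(), $hash, time()]);
    if ($upd->rowCount() !== 1) {
        return null; // unknown, expired or already used
    }
    $sel = $db->prepare('SELECT file_spec FROM download_tokens WHERE token_hash = ?');
    $sel->execute([$hash]);
    return (string) $sel->fetchColumn();
}

// Step 6: deliver the contents; the file spec comes from the table, never from the URL.
function send_file(string $fileSpec): void {
    $path = DOWNLOAD_DIR . '/' . basename($fileSpec);
    if (!is_file($path)) { http_response_code(404); return; }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// Demo: the first redemption yields the file spec, the second is refused.
$db = open_db();
$token = issue_token($db, 42, 'report.pdf'); // constructed user id and file name
var_dump(redeem_token($db, $token));
var_dump(redeem_token($db, $token));
```

In the dedicated download script from step 3, pass the token from the query string to `redeem_token()` and call `send_file()` only when the result is not null.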
