I ran into a similar problem and came up with a slightly different
solution...
As an alternative to passing the file directly through PHP, if you
are running apache, you could DENY access to all files in a directory
and then use PHP to dynamically update a local .htaccess file with
valid sessions and use something like mod_security or a simple cookie/
query_string check to see if the requested file has a valid session.
Then apache would handle the download as normal so users could use
whatever download mechanism they want.
- jeff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jeffrey Sambells
Director of Research and Development
Zend Certified Engineer (ZCE)
We-Create Inc.
[EMAIL PROTECTED] email
519.745.7374 office
519.897.2552 mobile
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Get Mozilla Firefox at
http://spreadfirefox.com
On 27-Oct-05, at 5:45 PM, Dan Trainor wrote:
Ben wrote:
Dan Trainor said the following on 10/27/2005 01:34 PM:
Ben wrote:
Move the files outside the document root so that they aren't
available
via a direct URL, then create a 'file access page' in php that will
check for the session variable and either send or not send the file
based on whether the user has access.
- Ben
Ben -
I knew this, but it was the "send or not send" thing that I was
concerned about ;)
Sounds like you need to have a look here:
http://ca3.php.net/manual/en/ref.filesystem.php
and specifically here:
http://ca3.php.net/manual/en/function.fpassthru.php
and so you can set the proper headers:
http://ca3.php.net/manual/en/function.filetype.php
The on-line manual is your friend :-).
Also, you will want to be _very_ careful about ensuring that the file
you are sending is in fact the file you want to be sending (ie
/etc/passwd would be a no-no).
- Ben
Ben -
Yes, I've been playing with passthru() today, and it's quite
interesting. I think it's going to work. I made a little pass-
through
(pardon the pun) scriupt to do exactly what I'm looking for.
I've already started working on a set of sanity checks and such for
the
requested files to prevent such malicious activity.
I want to thank you all again for your help.
Thanks!
-dant
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
