I ran into a similar problem and came up with a slightly different solution...

As an alternative to passing the file directly through PHP, if you are running Apache, you could DENY access to all files in a directory and then use PHP to dynamically update a local .htaccess file with valid sessions and use something like mod_security or a simple cookie/query_string check to see if the requested file has a valid session. Then Apache would handle the download as normal so users could use whatever download mechanism they want.

- jeff

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jeffrey Sambells
Director of Research and Development
Zend Certified Engineer (ZCE)

We-Create Inc.
[EMAIL PROTECTED] email
519.745.7374 office
519.897.2552 mobile

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Get Mozilla Firefox at
http://spreadfirefox.com

On 27-Oct-05, at 5:45 PM, Dan Trainor wrote:

Ben wrote:

Dan Trainor said the following on 10/27/2005 01:34 PM:


Ben wrote:


Move the files outside the document root so that they aren't available
via a direct URL, then create a 'file access page' in php that will
check for the session variable and either send or not send the file
based on whether the user has access.

- Ben




Ben -

I knew this, but it was the "send or not send" thing that I was
concerned about ;)



Sounds like you need to have a look here:
http://ca3.php.net/manual/en/ref.filesystem.php

and specifically here:
http://ca3.php.net/manual/en/function.fpassthru.php

and so you can set the proper headers:
http://ca3.php.net/manual/en/function.filetype.php

The on-line manual is your friend :-).

Also, you will want to be _very_ careful about ensuring that the file
you are sending is in fact the file you want to be sending (i.e.
/etc/passwd would be a no-no).

- Ben



Ben -

Yes, I've been playing with passthru() today, and it's quite
interesting. I think it's going to work. I made a little pass-through
(pardon the pun) script to do exactly what I'm looking for.

I've already started working on a set of sanity checks and such for the
requested files to prevent such malicious activity.

I want to thank you all again for your help.

Thanks!
-dant

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
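
An added example, not code from any poster in this thread: a PHP file access page of the kind Ben describes, with the session check and the "is this really the file I mean to send" check done by resolving the path and confirming it stays inside the download directory. `DOWNLOAD_DIR`, the `user_id` session key and the `file` query parameter are assumed names.

```php
<?php
// Added example. DOWNLOAD_DIR, the 'user_id' session key and the 'file'
// query parameter are assumptions, not names taken from the thread.
declare(strict_types=1);
const DOWNLOAD_DIR = '/var/www/private/downloads'; // outside the document root

// Resolve a requested name to a real file inside $baseDir, or return null.
function resolve_download(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses ".." and follows symlinks; false if the file is missing.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // Compare against base + separator so /downloads-old is not treated
    // as a child of /downloads.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

function send_download(): void
{
    session_start();
    if (empty($_SESSION['user_id'])) {   // no valid session: do not send
        http_response_code(403);
        return;
    }
    $name = $_GET['file'] ?? '';
    $path = is_string($name) ? resolve_download(DOWNLOAD_DIR, $name) : null;
    if ($path === null) {                // missing, or outside the directory
        http_response_code(404);
        return;
    }
    $safe = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $safe . '"');
    header('Content-Length: ' . filesize($path));
    $fh = fopen($path, 'rb');
    if ($fh !== false) {
        fpassthru($fh);                  // stream the file to the client
        fclose($fh);
    }
}

if (PHP_SAPI !== 'cli') { send_download(); }
```

A request for `../../etc/passwd` resolves to a path outside the prefix and gets a 404, as does a symlink inside the directory that points elsewhere.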


