On Sat, May 30, 2009 at 3:26 PM, Michael A. Peters <mpet...@mac.com> wrote:
> Nitsan Bin-Nun wrote: > >> Hi >> >> I have wrote a file uploader in PHP, and I don't want people to hijack it >> (get direct links, download whenever they want, etc). >> >> Currently I have placed the uploaded files one directory up from the www >> root, and I'm hosting the files mime type in order to serve them on the >> fly. >> >> I'm trying to think how should I secure this website, I don't want people >> to >> get direct links,etc. >> >> Currently the links are being check with the $_SERVER['refer'] variables >> and >> it being compared to the one in my config file. >> >> Any ideas will be very appreciated! Thanks! >> >> >> By the way, does this file serving feature takes a lot of load from the >> server? if so then what are the other options? can I serve these files w/o >> PHP involved? lets say only by some sort of apache module or anything like >> that? >> >> > What I do - > > Files for restricted access are outside the web root. > php wrapper script verifies the credentials of user to download the file > (IE via a post token, session ID, etc.) and if allowed, it then sends the > real file. > > I use mod_rewrite (apache) to send requests for the real file to the php > wrapper script so that the linked file has the same name as the real file > (lets me use the same wrapper for lots of different files). > > As far as load on the server, no - I don't think it costs a lot as far as > system resources. > Thank you for the fast answer. I'm doing the same regarding the php wrapper layer, but the thing is that I just don't know what verification exams should I do in the php wrapping layer. I'm not sure what is the way that it should be done.