On Sat, May 30, 2009 at 3:26 PM, Michael A. Peters <mpet...@mac.com> wrote:

> Nitsan Bin-Nun wrote:
>> Hi
>> I have wrote a file uploader in PHP, and I don't want people to hijack it
>> (get direct links, download whenever they want, etc).
>> Currently I have placed the uploaded files one directory up from the www
>> root, and I'm hosting the files mime type in order to serve them on the
>> fly.
>> I'm trying to think how should I secure this website, I don't want people
>> to
>> get direct links,etc.
>> Currently the links are being check with the $_SERVER['refer'] variables
>> and
>> it being compared to the one in my config file.
>> Any ideas will be very appreciated! Thanks!
>> By the way, does this file serving feature takes a lot of load from the
>> server? if so then what are the other options? can I serve these files w/o
>> PHP involved? lets say only by some sort of apache module or anything like
>> that?
> What I do -
> Files for restricted access are outside the web root.
> php wrapper script verifies the credentials of user to download the file
> (IE via a post token, session ID, etc.) and if allowed, it then sends the
> real file.
> I use mod_rewrite (apache) to send requests for the real file to the php
> wrapper script so that the linked file has the same name as the real file
> (lets me use the same wrapper for lots of different files).
> As far as load on the server, no - I don't think it costs a lot as far as
> system resources.

Thank you for the fast answer.

I'm doing the same regarding the php wrapper layer, but the thing is that I
just don't know what verification exams should I do in the php wrapping
I'm not sure what is the way that it should be done.

Reply via email to