Nitsan Bin-Nun wrote:
On Sat, May 30, 2009 at 3:26 PM, Michael A. Peters <mpet...@mac.com <mailto:mpet...@mac.com>> wrote:


    Nitsan Bin-Nun wrote:

        Hi

        I have wrote a file uploader in PHP, and I don't want people to
        hijack it
        (get direct links, download whenever they want, etc).

        Currently I have placed the uploaded files one directory up from
        the www
        root, and I'm hosting the files mime type in order to serve them
        on the fly.

        I'm trying to think how should I secure this website, I don't
        want people to
        get direct links,etc.

        Currently the links are being check with the $_SERVER['refer']
        variables and
        it being compared to the one in my config file.

        Any ideas will be very appreciated! Thanks!


        By the way, does this file serving feature takes a lot of load
        from the
        server? if so then what are the other options? can I serve these
        files w/o
        PHP involved? lets say only by some sort of apache module or
        anything like
        that?


    What I do -

    Files for restricted access are outside the web root.
    php wrapper script verifies the credentials of user to download the
    file (IE via a post token, session ID, etc.) and if allowed, it then
    sends the real file.

    I use mod_rewrite (apache) to send requests for the real file to the
    php wrapper script so that the linked file has the same name as the
    real file (lets me use the same wrapper for lots of different files).

    As far as load on the server, no - I don't think it costs a lot as
    far as system resources.



Thank you for the fast answer.

I'm doing the same regarding the php wrapper layer, but the thing is that I just don't know what verification exams should I do in the php wrapping layer.
I'm not sure what is the way that it should be done.

I check the referrer, assuming no other credential is required, if it is from an approved site or not sent (some people disable sending the http_referrer in their browser), I allow it. Otherwise I don't.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to