Nitsan Bin-Nun wrote:
On Sat, May 30, 2009 at 7:02 PM, Ashley Sheridan <a...@ashleysheridan.co.uk> wrote:
On Sat, 2009-05-30 at 17:54 +0200, Nitsan Bin-Nun wrote:
> That's the verification that my layer does. I'm not sure whether it's
> enough or not.
> On Sat, May 30, 2009 at 4:43 PM, Michael A. Peters <mpet...@mac.com> wrote:
> > Nitsan Bin-Nun wrote:
> >> On Sat, May 30, 2009 at 3:26 PM, Michael A. Peters <mpet...@mac.com> wrote:
> >> Nitsan Bin-Nun wrote:
> >> Hi
> >> I have written a file uploader in PHP, and I don't want hijack it
> >> (get direct links, download whenever they want, etc).
> >> Currently I have placed the uploaded files one directory up from the www
> >> root, and I'm hosting the files mime type in order to
> >> on the fly.
> >> I'm trying to think how I should secure this website, I want people to
> >> get direct links, etc.
> >> Currently the links are being checked with the
> >> variables and
> >> it is being compared to the one in my config file.
> >> Any ideas will be very appreciated! Thanks!
> >> By the way, does this file serving feature take a lot
> >> from the
> >> server? If so, then what are the other options? Can I
> >> files w/o
> >> PHP involved? Let's say only by some sort of Apache
> >> anything like
> >> that?
> >> What I do -
> >> Files for restricted access are outside the web root.
> >> PHP wrapper script verifies the credentials of user to
> >> file (IE via a post token, session ID, etc.) and if allowed, it then
> >> sends the real file.
> >> I use mod_rewrite (Apache) to send requests for the real file to the
> >> PHP wrapper script so that the linked file has the same name as the
> >> real file (lets me use the same wrapper for lots of
> >> As far as load on the server, no - I don't think it costs a
> >> far as system resources.
> >> Thank you for the fast answer.
> >> I'm doing the same regarding the PHP wrapper layer, but the thing is that
> >> I just don't know what verification exams I should do in the
> >> layer.
> >> I'm not sure what is the way that it should be done.
> > I check the referrer, assuming no other credential is required, if it is
> > from an approved site or not sent (some people disable sending the
> > http_referrer in their browser), I allow it. Otherwise I don't.
That should be fine for downloading files. There will be an issue if
they are media files and you want to play them from a browser plugin, as
no plugin I've ever seen actually passes the referrer header.
I'm sending download headers, there will be no option of playing it
from the browser's plugin.
Thank you both for your comments. I have decided that referrer check is
enough for now :)
If you really want to be sure, you can use session variables with a
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
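Michael's recipe above (files kept outside the web root, mod_rewrite sending requests for the real file name to a PHP wrapper, the wrapper checking a session or token before sending the bytes) written out as an added example. This is not code from anyone in the thread. The directory, the rewrite rule, the `$_SESSION['allowed_files']` key and the `$linkSecret` config value are all assumptions made for the example. One caveat on relying on the Referer header alone, as discussed above: it is supplied by the client, so curl or any script can send an approved value; the example therefore ties access to the session, or to a signed expiring link, and only forces a download once that check passes.

```php
<?php
// download.php: added example for this thread (not code from any of the
// posters). Serves a file stored outside the web root only after the caller's
// session, or a signed time-limited link, says they may have it.
//
// Assumptions (not from the original thread):
//  - uploaded files live in /var/www/private (one level above the docroot);
//  - an Apache rule such as
//        RewriteRule ^files/([^/]+)$ /download.php?file=$1 [L,QSA]
//    maps /files/report.pdf onto this script, so links keep the real name;
//  - login code stores the names the user may fetch in $_SESSION['allowed_files'];
//  - $linkSecret is a random key kept in the site config, used to sign links.
declare(strict_types=1);

session_start();

const PRIVATE_DIR = '/var/www/private';
$linkSecret = 'replace-with-a-long-random-value-from-config'; // assumed config value

function deny(int $status, string $msg): void
{
    http_response_code($status);
    header('Content-Type: text/plain; charset=utf-8');
    echo $msg;
    exit;
}

// Strip any directory part so ../../etc/passwd collapses to "passwd", and
// refuse names that are empty or are themselves directory references.
function requestedFileName(): string
{
    $name = basename((string) ($_GET['file'] ?? ''));
    if ($name === '' || $name === '.' || $name === '..') {
        deny(400, 'Bad file name');
    }
    return $name;
}

// Session check: the login step is assumed to have filled this list; an
// anonymous visitor has no session entry and therefore fails.
function sessionAllows(string $name): bool
{
    return in_array($name, $_SESSION['allowed_files'] ?? [], true);
}

// Signed link check: token = HMAC(secret, name . "|" . expiry). A link copied
// out of the site stops working at the expiry time, and a forged name or
// time changes the HMAC. hash_equals() avoids a timing side channel.
function linkAllows(string $name, string $secret): bool
{
    $expires = (int) ($_GET['expires'] ?? 0);
    $token   = (string) ($_GET['token'] ?? '');
    if ($expires < time() || $token === '') {
        return false;
    }
    $expected = hash_hmac('sha256', $name . '|' . $expires, $secret);
    return hash_equals($expected, $token);
}

// Resolve and re-check the final path: realpath() follows symlinks, so a
// symlink planted in the upload directory pointing elsewhere is caught here.
function resolvePath(string $name): string
{
    $base = realpath(PRIVATE_DIR);
    $path = realpath(PRIVATE_DIR . '/' . $name);
    if ($base === false || $path === false || !is_file($path)
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        deny(404, 'Not found');
    }
    return $path;
}

// Force a download: attachment disposition plus a generic type and nosniff,
// so the browser saves the bytes rather than rendering them in place.
function sendFile(string $path, string $name): void
{
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Cache-Control: private, no-store');
    header('Content-Length: ' . (string) filesize($path));
    header('Content-Disposition: attachment; filename="' . str_replace(['"', "\r", "\n"], '', $name) . '"');
    // readfile() streams from disk instead of loading the file into memory;
    // with mod_xsendfile installed, header('X-Sendfile: ' . $path) would hand
    // the transfer to Apache and free the PHP worker immediately.
    readfile($path);
}

$name = requestedFileName();
if (!sessionAllows($name) && !linkAllows($name, $linkSecret)) {
    deny(403, 'Forbidden');
}
sendFile(resolvePath($name), $name);
```

The two checks on the requested name do different jobs: basename() removes traversal from the request, and the realpath() comparison against the resolved base directory catches anything that still points outside it, such as a symlink dropped into the upload directory. The expiring HMAC link is the "post token" variant of Michael's scheme: it lets a logged-in page hand out a direct-looking URL that stops working after a set time, which addresses the "download whenever they want" concern without a session.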