Nitsan Bin-Nun wrote:



On Sat, May 30, 2009 at 7:02 PM, Ashley Sheridan <a...@ashleysheridan.co.uk <mailto:a...@ashleysheridan.co.uk>> wrote:

    On Sat, 2009-05-30 at 17:54 +0200, Nitsan Bin-Nun wrote:
     > That's the verification that my layer does. I'm not sure whether
    that's
     > enough or not.
     >
     > On Sat, May 30, 2009 at 4:43 PM, Michael A. Peters
    <mpet...@mac.com <mailto:mpet...@mac.com>> wrote:
     >
     > > Nitsan Bin-Nun wrote:
     > >
     > >  On Sat, May 30, 2009 at 3:26 PM, Michael A. Peters
    <mpet...@mac.com <mailto:mpet...@mac.com><mailto:
     > >> mpet...@mac.com <mailto:mpet...@mac.com>>> wrote:
     > >>
     > >>    Nitsan Bin-Nun wrote:
     > >>
     > >>        Hi
     > >>
     > >>        I have wrote a file uploader in PHP, and I don't want
    people to
     > >>        hijack it
     > >>        (get direct links, download whenever they want, etc).
     > >>
     > >>        Currently I have placed the uploaded files one
    directory up from
     > >>        the www
     > >>        root, and I'm hosting the files mime type in order to
    serve them
     > >>        on the fly.
     > >>
     > >>        I'm trying to think how should I secure this website, I
    don't
     > >>        want people to
     > >>        get direct links,etc.
     > >>
     > >>        Currently the links are being check with the
    $_SERVER['refer']
     > >>        variables and
     > >>        it being compared to the one in my config file.
     > >>
     > >>        Any ideas will be very appreciated! Thanks!
     > >>
     > >>
     > >>        By the way, does this file serving feature takes a lot
    of load
     > >>        from the
     > >>        server? if so then what are the other options? can I
    serve these
     > >>        files w/o
     > >>        PHP involved? lets say only by some sort of apache
    module or
     > >>        anything like
     > >>        that?
     > >>
     > >>
     > >>    What I do -
     > >>
     > >>    Files for restricted access are outside the web root.
     > >>    php wrapper script verifies the credentials of user to
    download the
     > >>    file (IE via a post token, session ID, etc.) and if
    allowed, it then
     > >>    sends the real file.
     > >>
     > >>    I use mod_rewrite (apache) to send requests for the real
    file to the
     > >>    php wrapper script so that the linked file has the same
    name as the
     > >>    real file (lets me use the same wrapper for lots of
    different files).
     > >>
     > >>    As far as load on the server, no - I don't think it costs a
    lot as
     > >>    far as system resources.
     > >>
     > >>
     > >>
     > >> Thank you for the fast answer.
     > >>
     > >> I'm doing the same regarding the php wrapper layer, but the
    thing is that
     > >> I just don't know what verification exams should I do in the
    php wrapping
     > >> layer.
     > >> I'm not sure what is the way that it should be done.
     > >>
     > >
     > > I check the referrer, assuming no other credential is required,
    if it is
     > > from an approved site or not sent (some people disable sending the
     > > http_referrer in their browser), I allow it. Otherwise I don't.
     > >
    That should be fine for downloading files. There will be an issue if
    they are media files and you want to play them from a browser plugin, as
    no plugin I've ever seen actually passes the referrer header.


    Ash
    www.ashleysheridan.co.uk <http://www.ashleysheridan.co.uk>



I'm sending downloading headers, there will be no options of playing it from the browser's plugin. Thank you both for your comments. I have decided that referrer check is enough for now :)

Nitsan


If you really want to be sure, you can use session variables with a download wrapper.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to