Store your files outside of the webroot if you use this method. Then
they can't type in the address directly (otherwise this doesn't fix
anything). 

---John Holmes...

> -----Original Message-----
> From: Miguel Cruz [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, May 11, 2002 2:23 AM
> To: PHP-General
> Subject: Re: [PHP] protecting downloads with php
> 
> On Sat, 11 May 2002, Nick Wilson wrote:
> > I've been asked to protect an area containing 'course material' (PDFs
> > etc) and have just thought of a gaping hole in what I've done.
> >
> > I use a class to handle all the auth stuff and each page checks the
> > value of $obj->logged_in :: No problem.
> >
> > but what if someone links to www.thesite/theProtectedArea/file.tar.gz
> >
> > that file cannot check if the downloader is logged in, can it?
> 
> download.php:
> 
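>   <?php
> 
>   // userIsAuthorized() stands in for the site's own login check
>   // (for example, the $obj->logged_in value mentioned above).
>   if (userIsAuthorized())
>   {
>      // Send the archive through PHP so the check above always runs.
>      header('Content-Type: application/x-gzip');
>      readfile('secret-name-of-file.tar.gz');
>      exit;
>   }
>   else
>   {
>      print 'You are not authorized to download this file.';
>   }
> 
> ?>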
> 
> Season to taste with GET arguments such as an ID number or other hash
> identifying which file to send.
> 
> miguel
> 
> 
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
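
The advice in this thread combined into one script (authorization check before `readfile()`, files kept outside the webroot, file chosen by a GET ID), as an added example that is not part of the original messages. The storage path, the `FILES` map and the `$_SESSION['logged_in']` flag are assumptions; a request would look like `download.php?id=archive`.

```php
<?php
// Added example (not from the thread); STORAGE_DIR, FILES and the session flag are assumptions.
declare(strict_types=1);
// Assumed directory outside the webroot, so no URL maps onto these files.
const STORAGE_DIR = '/var/www/private/course-material';

// Allow-list of public ID => [name on disk, MIME type]; constructed entries.
const FILES = [
    'notes'   => ['week1-notes.pdf', 'application/pdf'],
    'archive' => ['file.tar.gz', 'application/x-gzip'],
];

// Map a requested ID to [path, MIME type, name]; null if unknown or missing.
function resolveDownload(string $id): ?array
{
    if (!array_key_exists($id, FILES)) {
        return null; // the path is never built from raw user input
    }
    [$name, $mime] = FILES[$id];
    $base = realpath(STORAGE_DIR);
    $path = realpath(STORAGE_DIR . '/' . $name);
    // realpath() is false for a missing file; the prefix test rejects a
    // symlink that resolves to somewhere outside the storage directory.
    if ($base === false || $path === false
        || strncmp($path, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    return [$path, $mime, $name];
}

session_start();
if (empty($_SESSION['logged_in'])) { // assumed to be set by the login code
    http_response_code(403);
    exit('You are not authorized to download this file.');
}

$id = $_GET['id'] ?? '';
$file = is_string($id) ? resolveDownload($id) : null;
if ($file === null) {
    http_response_code(404);
    exit('No such file.');
}

[$path, $mime, $name] = $file;
header('Content-Type: ' . $mime);
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```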


