[snip] > If you put the file you send somewhere out of the document root, the > download location can't even be reverse-engineered. This script is the > only way to get that file.
That's the key, right there. Combining that with sessions will make it so that only people with the appropriate session will be able to access the download script. Keeping it outside of the web root will make it so no one can just type in the URL to the file. ---John Holmes... -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php