Something else along these lines -- I really, really wish that more sites
that use this method would test across multiple browsers and platforms.

I agree with everything John is saying regarding testing access/permissions
-- I've used this technique many times myself.

However, if a user with Internet Explorer on Mac OS X clicks this link:


They'll wind up with a file on their desktop called "file.php".

Not every browser pays close enough attention to the "filename" in the
Content-Disposition header.


I believe this will run file.php, which can then pull in the $PATH_INFO to
determine what file is being requested, check session permissions, etc., can
then spit out the right headers as John suggests, AND users will definitely
wind up with a downloaded file called "docname.xls".

If your pages are dynamically generated, you can even do tricks like this to
thwart external linking:

    $bootLeech = date("U") / 2;
    echo "<a 

Then in your file.php script, do the following:
    - explode $PATH_INFO on "/"
    - check the $bootLeech array position with the same calculation ...
Where you can allow a plus/minus error tolerance of 10 minutes.

We use this trick on ... Kids frequently want
to build Geocities sites that leech all our images. Our image file URLs work
*just* long enough for them to build their pages, and test that they look

30 hours later, all the leeched images are replaced with Images Central
logos. : )




> From: "John Holmes" <[EMAIL PROTECTED]>
> Organization: U.S. Army
> Date: Mon, 3 Jun 2002 20:06:42 -0400
> To: "'Philip Hess'" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
> Subject: RE: [PHP] Download Script - Newbie Alert
> Store the files above your web root and use a PHP script to control
> access. 
> Use header to set the appropriate header for the file,
> header("Content-Type: application/; name='excel'");
> header("Content-Disposition: attachment; filename=" . $filename .
> ".xls");
> then use passthru() to send the contents of the file. Use a path for
> passthru that's above the web root.
> The key to this though, is to do some checking with PHP to make sure the
> person is authorized to download the file. Simply doing the above will
> still allow someone to link directly to file.php?id=23 or whatever, and
> get the contents.
> Start a session on another page, the one before the download, and then
> check for the session in this page, before you send the file. If the
> session doesn't exist (or a certain variable within it) then don't send
> the file.
> ---John Holmes...
>> -----Original Message-----
>> From: Philip Hess [mailto:[EMAIL PROTECTED]]
>> Sent: Monday, June 03, 2002 6:09 PM
>> Subject: [PHP] Download Script - Newbie Alert
>> Hello,
>> I would like to allow visitors to my site to download documents created
>> with MS office and .PDF files as well. In order to prevent linking from
>> other sites I'd like to make or modify a script that hides the actual
>> location of the files.
>> A pointer in the right direction would be most appreciated.
>> Thanks
>> ---------------------------------------------------------------
>> Philip Hess - Pittsburgh, PA USA - Computer Teacher
>> E-mail:
>> Phil's Place (my web site)
>> PA School District Database:
>> ---------------------------------------------------------------
>> --
>> PHP General Mailing List (
>> To unsubscribe, visit:

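The expiring-link check and session-gated download discussed in this thread, as an added example that is not code from either poster: it swaps the `date("U") / 2` value for an HMAC-signed expiry time, so a leecher cannot recompute a fresh link, and it sends the file with `readfile()` instead of `passthru()`. `SECRET`, `STORE`, the session key `may_download` and the URL layout `/file.php/<expires>/<signature>/<name>` are assumptions.

```php
<?php
// Added example, not code from the thread. SECRET, STORE and the
// session key 'may_download' are assumptions for illustration.
const SECRET = 'replace-with-a-long-random-server-side-secret';
const STORE  = '/srv/private-docs';   // directory above the web root
const TTL    = 600;                   // links stay valid for 10 minutes

// Build /file.php/<expires>/<signature>/<name> while generating a page.
function make_link(string $name, ?int $now = null): string
{
    $expires = ($now ?? time()) + TTL;
    $sig = hash_hmac('sha256', $expires . '/' . $name, SECRET);
    return '/file.php/' . $expires . '/' . $sig . '/' . rawurlencode($name);
}

// Return the validated file name, or null if the link is malformed, forged or expired.
function check_path_info(string $pathInfo, ?int $now = null): ?string
{
    $parts = explode('/', ltrim($pathInfo, '/'));
    if (count($parts) !== 3 || !ctype_digit($parts[0])) {
        return null;
    }
    [$expires, $sig, $name] = $parts;
    $expected = hash_hmac('sha256', $expires . '/' . $name, SECRET);
    if (!hash_equals($expected, $sig) || (int)$expires < ($now ?? time())) {
        return null;
    }
    // Accept only a plain file name: no "..", no separators, no dotfiles.
    $plain = preg_match('/\A[A-Za-z0-9._-]+\z/', $name) === 1 && $name[0] !== '.';
    return $plain ? $name : null;
}

// Request handling: runs only when the script is reached with path info.
if (isset($_SERVER['PATH_INFO'])) {
    session_start();
    $name = check_path_info($_SERVER['PATH_INFO']);
    $file = $name === null ? null : STORE . '/' . $name;
    if (empty($_SESSION['may_download']) || $file === null || !is_file($file)) {
        http_response_code(403);
        exit;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('Content-Length: ' . filesize($file));
    readfile($file);
}
```

Because the file name is the last path segment, a browser that ignores the Content-Disposition filename still saves the download under the document's name rather than "file.php".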