Something else along these lines -- I really, really wish that more sites that use this method would test across multiple browsers and platforms.
I agree with everything John is saying regarding testing access/permissions -- I've used this technique many times myself. However, if a user with Internet Explorer on Mac OS X clicks this link: www.domain.dom/file.php?id=23 They'll wind up with a file on their desktop called "file.php". Not every browser pays close enough attention to the "filename" in the Content-Disposition header. Solution? www.domain.com/file.php/23/docname.xls I believe this will run file.php, which can then pull in the $PATH_INFO to determine what file is being requested, check session permissions, etc., can then spit out the right headers as John suggests, AND users will definitely wind up with a downloaded file called "docname.xls". If your pages are dynamically generated, you can even do tricks like this to thwart external linking: <?php $bootLeech = date("U") / 2; echo "<a href=\"http://www.domain.com/file.php/23/$bootLeech/docname.xls">download</a >"; ?> Then in your file.php script, do the following: - explode $PATH_INFO on "/" - check the $bootLeach array position with the same calculation ... Where you can allow a plus/minus error tolerance of 10 minutes. We use this trick on http://www.imagescentral.com ... Kids frequently want to build Geocities sites that leech all our images. Our image file URLs work *just* long enough for them to build their pages, and test that they look good. 30 hours later, all the leeched images are replaced with Images Central logos. : ) Fun! -Clay > From: "John Holmes" <[EMAIL PROTECTED]> > Organization: U.S. Army > Reply-To: <[EMAIL PROTECTED]> > Date: Mon, 3 Jun 2002 20:06:42 -0400 > To: "'Philip Hess'" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]> > Subject: RE: [PHP] Download Script - Newbie Alert > > Store the files above your web root and use a PHP script to control > access. > > Use header to set the appropriate header for the file, > > header("Content-Type: application/vnd.ms-excel; name='excel'"); > header("Content-Disposition: attachment; filename=" . $filename . > ".xls"); > > then use passthru() to send the contents of the file. Use a path for > passthru that's above the web root. > > The key to this though, is to do some checking with PHP to make sure the > person is authorized to download the file. Simply doing the above will > still allow someone to link directly to file.php?id=23 or whatever, and > get the contents. > > Start a session on another page, the one before the download, and then > check for the session in this page, before you send the file. If the > session doesn't exist (or a certain variable within it) then don't send > the file. > > ---John Holmes... > >> -----Original Message----- >> From: Philip Hess [mailto:[EMAIL PROTECTED]] >> Sent: Monday, June 03, 2002 6:09 PM >> To: [EMAIL PROTECTED] >> Subject: [PHP] Download Script - Newbie Alert >> >> Hello, >> >> I would like to allow visitors to my site to download documents > created >> with MS office and .PDF files as well. In order to prevent linking > from >> other sites I'd like to make or modify a script that hides the actual >> location of the files. >> >> A pointer in the right direction would be most appreciated. >> >> Thanks >> --------------------------------------------------------------- >> Philip Hess - Pittsburgh, PA USA - Computer Teacher >> E-mail: pjh_at_zoominternet.net >> Phil's Place (my web site) http://phil.mav.net/ >> PA School District Database: http://phil.mav.net/district.hts >> --------------------------------------------------------------- >> >> >> -- >> PHP General Mailing List (http://www.php.net/) >> To unsubscribe, visit: http://www.php.net/unsub.php > > > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php