You can also check $HTTP_REFERER; it's much simpler.

    Marek

Clay Loveless wrote:

>Something else along these lines -- I really, really wish that more sites
>that use this method would test across multiple browsers and platforms.
>
>I agree with everything John is saying regarding testing access/permissions
>-- I've used this technique many times myself.
>
>However, if a user with Internet Explorer on Mac OS X clicks this link:
>
>    www.domain.dom/file.php?id=23
>
>They'll wind up with a file on their desktop called "file.php".
>
>Not every browser pays close enough attention to the "filename" in the
>Content-Disposition header.
>
>Solution?
>
>    www.domain.com/file.php/23/docname.xls
>
>I believe this will run file.php, which can then pull in the $PATH_INFO to
>determine what file is being requested, check session permissions, etc., can
>then spit out the right headers as John suggests, AND users will definitely
>wind up with a downloaded file called "docname.xls".
>
>If your pages are dynamically generated, you can even do tricks like this to
>thwart external linking:
>
><?php
>    // time-derived value; file.php repeats the calculation to reject stale links
>    $bootLeech = date("U") / 2;
>    echo "<a href=\"http://www.domain.com/file.php/23/$bootLeech/docname.xls\">download</a>";
>?>
>
>Then in your file.php script, do the following:
>    - explode $PATH_INFO on "/"
>    - check the $bootLeech array position with the same calculation ...
>Where you can allow a plus/minus error tolerance of 10 minutes.
>
>
>We use this trick on http://www.imagescentral.com ... Kids frequently want
>to build Geocities sites that leech all our images. Our image file URLs work
>*just* long enough for them to build their pages, and test that they look
>good. 
>
>30 hours later, all the leeched images are replaced with Images Central
>logos. : )
>
>Fun!
>
>-Clay
>
>>From: "John Holmes" <[EMAIL PROTECTED]>
>>Organization: U.S. Army
>>Reply-To: <[EMAIL PROTECTED]>
>>Date: Mon, 3 Jun 2002 20:06:42 -0400
>>To: "'Philip Hess'" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
>>Subject: RE: [PHP] Download Script - Newbie Alert
>>
>>Store the files above your web root and use a PHP script to control
>>access. 
>>
>>Use header to set the appropriate header for the file,
>>
>>header("Content-Type: application/vnd.ms-excel; name='excel'");
>>header("Content-Disposition: attachment; filename=" . $filename .
>>".xls");
>>
>>then use passthru() to send the contents of the file. Use a path for
>>passthru that's above the web root.
>>
>>The key to this though, is to do some checking with PHP to make sure the
>>person is authorized to download the file. Simply doing the above will
>>still allow someone to link directly to file.php?id=23 or whatever, and
>>get the contents.
>>
>>Start a session on another page, the one before the download, and then
>>check for the session in this page, before you send the file. If the
>>session doesn't exist (or a certain variable within it) then don't send
>>the file.
>>
>>---John Holmes...
>>
>>>-----Original Message-----
>>>From: Philip Hess [mailto:[EMAIL PROTECTED]]
>>>Sent: Monday, June 03, 2002 6:09 PM
>>>To: [EMAIL PROTECTED]
>>>Subject: [PHP] Download Script - Newbie Alert
>>>
>>>Hello,
>>>
>>>I would like to allow visitors to my site to download documents created
>>>with MS office and .PDF files as well. In order to prevent linking from
>>>other sites I'd like to make or modify a script that hides the actual
>>>location of the files.
>>>
>>>A pointer in the right direction would be most appreciated.
>>>
>>>Thanks
>>>---------------------------------------------------------------
>>>Philip Hess - Pittsburgh, PA USA - Computer Teacher
>>>E-mail: pjh_at_zoominternet.net
>>>Phil's Place (my web site) http://phil.mav.net/
>>>PA School District Database: http://phil.mav.net/district.hts
>>>---------------------------------------------------------------
>>>
>>>
>>>--
>>>PHP General Mailing List (http://www.php.net/)
>>>To unsubscribe, visit: http://www.php.net/unsub.php
-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
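
The download handler this thread describes (PATH_INFO parsing, a time-limited link, a session check, files kept outside the web root), as an added example that is not code from any poster in the thread. It replaces the thread's date("U")/2 value with an expiry timestamp signed with HMAC-SHA256; SECRET, STORE_DIR, FILES and the 'may_download' session key are hypothetical names.

```php
<?php
// Added example, not code from the thread. SECRET, STORE_DIR, FILES and the
// 'may_download' session key are hypothetical names chosen for illustration.
const SECRET    = 'replace-with-a-random-server-side-key'; // placeholder value
const STORE_DIR = '/srv/private-downloads';                // outside the web root
const FILES     = [23 => 'docname.xls'];                   // constructed id => file map

// Path part of a link: /<id>/<expires>.<mac>/<name>, valid for $ttl seconds.
function makeLinkPath(int $id, int $ttl = 600, ?int $now = null): string
{
    $expires = ($now ?? time()) + $ttl;
    $mac = hash_hmac('sha256', "$id|$expires", SECRET);
    return "/$id/$expires.$mac/" . rawurlencode(FILES[$id]);
}

// Stored file name if PATH_INFO carries a valid, unexpired token; otherwise null.
function resolveDownload(string $pathInfo, ?int $now = null): ?string
{
    $parts = explode('/', trim($pathInfo, '/'));
    if (count($parts) !== 3 || !ctype_digit($parts[0])) {
        return null;
    }
    $id = (int) $parts[0];
    if (!array_key_exists($id, FILES)
        || !preg_match('/^(\d{1,12})\.([0-9a-f]{64})$/', $parts[1], $m)) {
        return null;
    }
    $expected = hash_hmac('sha256', "$id|{$m[1]}", SECRET);
    if (!hash_equals($expected, $m[2]) || (int) $m[1] < ($now ?? time())) {
        return null;
    }
    return FILES[$id]; // name comes from the server-side map, never from the URL
}

// Request handling; skipped on the CLI so the functions above can be exercised there.
if (PHP_SAPI !== 'cli') {
    session_start();
    $name = resolveDownload($_SERVER['PATH_INFO'] ?? '');
    if ($name === null || empty($_SESSION['may_download'])) {
        http_response_code(403);
        exit;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    readfile(STORE_DIR . '/' . $name);
}
```

The page that renders the link appends makeLinkPath(23) to the file.php URL; the trailing file name in the path exists only so that browsers save the download under that name.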
