I hadn't considered that before. Thank you. :-)
The reason why, though, is that Mac OS X comes with permissions set by default
so that Apache can't wander outside of the publicly accessible folder
(~/Sites/). The script that I have written is something that I intend to
distribute to other Mac users and I would rather not reduce the security
that they already have preset on their machines as part of installing my
script as I think that would deter people from adopting it. Do you have any
other suggestions? :-/
On 02/15/03 11:50 AM, "Marco Tabini" <[EMAIL PROTECTED]> wrote:
>
> Yes--but you need to make the images inaccessible to the outside (simply
> put them in a folder that can't be seen from the web).
>
> Here's an example. Suppose you have a script called page.php that needs
> an image called img.jpg. Instead of calling img.jpg, you call another
> script, serveimage.php as follows:
>
> <img src="serveimage.php?img=img.jpg">
>
> Now, in serveimage.php you do this:
>
> <?php
>
> $img = $_GET['img'];
>
> // First, check that the user is not trying to trick us
> // into revealing a file that we shouldn't reveal.
> // Note: this is a *very* simplistic approach--you will probably
> // want to add your own
>
> if (strpos ($img, '/') !== false)
> die('Invalid file name');
>
> // Now, check if the user has permission to this file. You don't
> // explain how you do this, so I'll leave this to an external
> // function called check_permission ($file) that returns true if the
> // user is able to see that file and false otherwise
>
> if (check_permission ($img))
> {
> // Tell the browser this is an image
> // Note, you will probably have to change this depending
> // on the file type
>
> header ('Content-type: image/jpeg');
> readfile ($img);
> }
> else
> die ("Unauthorized access");
>
> ?>
>
> Essentially, what I'm doing is I'm replacing a file with a script that
> first checks the permissions and then, if the user is authorized,
> outputs the file to the browser. This way, if the user is not authorized
> to download a file, it will be blocked. Obviously, the files themselves
> should be inaccessible to the web *except* through your scripts.
>
> Hope it's a bit clearer now!
>
> Cheers,
>
>
> Marco
-m^2
--
PHP General Mailing List (http://www.php.net/)
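The file-name check that the quoted reply calls "very simplistic" can be tightened as in the following added example, which is not part of the original thread. It assumes PHP 7.1 or later; the `IMAGE_DIR` location, the `resolve_image()` helper and the body of `check_permission()` are hypothetical and must be replaced with your own.

```php
<?php
// Added example, not code from the thread. IMAGE_DIR and the body of
// check_permission() are assumptions; substitute your own.
define('IMAGE_DIR', __DIR__ . '/protected-images');

// Allowlist of servable extensions and the Content-Type sent for each.
const MIME_TYPES = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                    'png' => 'image/png',  'gif'  => 'image/gif'];

// Stand-in for the thread's check_permission(); denies until replaced.
function check_permission(string $file): bool
{
    return false;
}

// Map an untrusted name to [real path, MIME type] inside $baseDir, or null.
function resolve_image(string $name, string $baseDir): ?array
{
    // Accept only a bare file name: no separators, NUL bytes or leading dot.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]*\z/', $name)) {
        return null;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset(MIME_TYPES[$ext])) {
        return null;
    }
    // realpath() resolves symlinks, so a link that leaves $baseDir fails here.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || !is_file($path)
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return [$path, MIME_TYPES[$ext]];
}

$name  = isset($_GET['img']) && is_string($_GET['img']) ? $_GET['img'] : '';
$image = resolve_image($name, IMAGE_DIR);
if ($image === null) {
    http_response_code(404);
    exit('Invalid file name');
}
if (!check_permission($image[0])) {
    http_response_code(403);
    exit('Unauthorized access');
}
header('Content-Type: ' . $image[1]);
header('X-Content-Type-Options: nosniff');
readfile($image[0]);
```

The allowlist pattern rejects path separators, NUL bytes and dot-files up front, and the `realpath()` prefix comparison catches anything that still resolves outside the image directory, such as a symlink.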