Re: [PHP] Download Script - Newbie Alert
You can also check $HTTP_REFERER, it's much simpler

Marek

Clay Loveless wrote:

> Something else along these lines -- I really, really wish that more sites that use this method would test across multiple browsers and platforms.
>
> I agree with everything John is saying regarding testing access/permissions -- I've used this technique many times myself. However, if a user with Internet Explorer on Mac OS X clicks this link:
>
> www.domain.dom/file.php?id=23
>
> They'll wind up with a file on their desktop called file.php. Not every browser pays close enough attention to the filename in the Content-Disposition header.
>
> Solution?
>
> www.domain.com/file.php/23/docname.xls
>
> I believe this will run file.php, which can then pull in the $PATH_INFO to determine what file is being requested, check session permissions, etc., can then spit out the right headers as John suggests, AND users will definitely wind up with a downloaded file called docname.xls.
>
> If your pages are dynamically generated, you can even do tricks like this to thwart external linking:
>
> <?php
> $bootLeech = date("U") / 2;
> echo "<a href=\"http://www.domain.com/file.php/23/$bootLeech/docname.xls\">download</a>";
> ?>
>
> Then in your file.php script, do the following:
>
> - explode $PATH_INFO on /
> - check the $bootLeech array position with the same calculation
>
> ... Where you can allow a plus/minus error tolerance of 10 minutes.
>
> We use this trick on http://www.imagescentral.com ... Kids frequently want to build Geocities sites that leech all our images. Our image file URLs work *just* long enough for them to build their pages, and test that they look good. 30 hours later, all the leeched images are replaced with Images Central logos. : )
>
> Fun!
>
> -Clay

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Download Script - Newbie Alert
That can be spoofed, though, and not all browsers set it, and will not stop anyone from just typing in the URL...

http://www.example.com/files/mydoc.doc

---John Holmes...

-----Original Message-----
From: Marek Kilimajer [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 04, 2002 3:58 AM
To: PHP
Subject: Re: [PHP] Download Script - Newbie Alert

You can also check $HTTP_REFERER, it's much simpler

Marek
[PHP] Download Script - Newbie Alert
Hello,

I would like to allow visitors to my site to download documents created with MS office and .PDF files as well. In order to prevent linking from other sites I'd like to make or modify a script that hides the actual location of the files.

A pointer in the right direction would be most appreciated.

Thanks
---
Philip Hess - Pittsburgh, PA USA - Computer Teacher
E-mail: pjh_at_zoominternet.net
Phil's Place (my web site) http://phil.mav.net/
PA School District Database: http://phil.mav.net/district.hts
---
RE: [PHP] Download Script - Newbie Alert
Store the files above your web root and use a PHP script to control access.

Use header to set the appropriate header for the file,

    header("Content-Type: application/vnd.ms-excel; name='excel'");
    header("Content-Disposition: attachment; filename=" . $filename . ".xls");

then use passthru() to send the contents of the file. Use a path for passthru that's above the web root.

The key to this though, is to do some checking with PHP to make sure the person is authorized to download the file. Simply doing the above will still allow someone to link directly to file.php?id=23 or whatever, and get the contents. Start a session on another page, the one before the download, and then check for the session in this page, before you send the file. If the session doesn't exist (or a certain variable within it) then don't send the file.

---John Holmes...

-----Original Message-----
From: Philip Hess [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 03, 2002 6:09 PM
To: [EMAIL PROTECTED]
Subject: [PHP] Download Script - Newbie Alert

Hello,

I would like to allow visitors to my site to download documents created with MS office and .PDF files as well. In order to prevent linking from other sites I'd like to make or modify a script that hides the actual location of the files.

A pointer in the right direction would be most appreciated.

Thanks
---
Philip Hess - Pittsburgh, PA USA - Computer Teacher
E-mail: pjh_at_zoominternet.net
Phil's Place (my web site) http://phil.mav.net/
PA School District Database: http://phil.mav.net/district.hts
---
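Added example, not part of the thread or any poster's code: a file.php that applies the approach described in the message above (files outside the web root, a session check before any bytes are sent). The directory, the id-to-file table and the `user_id` session key are assumptions; the example streams the file with readfile(), since passthru() runs an external command rather than reading a file.

```php
<?php
// Added example (hypothetical names throughout): session-gated download script.
// Assumes an earlier page (e.g. login.php) sets $_SESSION['user_id'].

const DOC_DIR = '/var/private/docs';   // assumed location outside the web root

// Allowlist mapping public ids to stored files; the client never supplies a path.
const DOCS = [
    23 => ['file' => 'docname.xls',  'type' => 'application/vnd.ms-excel'],
    24 => ['file' => 'handbook.pdf', 'type' => 'application/pdf'],
];

// Returns the document record plus its absolute path, or null if the id is
// malformed, unknown, or resolves to something outside DOC_DIR.
function resolve_doc($rawId): ?array
{
    if (!is_string($rawId) || !ctype_digit($rawId)) {
        return null;                   // rejects arrays, signs, "../", empty string
    }
    $doc = DOCS[(int) $rawId] ?? null;
    $base = realpath(DOC_DIR);
    if ($doc === null || $base === false) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $doc['file']);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;                   // missing file or symlink leading elsewhere
    }
    return $doc + ['path' => $path];
}

session_start();
if (empty($_SESSION['user_id'])) {     // authorization check comes first
    http_response_code(403);
    exit('Not authorized');
}
$doc = resolve_doc($_GET['id'] ?? null);
if ($doc === null) {
    http_response_code(404);
    exit('No such document');
}
// The filename comes from the allowlist, never from the request,
// so it cannot carry header-injection characters.
header('Content-Type: ' . $doc['type']);
header('Content-Disposition: attachment; filename="' . $doc['file'] . '"');
header('Content-Length: ' . filesize($doc['path']));
header('X-Content-Type-Options: nosniff');
readfile($doc['path']);
```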
Re: [PHP] Download Script - Newbie Alert
Something else along these lines -- I really, really wish that more sites that use this method would test across multiple browsers and platforms.

I agree with everything John is saying regarding testing access/permissions -- I've used this technique many times myself. However, if a user with Internet Explorer on Mac OS X clicks this link:

www.domain.dom/file.php?id=23

They'll wind up with a file on their desktop called file.php. Not every browser pays close enough attention to the filename in the Content-Disposition header.

Solution?

www.domain.com/file.php/23/docname.xls

I believe this will run file.php, which can then pull in the $PATH_INFO to determine what file is being requested, check session permissions, etc., can then spit out the right headers as John suggests, AND users will definitely wind up with a downloaded file called docname.xls.

If your pages are dynamically generated, you can even do tricks like this to thwart external linking:

    <?php
    $bootLeech = date("U") / 2;
    echo "<a href=\"http://www.domain.com/file.php/23/$bootLeech/docname.xls\">download</a>";
    ?>

Then in your file.php script, do the following:

- explode $PATH_INFO on /
- check the $bootLeech array position with the same calculation

... Where you can allow a plus/minus error tolerance of 10 minutes.

We use this trick on http://www.imagescentral.com ... Kids frequently want to build Geocities sites that leech all our images. Our image file URLs work *just* long enough for them to build their pages, and test that they look good. 30 hours later, all the leeched images are replaced with Images Central logos. : )

Fun!

-Clay

From: John Holmes [EMAIL PROTECTED]
Organization: U.S. Army
Reply-To: [EMAIL PROTECTED]
Date: Mon, 3 Jun 2002 20:06:42 -0400
To: 'Philip Hess' [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: RE: [PHP] Download Script - Newbie Alert

Store the files above your web root and use a PHP script to control access.

Use header to set the appropriate header for the file,

    header("Content-Type: application/vnd.ms-excel; name='excel'");
    header("Content-Disposition: attachment; filename=" . $filename . ".xls");

then use passthru() to send the contents of the file. Use a path for passthru that's above the web root.

The key to this though, is to do some checking with PHP to make sure the person is authorized to download the file. Simply doing the above will still allow someone to link directly to file.php?id=23 or whatever, and get the contents. Start a session on another page, the one before the download, and then check for the session in this page, before you send the file. If the session doesn't exist (or a certain variable within it) then don't send the file.

---John Holmes...
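Added example, not code from the thread or from the site mentioned in it: expiring links in the /file.php/<id>/<token>/<name> layout described in the message above, parsed from $PATH_INFO. It swaps in a different technique for the token: an HMAC over id, name and expiry time under a server-side key, so a link cannot be regenerated by recomputing a timestamp. `LINK_KEY`, `LINK_TTL` and both function names are assumptions.

```php
<?php
// Added example (hypothetical names): HMAC-signed, expiring download links.

const LINK_KEY = 'replace-with-random-secret-from-config';  // placeholder key
const LINK_TTL = 600;                                       // assumed lifetime, seconds

// Builds the link placed into a dynamically generated page.
function make_link(int $id, string $name, int $now): string
{
    $expires = $now + LINK_TTL;
    $mac = hash_hmac('sha256', "$id|$name|$expires", LINK_KEY);
    return "/file.php/$id/$expires.$mac/$name";
}

// Validates PATH_INFO; returns [id, name] for an untampered, unexpired link,
// otherwise null.
function check_path_info(string $pathInfo, int $now): ?array
{
    $parts = explode('/', trim($pathInfo, '/'));
    if (count($parts) !== 3) {
        return null;
    }
    [$id, $token, $name] = $parts;
    // Restricting the name's alphabet keeps '|' and '/' out of the signed string.
    if (!ctype_digit($id) || !preg_match('/^[A-Za-z0-9._-]+$/', $name)) {
        return null;
    }
    $tok = explode('.', $token, 2);
    if (count($tok) !== 2 || !ctype_digit($tok[0])) {
        return null;
    }
    [$expires, $mac] = $tok;
    $expected = hash_hmac('sha256', "$id|$name|$expires", LINK_KEY);
    // hash_equals() compares in constant time; expiry is checked only once
    // the signature has been verified.
    if (!hash_equals($expected, $mac) || (int) $expires < $now) {
        return null;
    }
    return [(int) $id, $name];
}

// Constructed demonstration values.
$now  = 1023148800;
$link = make_link(23, 'docname.xls', $now);
$info = substr($link, strlen('/file.php'));   // what the server passes as PATH_INFO
var_dump(check_path_info($info, $now + 300));                          // within lifetime
var_dump(check_path_info($info, $now + LINK_TTL + 1));                 // after expiry
var_dump(check_path_info(str_replace('/23/', '/24/', $info), $now));   // id altered after signing
```

A valid link only proves it was issued recently by the site; the session check from John's message still decides whether this visitor may have the file.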