RE: [PHP] Download Script - Newbie Alert
That can be spoofed, though, and not all browsers set it, and will not stop
anyone from just typing in the URL...

http://www.example.com/files/mydoc.doc

---John Holmes...

> -----Original Message-----
> From: Marek Kilimajer [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, June 04, 2002 3:58 AM
> To: PHP
> Subject: Re: [PHP] Download Script - Newbie Alert
>
> You can also check $HTTP_REFERER, it's much simpler
>
> Marek
Re: [PHP] Download Script - Newbie Alert
You can also check $HTTP_REFERER, it's much simpler

Marek

Clay Loveless wrote:

> If your pages are dynamically generated, you can even do tricks like this to
> thwart external linking:
>
> <?
> $bootLeech = date("U") / 2;
> echo "<a href=\"http://www.domain.com/file.php/23/$bootLeech/docname.xls\">download</a>";
> ?>
>
> Then in your file.php script, do the following:
> - explode $PATH_INFO on "/"
> - check the $bootLeech array position with the same calculation ...
> Where you can allow a plus/minus error tolerance of 10 minutes.
>
> We use this trick on http://www.imagescentral.com ... Kids frequently want
> to build Geocities sites that leech all our images. Our image file URLs work
> *just* long enough for them to build their pages, and test that they look
> good.
>
> 30 hours later, all the leeched images are replaced with Images Central
> logos. : )
>
> Fun!
>
> -Clay

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Download Script - Newbie Alert
Something else along these lines -- I really, really wish that more sites
that use this method would test across multiple browsers and platforms.

I agree with everything John is saying regarding testing access/permissions
-- I've used this technique many times myself.

However, if a user with Internet Explorer on Mac OS X clicks this link:

www.domain.dom/file.php?id=23

They'll wind up with a file on their desktop called "file.php".

Not every browser pays close enough attention to the "filename" in the
Content-Disposition header.

Solution?

www.domain.com/file.php/23/docname.xls

I believe this will run file.php, which can then pull in the $PATH_INFO to
determine what file is being requested, check session permissions, etc., can
then spit out the right headers as John suggests, AND users will definitely
wind up with a downloaded file called "docname.xls".

If your pages are dynamically generated, you can even do tricks like this to
thwart external linking:

<?
$bootLeech = date("U") / 2;
echo "<a href=\"http://www.domain.com/file.php/23/$bootLeech/docname.xls\">download</a>";
?>

Then in your file.php script, do the following:
- explode $PATH_INFO on "/"
- check the $bootLeech array position with the same calculation ...
Where you can allow a plus/minus error tolerance of 10 minutes.

We use this trick on http://www.imagescentral.com ... Kids frequently want
to build Geocities sites that leech all our images. Our image file URLs work
*just* long enough for them to build their pages, and test that they look
good.

30 hours later, all the leeched images are replaced with Images Central
logos. : )

Fun!

-Clay

> From: "John Holmes" <[EMAIL PROTECTED]>
> Organization: U.S. Army
> Reply-To: <[EMAIL PROTECTED]>
> Date: Mon, 3 Jun 2002 20:06:42 -0400
> To: "'Philip Hess'" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
> Subject: RE: [PHP] Download Script - Newbie Alert
>
> Store the files above your web root and use a PHP script to control
> access.
>
> Use header to set the appropriate header for the file,
>
> header("Content-Type: application/vnd.ms-excel; name='excel'");
> header("Content-Disposition: attachment; filename=" . $filename . ".xls");
>
> then use passthru() to send the contents of the file. Use a path for
> passthru that's above the web root.
>
> The key to this though, is to do some checking with PHP to make sure the
> person is authorized to download the file. Simply doing the above will
> still allow someone to link directly to file.php?id=23 or whatever, and
> get the contents.
>
> Start a session on another page, the one before the download, and then
> check for the session in this page, before you send the file. If the
> session doesn't exist (or a certain variable within it) then don't send
> the file.
>
> ---John Holmes...
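Clay's time-windowed link and the matching check in file.php, written out as an added example (this is not Clay's or Images Central's code). The link side embeds date("U") / 2 and the check side explodes $PATH_INFO and compares that slot with the same calculation, allowing the plus/minus 10 minutes he mentions. Because the value is derived from the clock alone, anyone who knows the scheme can compute a fresh one, so this only defeats links that were copied and reused later, which is exactly the case Clay describes. The base URL, file id, filename and the fixed timestamp are constructed values.

```php
<?php
// Added example, not from the post: Clay's date("U") / 2 link scheme.
// intdiv() is used so the embedded value is always an integer; Clay's
// plain division yields x.5 on odd seconds, which changes nothing else.

const TOLERANCE_SECONDS = 600;  // +/- 10 minutes, as in the post

// Build the URL Clay's echo statement produces for a given file id and name.
function leechResistantUrl(string $base, int $id, string $name, ?int $now = null): string
{
    $now = $now ?? time();                 // time() is what date("U") returns
    $bootLeech = intdiv($now, 2);          // half the Unix timestamp
    return sprintf('%s/file.php/%d/%d/%s', $base, $id, $bootLeech, rawurlencode($name));
}

// Parse "/23/511591200/docname.xls" (the $PATH_INFO that file.php receives).
// Returns [id, bootLeech, filename], or null if the shape is wrong.
function parsePathInfo(string $pathInfo): ?array
{
    $parts = explode('/', trim($pathInfo, '/'));
    if (count($parts) !== 3 || !ctype_digit($parts[0]) || !ctype_digit($parts[1])) {
        return null;
    }
    return [(int) $parts[0], (int) $parts[1], $parts[2]];
}

// The "same calculation" check: undo the /2 and compare with the clock.
function tokenIsFresh(int $bootLeech, ?int $now = null): bool
{
    $now = $now ?? time();
    return abs($now - $bootLeech * 2) <= TOLERANCE_SECONDS;
}

// Constructed demonstration with a fixed clock so the result is reproducible.
$issuedAt = 1023182400;                                   // constructed timestamp
$url = leechResistantUrl('http://www.domain.com', 23, 'docname.xls', $issuedAt);
$pathInfo = substr(parse_url($url, PHP_URL_PATH), strlen('/file.php'));
[$id, $token, $name] = parsePathInfo($pathInfo);

var_dump(tokenIsFresh($token, $issuedAt + 300));          // bool(true): 5 minutes later
var_dump(tokenIsFresh($token, $issuedAt + 30 * 3600));    // bool(false): 30 hours later
```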
RE: [PHP] Download Script - Newbie Alert
Store the files above your web root and use a PHP script to control
access.

Use header to set the appropriate header for the file,

header("Content-Type: application/vnd.ms-excel; name='excel'");
header("Content-Disposition: attachment; filename=" . $filename . ".xls");

then use passthru() to send the contents of the file. Use a path for
passthru that's above the web root.

The key to this though, is to do some checking with PHP to make sure the
person is authorized to download the file. Simply doing the above will
still allow someone to link directly to file.php?id=23 or whatever, and
get the contents.

Start a session on another page, the one before the download, and then
check for the session in this page, before you send the file. If the
session doesn't exist (or a certain variable within it) then don't send
the file.

---John Holmes...

> -----Original Message-----
> From: Philip Hess [mailto:[EMAIL PROTECTED]]
> Sent: Monday, June 03, 2002 6:09 PM
> To: [EMAIL PROTECTED]
> Subject: [PHP] Download Script - Newbie Alert
>
> Hello,
>
> I would like to allow visitors to my site to download documents created
> with MS office and .PDF files as well. In order to prevent linking from
> other sites I'd like to make or modify a script that hides the actual
> location of the files.
>
> A pointer in the right direction would be most appreciated.
>
> Thanks
> ---
> Philip Hess - Pittsburgh, PA USA - Computer Teacher
> E-mail: pjh_at_zoominternet.net
> Phil's Place (my web site) http://phil.mav.net/
> PA School District Database: http://phil.mav.net/district.hts
> ---
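A download script along the lines John describes, as an added example (not John's code): files kept above the web root, a session check before anything is sent, then the headers and the file body. Two details are my own choices rather than the post's: the client never supplies a path or filename, only an id that is looked up in an allowlist, and readfile() streams the file in place of passthru(), which would otherwise mean running a shell command. The storage directory, the file table and the $_SESSION['download_ok'] flag are assumed names for illustration.

```php
<?php
// Added example, not from the post. Assumed layout: this script sits in the
// web root and the documents live one level above it in private_files/.
session_start();

const FILE_ROOT = __DIR__ . '/../private_files';   // assumed storage location

// id => [stored filename, MIME type, name the browser should save it as]
// Only ids in this table can be served, so no request data reaches the filesystem.
const FILES = [
    23 => ['report-2002.xls', 'application/vnd.ms-excel', 'docname.xls'],
    24 => ['handbook.pdf',    'application/pdf',          'handbook.pdf'],
];

// Accept the id from the PATH_INFO form Clay suggested (/file.php/23/docname.xls)
// or from ?id=23. Returns null unless it is a plain non-negative integer.
function requestedId(): ?int
{
    $raw = isset($_SERVER['PATH_INFO'])
        ? explode('/', trim($_SERVER['PATH_INFO'], '/'))[0]
        : ($_GET['id'] ?? '');
    return ctype_digit((string) $raw) ? (int) $raw : null;
}

// The flag the preceding page sets in the session (assumed name). Without it,
// a direct link to file.php is refused, which is the gap John points out.
if (empty($_SESSION['download_ok'])) {
    http_response_code(403);
    exit('Not authorized');
}

$id = requestedId();
if ($id === null || !array_key_exists($id, FILES)) {
    http_response_code(404);
    exit('No such file');
}

[$stored, $mime, $downloadName] = FILES[$id];
$path = FILE_ROOT . '/' . $stored;   // $stored comes from the allowlist, not the client

header('Content-Type: ' . $mime);
// The filename is our own constant, so quoting it is safe and keeps browsers honest.
header('Content-Disposition: attachment; filename="' . $downloadName . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```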