RE: [PHP] Restrict file access from web users?

2002-11-10 Thread James Taylor
Thank you sir, problem solved :)

-Original Message-
From: Justin French [mailto:justin@;indent.com.au]
Sent: Sunday, November 10, 2002 11:21 PM
To: James Taylor; [EMAIL PROTECTED]
Subject: Re: [PHP] Restrict file access from web users?


You still need to restrict the files from being served directly over http...
this can be done via a .htaccess, or just stored outside the document root.

Then, you create a script called download.php, which INSN'T a html page --
it sets a content header, and passes a .zip file through itself to the user.

Start by reading this article:
http://www.zend.com/zend/trick/tricks-august-2001.php


Cheers,

Justin





on 11/11/02 4:10 PM, James Taylor ([EMAIL PROTECTED]) wrote:

> Ok, I have something like this set up:
>
> 1. User logs into site.  Authenticates through a mysql table which
basically
> just has username/password columns. Session is set.
>
> 2. User goes through site looking for information he'd like to purchase
> based on specific fields.  After the gathering of information is done, a
> script dumps the text into a CSV file and zips it.
>
> 3. The user then downloads the zip.
>
> What I can't figure out though, is in step number 3 - How do I secure
this?
> The filenames are randomly generated, but if someone felt like saving a
few
> bucks, they could write a program to try and brute force the guessing of
> filenames.  I need to somehow have an .htaccess type system, WITHOUT
> .htaccess since the usernames are all just in a standard MySQL table.  Any
> suggestions?  Store the file in a table blob? I can't really think of
> anything.  Thanks for your help.
>

Justin French

Creative Director
http://Indent.com.au
Web Developent &
Graphic Design



--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] Restrict file access from web users?

2002-11-10 Thread Justin French
You still need to restrict the files from being served directly over http...
this can be done via a .htaccess, or just stored outside the document root.

Then, you create a script called download.php, which INSN'T a html page --
it sets a content header, and passes a .zip file through itself to the user.

Start by reading this article:
http://www.zend.com/zend/trick/tricks-august-2001.php


Cheers,

Justin





on 11/11/02 4:10 PM, James Taylor ([EMAIL PROTECTED]) wrote:

> Ok, I have something like this set up:
> 
> 1. User logs into site.  Authenticates through a mysql table which basically
> just has username/password columns. Session is set.
> 
> 2. User goes through site looking for information he'd like to purchase
> based on specific fields.  After the gathering of information is done, a
> script dumps the text into a CSV file and zips it.
> 
> 3. The user then downloads the zip.
> 
> What I can't figure out though, is in step number 3 - How do I secure this?
> The filenames are randomly generated, but if someone felt like saving a few
> bucks, they could write a program to try and brute force the guessing of
> filenames.  I need to somehow have an .htaccess type system, WITHOUT
> .htaccess since the usernames are all just in a standard MySQL table.  Any
> suggestions?  Store the file in a table blob? I can't really think of
> anything.  Thanks for your help.
> 

Justin French

Creative Director
http://Indent.com.au
Web Developent & 
Graphic Design



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] Restrict file access from web users?

2002-11-10 Thread Jason Wong
On Monday 11 November 2002 14:10, James Taylor wrote:
> Ok, I have something like this set up:
>
> 1. User logs into site.  Authenticates through a mysql table which
> basically just has username/password columns. Session is set.
>
> 2. User goes through site looking for information he'd like to purchase
> based on specific fields.  After the gathering of information is done, a
> script dumps the text into a CSV file and zips it.
>
> 3. The user then downloads the zip.
>
> What I can't figure out though, is in step number 3 - How do I secure this?
> The filenames are randomly generated, but if someone felt like saving a few
> bucks, they could write a program to try and brute force the guessing of
> filenames.  I need to somehow have an .htaccess type system, WITHOUT
> .htaccess since the usernames are all just in a standard MySQL table.  Any
> suggestions?  Store the file in a table blob? I can't really think of
> anything.  Thanks for your help.

Try searching archives? It's been covered many times before and there are a 
load of good info in the archives. Start with the keywords as per your 
subject "Restrict file access". 


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php