|
|
Posted by Dan Trainor on 10/20/43 11:30
Ben wrote:
> Dan Trainor said the following on 10/27/2005 01:34 PM:
>
>> Ben wrote:
>>
>>> Move the files outside the document root so that they aren't available
>>> via a direct URL, then create a 'file access page' in php that will
>>> check for the session variable and either send or not send the file
>>> based on whether the user has access.
>>>
>>> - Ben
>>>
>>
>>
>> Ben -
>>
>> I knew this, but it was the "send or not send" thing that I was
>> concerned about ;)
>
>
> Sounds like you need to have a look here:
> http://ca3.php.net/manual/en/ref.filesystem.php
>
> and specifically here:
> http://ca3.php.net/manual/en/function.fpassthru.php
>
> and so you can set the proper headers:
> http://ca3.php.net/manual/en/function.filetype.php
>
> The on-line manual is your friend :-).
>
> Also, you will want to be _very_ careful about ensuring that the file
> you are sending is in fact the file you want to be sending (ie
> /etc/passwd would be a no-no).
>
> - Ben
>
Ben -
Yes, I've been playing with passthru() today, and it's quite
interesting. I think it's going to work. I made a little pass-through
(pardon the pun) scriupt to do exactly what I'm looking for.
I've already started working on a set of sanity checks and such for the
requested files to prevent such malicious activity.
I want to thank you all again for your help.
Thanks!
-dant
Navigation:
[Reply to this message]
|