|
Posted by J.O. Aho on 01/12/06 07:04
ryan wrote:
> Hi. I am new to all of this and have been searching in vain. I
> understand that to protect files such as .pdf files from people just
> making a direct link to place these outside the web root. This would
> allow those authorized to the webpages and that are logged in could.
>
> I am so confused with getting there however. I subscribe to a web
> host. there is a www folder so if i make a file above this, place the
> pdfs for download here. from there i am confused. do i add the
> various scripts im finding to the actual page that has the link or does
> the link link to the page with the sole script that causes the file to
> open?
If you have a home directory (example uses standard *nix file tree, where your
username is "username")
/home/username
In here you have you www directory
/home/username/www
Everything inside the www will be accessible
everything that in your home directory, but not in your www aren't accessible,
so we could make a new directory for your pdf files
/home/username/pdf
Say we setup your site, with login pages and all the stuff you need and you
have your download.php in your www directory
/home/username/www/download.php
It could look something like this:
<?PHP
/* Code for checking that the user is really logged in */
/* hasn't been included here, but we assume it's here */
/* We get an argument to the download.php, which is f */
/* and it is the name of the file, we remove all .. */
/* from the file name just in case someone tries to */
/* access a file that they shouldn't access */
$file_name="/home/username/pdf/".ereg_replace("..","",$_REQUEST['f']);
/* Lets see if there is a such file */
if(is_file($file_name)) {
/* There is a such file, lets pass it to the user */
$fp = fopen($file_name, 'rb');
/* Send the right headers */
header("Content-Type: application/pdf");
header("Content-Length: " . filesize($file_name));
/* We send the file, close the fp and exit the script */
fpassthru($fp);
fclose($fp);
exit;
} else {
/* Sorry, there is no such file */
/* type some sorry file missing message, we give the */
/* filename they requested instead of the one we used */
/* so they won't know that we did prevent them from */
/* accessing files they don't have access to */
echo "Sorry, can't find a file".$_REQUEST['f'];
}
?>
It's not more difficult than that really.
//Aho
Navigation:
[Reply to this message]
|