|
Posted by Gordon Burditt on 06/01/06 05:28
>Your solution totally makes sense. Once I know the user is logged in, I
>determine what is his file name. Then I open a file stream to that
>file, and using fpassthru() spit it out.
You do this in a .php file which as far as the user is concerned
*is* the pdf file. And you can put in as many security checks
as you like before delivering the file.
>I can totally see how to implement this. However, I was wondering if
>there is a PHP function that takes a file name (located on the server)
*OUTSIDE THE DOCUMENT TREE*
>as input, and pops up a window with the PDF file in it.
It's not that hard to do using a combination of fopen(), fpassthru(),
(inside the script I suggested) and outputting some HTML that points
at the script I suggested.
>Or even prompts
If you want to pop up a window, that requires HTML. Or Javascript,
which is Turned Off(tm). And as far as I know, either requires a
URL for what to put *in* the window. That's where the script I
suggested comes in. I consider popping up a window to be obnoxious
behavior so I don't remember how to do it.
>the user to save the file. This way, there is no URL in the story. And
>hence, no privacy issues.
The URL to the PHP script I suggested gives the user his *own* pdf
file. It's like the "View my Statement" link on my bank's website.
It's the same link for every user (but delivers different info),
and it gives an error message to those not logged in. Publish it
to the world: if your login system has decent security, it's not
a problem. If your login system does not have decent security,
you're in deep trouble anyway.
Since the .pdf files for individual users are outside the document
tree, you can make those paths public, too, since nobody can
access them. Nobody will see the paths when they access the
files in the normal way. However, making the paths public provides
a specific target for someone hacking your system or sending you
a virus, so I suggest not making them public. There's no innocent
use of those paths directly by users anyway.
>Gordon Burditt wrote:
>> >I have a link on my web page. When clicked, opens up a pdf file that is
>> >stored on my server. Every file is specific to a user's user name and I
>> >don't want users to see each other's files.
>> >For example:
>> >When User1 clicks on the link, it opens up
>> >http://mydomain.com/files/user1.pdf
>> >and when User2 clicks on the link, it opens up
>> >http://mydomain.com/files/user2.pdf.
>> >
>> >So, if User1 knows about User2, he can see User2's pdf file.
>> >
>> >How can I make the file open up in a different window without the file
>> >path in the address bar?
>>
>> Make sure that there is *NO* URL that can be used to obtain
>> the file for a user unless the person is logged in as that user.
>> Provide one URL that can be used by a user to get their own file.
>>
>> Write a PHP script, say, pdf.php, which does the following:
>>
>> 1. Determines if the user is logged in, if not, rejects the request.
>> 2. Opens the .pdf file (located *outside* the web server document root)
>> for the logged in user, using the username as part of the path
>> name somehow. Or, it could generate the pdf file on the fly.
>> 3. Outputs a content-type header for a pdf file.
>> 4. Calls fpassthru() on the file opened in #2.
>>
>> The user clicks on a link to pdf.php, and they get *their* pdf file.
>>
>> Gordon L. Burditt
>
[Back to original message]
|