Posted by Dan Trainor on 10/02/64 11:30

Ben wrote:
> Dan Trainor said the following on 10/27/2005 10:39 AM:
>
>> Jason Motes wrote:
>
>
>>>> However, how do people protect against the downloading of real files,
>>>> ones which are not parsed by PHP? .WMV, .MOV, .ZIP, .EXE and so on? I
>>>> want to protect access to these as well, and if a visitor just types in
>>>> a URL and is able to access the file because my access control
>>>> mechanism
>>>> simply doesn't work on those types of files, what should be the
>>>> solution
>>>> here?
>
>
> <snip>
>
>> I'd like to keep the application as portable as possible; thus, I cannot
>> use any kind of htaccess hackery because I want this PHP application to
>> run on IIS, as well.
>
>
> Move the files outside the document root so that they aren't available
> via a direct URL, then create a 'file access page' in php that will
> check for the session variable and either send or not send the file
> based on whether the user has access.
>
> - Ben
>

Ben -

I knew this, but it was the "send or not send" thing that I was
concerned about ;)

Thanks
-dant

[Back to original message]