Reply to Re: protecting files by putting outside web root


Posted by J.O. Aho on 01/12/06 07:04

ryan wrote:
> Hi. I am new to all of this and have been searching in vain. I
> understand that to protect files such as .pdf files from people just
> making a direct link to place these outside the web root. This would
> allow those authorized to the webpages and that are logged in could.
>
> I am so confused with getting there however. I subscribe to a web
> host. There is a www folder so if I make a file above this, place the
> pdfs for download here. From there I am confused. Do I add the
> various scripts I'm finding to the actual page that has the link or does
> the link link to the page with the sole script that causes the file to
> open?

If you have a home directory (example uses standard *nix file tree, where your
username is "username")

/home/username

In here you have your www directory

/home/username/www

Everything inside the www will be accessible

Everything that is in your home directory, but not in your www, isn't accessible,
so we could make a new directory for your pdf files

/home/username/pdf


Say we set up your site, with login pages and all the stuff you need and you
have your download.php in your www directory

/home/username/www/download.php

It could look something like this:

<?PHP
/* Code for checking that the user is really logged in */
/* hasn't been included here, but we assume it's here */

/* We get an argument to the download.php, which is f */
/* and it is the name of the file, we remove all .. */
/* from the file name just in case someone tries to */
/* access a file that they shouldn't access */
/* str_replace() matches the literal string "..", in a */
/* regular expression ".." would match any two characters */
$requested = (isset($_REQUEST['f']) && is_string($_REQUEST['f'])) ? $_REQUEST['f'] : '';
$file_name = "/home/username/pdf/" . str_replace("..", "", $requested);

/* Lets see if there is a such file */
if (is_file($file_name)) {
    /* There is a such file, lets pass it to the user */
    $fp = fopen($file_name, 'rb');

    /* Send the right headers */
    header("Content-Type: application/pdf");
    header("Content-Length: " . filesize($file_name));

    /* We send the file, close the fp and exit the script */
    fpassthru($fp);
    fclose($fp);
    exit;

} else {
    /* Sorry, there is no such file */
    /* type some sorry file missing message, we give the */
    /* filename they requested instead of the one we used */
    /* so they won't know that we did prevent them from */
    /* accessing files they don't have access to */
    /* The name is HTML-escaped before it is echoed back */
    echo "Sorry, can't find a file " . htmlspecialchars($requested, ENT_QUOTES, 'UTF-8');
}

?>

It's not more difficult than that really.


//Aho
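
A stricter variant of the file-name check in download.php, as an added example that is not part of the original post: it allowlists the requested name and uses realpath() to confirm the resolved file is still inside the PDF directory, which also rejects symlinks that point elsewhere. The function name resolve_download and the temp-directory demo files are constructed for illustration, and a *nix host is assumed.

```php
<?php
// Added example (hypothetical helper, not from the original post).
// Returns the resolved path of a downloadable file inside $baseDir, or null.
function resolve_download(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                    // storage directory is missing
    }
    // Allowlist the name: no slashes, no leading dot, must end in .pdf.
    if (!preg_match('/\A[A-Za-z0-9_-][A-Za-z0-9._-]*\.pdf\z/', $requested)) {
        return null;
    }
    // realpath() follows symlinks and returns false for a missing file.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // Containment: the resolved path must still start with "<base>/".
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo data in a temp directory (assumes symlink() is available).
$root = sys_get_temp_dir() . '/dl_demo_' . getmypid();
mkdir("$root/pdf", 0700, true);
file_put_contents("$root/pdf/manual.pdf", "%PDF-1.4 constructed sample");
file_put_contents("$root/secret.pdf", "lives outside the pdf directory");
symlink("$root/secret.pdf", "$root/pdf/link.pdf");  // link pointing out of the base

$requests = ['manual.pdf', '../secret.pdf', 'link.pdf', 'missing.pdf', '.htaccess'];
foreach ($requests as $f) {
    $p = resolve_download("$root/pdf", $f);
    printf("%-16s => %s\n", $f, $p === null ? 'rejected' : 'served');
}

// Remove the demo files again.
unlink("$root/pdf/link.pdf");
unlink("$root/pdf/manual.pdf");
unlink("$root/secret.pdf");
rmdir("$root/pdf");
rmdir($root);
```

In download.php the returned path would replace $file_name, with a null result leading to the same "can't find" message for every rejected request.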
