Something else along these lines -- I really, really wish that more sites
that use this method would test across multiple browsers and platforms.

I agree with everything John is saying regarding testing access/permissions
-- I've used this technique many times myself.

However, if a user with Internet Explorer on Mac OS X clicks this link:

    www.domain.com/file.php?id=23

They'll wind up with a file on their desktop called "file.php".

Not every browser pays close enough attention to the "filename" in the
Content-Disposition header.

Solution?

    www.domain.com/file.php/23/docname.xls

I believe this will run file.php, which can then pull in the $PATH_INFO to
determine what file is being requested, check session permissions, etc., can
then spit out the right headers as John suggests, AND users will definitely
wind up with a downloaded file called "docname.xls".

If your pages are dynamically generated, you can even do tricks like this to
thwart external linking:

<?php
    // Token derived from the current Unix time; file.php repeats the calculation
    $bootLeech = date("U") / 2;
    echo "<a href=\"http://www.domain.com/file.php/23/$bootLeech/docname.xls\">download</a>";
?>

Then in your file.php script, do the following:
    - explode $PATH_INFO on "/"
    - check the $bootLeech array position with the same calculation ...
Where you can allow a plus/minus error tolerance of 10 minutes.


We use this trick on http://www.imagescentral.com ... Kids frequently want
to build Geocities sites that leech all our images. Our image file URLs work
*just* long enough for them to build their pages, and test that they look
good. 

30 hours later, all the leeched images are replaced with Images Central
logos. : )

Fun!

-Clay
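
One way to write the file.php side of the scheme described above, as an added example that is not code from the thread. It parses PATH_INFO, applies the plus/minus 10 minute check, and goes one step further with a keyed variant (timestamp plus HMAC), since the time/2 value can be computed by any client. `STORE`, `SECRET`, the `may_download` session key and the id-to-file mapping are assumptions.

```php
<?php
// Added example. STORE, SECRET, 'may_download' and the "<id>.xls" mapping are assumptions.
const TOLERANCE = 600;                          // plus/minus 10 minutes, in seconds
const SECRET    = 'REPLACE_WITH_RANDOM_KEY';    // placeholder server-side key
const STORE     = '/var/private/files';         // hypothetical directory above the web root

// Split "/23/<token>/docname.xls" into id, token and a sanitised display name.
function parsePathInfo(string $pathInfo): ?array
{
    $parts = explode('/', trim($pathInfo, '/'));
    if (count($parts) !== 3 || !ctype_digit($parts[0])) {
        return null;
    }
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $parts[2]);
    return ['id' => (int) $parts[0], 'token' => $parts[1], 'name' => $name];
}

// The check as described in the post: the token is time/2, so double it and compare.
function plainTokenIsFresh(string $token, int $now): bool
{
    return is_numeric($token) && abs((float) $token * 2 - $now) <= TOLERANCE;
}

// Keyed variant: "<timestamp>-<HMAC of id|timestamp>", compared in constant time.
function makeSignedToken(int $id, int $now): string
{
    return $now . '-' . hash_hmac('sha256', $id . '|' . $now, SECRET);
}
function signedTokenIsValid(int $id, string $token, int $now): bool
{
    [$ts, $mac] = array_pad(explode('-', $token, 2), 2, '');
    return ctype_digit($ts)
        && hash_equals(hash_hmac('sha256', $id . '|' . $ts, SECRET), $mac)
        && abs($now - (int) $ts) <= TOLERANCE;
}

if (PHP_SAPI !== 'cli') {                       // request handling, web server only
    session_start();
    $req  = parsePathInfo($_SERVER['PATH_INFO'] ?? '');
    $file = $req ? STORE . '/' . $req['id'] . '.xls' : '';
    if (!$req || empty($_SESSION['may_download']) || !is_file($file)
        || !signedTokenIsValid($req['id'], $req['token'], time())) {
        http_response_code(403);
        exit;
    }
    header('Content-Type: application/vnd.ms-excel');
    header('Content-Disposition: attachment; filename="' . $req['name'] . '"');
    readfile($file);
}
```

The page that prints the link would call `makeSignedToken(23, time())` in place of the `date("U") / 2` value.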

    

> From: "John Holmes" <[EMAIL PROTECTED]>
> Organization: U.S. Army
> Reply-To: <[EMAIL PROTECTED]>
> Date: Mon, 3 Jun 2002 20:06:42 -0400
> To: "'Philip Hess'" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
> Subject: RE: [PHP] Download Script - Newbie Alert
> 
> Store the files above your web root and use a PHP script to control
> access. 
> 
> Use header to set the appropriate header for the file,
> 
> header("Content-Type: application/vnd.ms-excel; name='excel'");
> header("Content-Disposition: attachment; filename=" . $filename .
> ".xls");
> 
> then use passthru() to send the contents of the file. Use a path for
> passthru that's above the web root.
> 
> The key to this though, is to do some checking with PHP to make sure the
> person is authorized to download the file. Simply doing the above will
> still allow someone to link directly to file.php?id=23 or whatever, and
> get the contents.
> 
> Start a session on another page, the one before the download, and then
> check for the session in this page, before you send the file. If the
> session doesn't exist (or a certain variable within it) then don't send
> the file.
> 
> ---John Holmes...
> 
>> -----Original Message-----
>> From: Philip Hess [mailto:[EMAIL PROTECTED]]
>> Sent: Monday, June 03, 2002 6:09 PM
>> To: [EMAIL PROTECTED]
>> Subject: [PHP] Download Script - Newbie Alert
>> 
>> Hello,
>> 
>> I would like to allow visitors to my site to download documents created
>> with MS office and .PDF files as well. In order to prevent linking from
>> other sites I'd like to make or modify a script that hides the actual
>> location of the files.
>> 
>> A pointer in the right direction would be most appreciated.
>> 
>> Thanks
>> ---------------------------------------------------------------
>> Philip Hess - Pittsburgh, PA USA - Computer Teacher
>> E-mail: pjh_at_zoominternet.net
>> Phil's Place (my web site) http://phil.mav.net/
>> PA School District Database: http://phil.mav.net/district.hts
>> ---------------------------------------------------------------
>> 
>> 
>> --
>> PHP General Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php