[PHP] File Access & Security Issues
How assured can I be that people will NOT be able to view my PHP code? I'm creating an e-commerce site that will contain sensitive information and algorithms. I want to take every precaution possible to protect that data and code.

One concern in particular is the ability to view the contents of a file through PHP, rather than through HTTP. I've noticed that many file functions do not work for non-local files, which is good. But can a good hacker still get access in some indirect way?

Thank you!

Steven J. Walker
Walker Effects
www.walkereffects.com
[EMAIL PROTECTED]

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP] file access(mpeg) only for authenticated people
Hi!

I'm trying to make some mpegs available only to people who authenticated themselves using PHP. But I found all the solutions somewhat unpleasant, because I used chmod to set the file attributes to u=rw and then used either

i) readfile("ftp://name:password@server/path//test.mpeg");

or

ii) header ("Location: ftp://name:password@server/path/test.mpeg");

But in case

i) the browser asks if I want to download the file or view it. If I choose view, the browser suggests to save the movie as myscript.php, and if I choose view it doesn't display anything.

ii) the browser displays my username and password in the status bar.

And in both cases it downloads the whole file (I guess because I use ftp) before starting the mpeg program (where nothing happens afterwards in case i).

Is there a better way? Like telling the server via http my login data and sending the file to the user's browser?

Thanks
Thorsten

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Re: [PHP] file access(mpeg) only for authenticated people
Hey,

Well sure there is:

    // Open in binary mode so the MPEG data is not altered on any platform.
    $fp = fopen($filename, 'rb') or die('damn');
    $read = fread($fp, filesize($filename)) or die('damn');
    fclose($fp);
    $filestr = basename($filename);

    // Headers must be sent before any output; quote the filename so spaces survive.
    header("Content-Disposition: attachment; filename=\"$filestr\"");
    header("Content-Type: application/octet-stream");

    echo $read;
    exit;

Neat And Clean!

Your authentication can be done above that piece of code, you then open the file, read it through, send the filename download as $filestr, and the contents $read.

Simple!

--- Thorsten Gutermuth <[EMAIL PROTECTED]> wrote:
> Hi!
>
> I'm trying to make some mpegs available only to people who authenticated
> themselves using PHP. But I found all the solutions somewhat unpleasant,
> because I used chmod to set the file attributes to u=rw and then
> used either
>
> i) readfile("ftp://name:password@server/path//test.mpeg");
>
> or
>
> ii) header ("Location: ftp://name:password@server/path/test.mpeg");
>
> But in case
>
> i) the browser asks if I want to download the file or view it. If I choose
> view, the browser suggests to save the movie as myscript.php, and if I choose
> view it doesn't display anything.
>
> ii) the browser displays my username and password in the status bar.
>
> And in both cases it downloads the whole file (I guess because I use ftp)
> before starting the mpeg program (where nothing happens afterwards in case i).
>
> Is there a better way? Like telling the server via http my login data and
> sending the file to the user's browser?
>
> Thanks
> Thorsten

To find out more about me : http://www.geocities.com/mimodit
My bookmarks are available @ http://mukul.free.fr

Re: [PHP] file access(mpeg) only for authenticated people
Hi!

I'm having some trouble with this. If I use an ftp address, for some reason I'm unable to read the file (although I get a handle). (The ftp server supports passive mode.)

And if I use http (without authorisation), the browser still asks if I want to save it (even if I use video/mpeg as Content-Type) and still displays the name of my PHP script instead of the mpeg when asking what I want to do. If I choose save, it then displays the right filename.

Thanks
Thorsten

Mukul Sabharwal <[EMAIL PROTECTED]> wrote in news post: [EMAIL PROTECTED]
> Hey,
>
> Well sure there is:
>
> // Open in binary mode so the MPEG data is not altered on any platform.
> $fp = fopen($filename, 'rb') or die('damn');
> $read = fread($fp, filesize($filename)) or die('damn');
> fclose($fp);
> $filestr = basename($filename);
>
> // Headers must be sent before any output; quote the filename so spaces survive.
> header("Content-Disposition: attachment; filename=\"$filestr\"");
> header("Content-Type: application/octet-stream");
>
> echo $read;
> exit;
>
> Neat And Clean!
>
> Your authentication can be done above that piece of code, you then open
> the file, read it through, send the filename download as $filestr, and the
> contents $read.
>
> Simple!
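
Added example (not code from any poster in this thread): one way to serve the MPEG over HTTP only to a logged-in user, with the file kept outside the web root instead of relying on chmod or on FTP credentials in a URL. The session key user_id, the MEDIA_DIR path and the file query parameter are assumptions made for illustration.

```php
<?php
// Added example: gate a media file behind a PHP session check.
// Assumptions (hypothetical): the login code sets $_SESSION['user_id'];
// MEDIA_DIR lies outside the web root; the file is named in ?file=.
const MEDIA_DIR = '/var/www/private/media';

// Return the real path of $requested inside $baseDir, or null.
// basename() drops directory parts; realpath() resolves symlinks.
function resolve_media(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    $name = basename($requested);
    if ($base === false || !preg_match('/^[A-Za-z0-9._-]+\.mpe?g$/i', $name)) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    // The resolved path must still start with the media directory.
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

session_start();
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Login required');
}

$requested = is_string($_GET['file'] ?? null) ? $_GET['file'] : '';
$path = resolve_media(MEDIA_DIR, $requested);
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

// "inline" asks the browser to hand the data to its player; the
// filename parameter supplies a name other than the script's.
header('Content-Type: video/mpeg');
header('Content-Length: ' . filesize($path));
header('Content-Disposition: inline; filename="' . basename($path) . '"');
header('X-Content-Type-Options: nosniff');

session_write_close(); // release the session lock during the transfer
readfile($path);       // copies the file to output without a PHP string
exit;
```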