[PHP] File Access & Security Issues

2002-02-14 Thread Steven Walker

How assured can I be that people will NOT be able to view my php code?

I'm creating an e-commerce site that will contain sensitive information 
and algorithms. I want to take every precaution possible to protect 
that data and code.

One concern in particular is the ability to view the contents of a file 
through PHP, rather than through HTTP. I've noticed that many file 
functions do not work for non-local files, which is good. But can a good 
hacker still get access in some indirect way?

Thank you!

Steven J. Walker
Walker Effects
www.walkereffects.com
[EMAIL PROTECTED]


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




[PHP] file access(mpeg) only for authenticated people

2001-03-07 Thread Thorsten Gutermuth

Hi!
I'm trying to make some mpegs available only to people who authenticated
themselves using php. But all the solutions I found are somewhat unpleasant
because I used chmod to set the file attributes to u=rw and then
used either
i) readfile("ftp://name:password@server/path//test.mpeg");

or

ii) header ("Location: ftp://name:password@server/path/test.mpeg");

But in case
i) the browser asks if I want to download the file or view it. If I choose
view, the browser suggests to save the movie as myscript.php, and if I choose
view, it doesn't display anything.

ii) the browser displays my username and password in the status bar.

And in both cases it downloads the whole file (I guess because I use ftp)
before starting the mpeg program (where nothing happens afterwards in case
i).

Is there a better way? Like telling the server via http my login data and
sending the file to the user's browser?

Thanks
Thorsten









Re: [PHP] file access(mpeg) only for authenticated people

2001-03-07 Thread Mukul Sabharwal

Hey,

Well sure there is:

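// $filename: server-side path of the file, set after the authentication check
$fp = fopen($filename, 'rb') or die('damn');   // 'rb' keeps the read binary-safe
$read = fread($fp, filesize($filename)) or die('damn');
fclose($fp);
$filestr = basename($filename);

// Each header must be a single line; the filename goes in quotes
header("Content-Disposition: attachment; filename=\"$filestr\"");
header("Content-Type: application/octet-stream");

echo $read;
exit;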

Neat And Clean!

Your authentication can be done above that piece of
code; you then open the file, read it through, send the
download filename as $filestr, and the contents as
$read.

Simple!


--- Thorsten Gutermuth <[EMAIL PROTECTED]> wrote:
> Hi!
> I'm trying to make some mpegs available only to people who authenticated
> themselves using php. But all the solutions I found are somewhat unpleasant
> because I used chmod to set the file attributes to u=rw and then
> used either
> i) readfile("ftp://name:password@server/path//test.mpeg");
>
> or
>
> ii) header ("Location: ftp://name:password@server/path/test.mpeg");
>
> But in case
> i) the browser asks if I want to download the file or view it. If I choose
> view, the browser suggests to save the movie as myscript.php, and if I choose
> view, it doesn't display anything.
>
> ii) the browser displays my username and password in the status bar.
>
> And in both cases it downloads the whole file (I guess because I use ftp)
> before starting the mpeg program (where nothing happens afterwards in case
> i).
>
> Is there a better way? Like telling the server via http my login data and
> sending the file to the user's browser?
>
> Thanks
> Thorsten


To find out more about me : http://www.geocities.com/mimodit
My bookmarks are available @ http://mukul.free.fr
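
One way to combine the authentication check with the file delivery discussed in this thread, as an added example that is not part of any poster's message: the file sits outside the document root, the request names it by an opaque id, and it is sent in chunks as video/mpeg. The directory, the catalog, the `user_id` session key and the `id` query parameter are assumed names.

```php
<?php
// Added example; MEDIA_DIR, $catalog, the 'user_id' session key and the 'id' parameter are assumed names.
const MEDIA_DIR = '/var/private/media';   // outside the document root, so no URL maps to it
$catalog = ['intro' => 'test.mpeg'];      // allow-list: requests carry an opaque id, never a path

/** Resolve an id to a readable file inside $baseDir, or null. */
function resolve_media(array $catalog, string $id, string $baseDir): ?string
{
    if (!isset($catalog[$id])) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $catalog[$id]);
    if ($base === false || $path === false) {
        return null;
    }
    // realpath() resolves ".." and symlinks; the result must still sit under $base.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return (is_file($path) && is_readable($path)) ? $path : null;
}

session_start();
if (empty($_SESSION['user_id'])) {        // set by the login code once credentials are verified
    http_response_code(403);
    exit('Not authenticated');
}

$id = $_GET['id'] ?? '';
$path = is_string($id) ? resolve_media($catalog, $id, MEDIA_DIR) : null;
$fp = ($path !== null) ? fopen($path, 'rb') : false;
if ($fp === false) {
    http_response_code(404);
    exit('No such file');
}
session_write_close();                    // release the session lock during the transfer

header('Content-Type: video/mpeg');
header('Content-Length: ' . filesize($path));
header('Content-Disposition: inline; filename="' . basename($path) . '"');
header('X-Content-Type-Options: nosniff');

while (!feof($fp)) {                      // fixed-size chunks: the file is never held in memory whole
    echo fread($fp, 8192);
    flush();
}
fclose($fp);
```

Because PHP reads the file from the local disk, no FTP credentials appear in any URL the browser sees, and the web server never serves the media directory directly.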





Re: [PHP] file access(mpeg) only for authenticated people

2001-03-07 Thread Thorsten Gutermuth

Hi!
I'm having some trouble with this. If I use an ftp address, for some
reason I'm unable to read the file (although I get a handle). (The ftp server
supports passive mode.)
And if I use http (without authorisation) the browser still asks if I want to
save it (even if I use video/mpeg as Content-Type) and still displays the
name of my php script instead of the mpeg when asking what I want to do. If
I choose save, it then displays the right filename.

Thanks
Thorsten


Mukul Sabharwal <[EMAIL PROTECTED]> wrote in news message:
[EMAIL PROTECTED]
> Hey,
>
> Well sure there is:
>
> // $filename: server-side path of the file, set after the authentication check
> $fp = fopen($filename, 'rb') or die('damn');   // 'rb' keeps the read binary-safe
> $read = fread($fp, filesize($filename)) or die('damn');
> fclose($fp);
> $filestr = basename($filename);
>
> // Each header must be a single line; the filename goes in quotes
> header("Content-Disposition: attachment; filename=\"$filestr\"");
> header("Content-Type: application/octet-stream");
>
> echo $read;
> exit;
>
> Neat And Clean!
>
> Your authentication can be done above that piece of
> code; you then open the file, read it through, send the
> download filename as $filestr, and the contents as
> $read.
>
> Simple!



