RE: [PHP] Download Script - Newbie Alert

2002-06-03 Thread John Holmes

Store the files above your web root and use a PHP script to control
access. 

Use header to set the appropriate header for the file,

header("Content-Type: application/vnd.ms-excel; name='excel'"); 
header("Content-Disposition: attachment; filename=" . $filename . ".xls");

then use passthru() to send the contents of the file. Use a path for
passthru that's above the web root.

The key to this, though, is to do some checking with PHP to make sure the
person is authorized to download the file. Simply doing the above will
still allow someone to link directly to file.php?id=23 or whatever, and
get the contents.

Start a session on another page, the one before the download, and then
check for the session in this page, before you send the file. If the
session doesn't exist (or a certain variable within it) then don't send
the file.

---John Holmes...

> -Original Message-
> From: Philip Hess [mailto:[EMAIL PROTECTED]]
> Sent: Monday, June 03, 2002 6:09 PM
> To: [EMAIL PROTECTED]
> Subject: [PHP] Download Script - Newbie Alert
> 
> Hello,
> 
> I would like to allow visitors to my site to download documents created
> with MS office and .PDF files as well. In order to prevent linking from
> other sites I'd like to make or modify a script that hides the actual
> location of the files.
> 
> A pointer in the right direction would be most appreciated.
> 
> Thanks
> ---
> Philip Hess - Pittsburgh, PA USA - Computer Teacher
> E-mail: pjh_at_zoominternet.net
> Phil's Place (my web site) http://phil.mav.net/
> PA School District Database: http://phil.mav.net/district.hts
> ---
> 



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
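A file.php gate in the shape John describes, as an added example that is not code from the thread. It assumes the documents live in /var/files outside the web root, that the page before the download set $_SESSION['user'], and that the id-to-file map is constructed here; it uses readfile() rather than passthru(), since passthru() runs a shell command rather than reading a file.

```php
<?php
// Added example, not code from the thread: a file.php gate in the shape
// John describes. Assumptions: documents live in /var/files (outside the
// web root), the page before the download did session_start() and set
// $_SESSION['user'], and the id => file map below is constructed.
session_start();

const FILE_DIR = '/var/files';
const FILES = [
    23 => ['report.xls',   'application/vnd.ms-excel'],
    24 => ['handbook.pdf', 'application/pdf'],
];

// Decide what to send: [status, absolute path, [name, mime]].
function resolveDownload(array $session, $id)
{
    // Session first: a direct link to file.php?id=23 without a login gets 403.
    if (empty($session['user'])) {
        return [403, null, null];
    }
    // Only whitelisted integer ids are honoured; the request never names a path.
    if (!ctype_digit((string) $id) || !isset(FILES[(int) $id])) {
        return [404, null, null];
    }
    [$name, $mime] = FILES[(int) $id];
    $path = FILE_DIR . '/' . $name;
    if (!is_file($path)) {
        return [404, null, null];
    }
    return [200, $path, [$name, $mime]];
}

[$status, $path, $meta] = resolveDownload($_SESSION, $_GET['id'] ?? '');
if ($status !== 200) {
    http_response_code($status);
    exit;
}
[$name, $mime] = $meta;
header('Content-Type: ' . $mime);
// Quoted filename, so browsers save "report.xls" rather than "file.php".
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($path));
readfile($path);   // streams the bytes directly; no shell command is run
```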




Re: [PHP] Download Script - Newbie Alert

2002-06-03 Thread Clay Loveless

Something else along these lines -- I really, really wish that more sites
that use this method would test across multiple browsers and platforms.

I agree with everything John is saying regarding testing access/permissions
-- I've used this technique many times myself.

However, if a user with Internet Explorer on Mac OS X clicks this link:

www.domain.com/file.php?id=23

They'll wind up with a file on their desktop called "file.php".

Not every browser pays close enough attention to the "filename" in the
Content-Disposition header.

Solution?

www.domain.com/file.php/23/docname.xls

I believe this will run file.php, which can then pull in the $PATH_INFO to
determine what file is being requested, check session permissions, etc., can
then spit out the right headers as John suggests, AND users will definitely
wind up with a downloaded file called "docname.xls".

If your pages are dynamically generated, you can even do tricks like this to
thwart external linking:

<?php
$bootLeech = date("U") / 2;
echo "<a href=\"http://www.domain.com/file.php/23/$bootLeech/docname.xls\">download</a>";
?>

Then in your file.php script, do the following:
- explode $PATH_INFO on "/"
- check the $bootLeach array position with the same calculation ...
Where you can allow a plus/minus error tolerance of 10 minutes.


We use this trick on http://www.imagescentral.com ... Kids frequently want
to build Geocities sites that leech all our images. Our image file URLs work
*just* long enough for them to build their pages, and test that they look
good. 

30 hours later, all the leeched images are replaced with Images Central
logos. : )

Fun!

-Clay




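The time-keyed URL Clay sketches, as an added example that is not his code: one function for the link page and two for file.php. It assumes the link page and file.php share a clock, and that the web server exposes the trailing path as $_SERVER['PATH_INFO'] (Apache does with AcceptPathInfo on).

```php
<?php
// Added example, not Clay's code: the time-keyed URL from his post as a
// link-side and a file.php-side function. Assumes the link page and
// file.php share a clock, and that the web server exposes the trailing
// path as $_SERVER['PATH_INFO'] (Apache does with AcceptPathInfo on).

// Link page: the token is the current Unix time halved, as in the original.
function makeLink($id, $name, $now)
{
    $token = intdiv($now, 2);
    return "http://www.domain.com/file.php/$id/$token/" . rawurlencode($name);
}

// file.php: split PATH_INFO ("/23/<token>/docname.xls") into its parts.
function parseDownloadPath($pathInfo)
{
    $parts = explode('/', trim($pathInfo, '/'));
    if (count($parts) !== 3 || !ctype_digit($parts[0]) || !ctype_digit($parts[1])) {
        return null;
    }
    return ['id' => (int) $parts[0], 'token' => (int) $parts[1], 'name' => $parts[2]];
}

// Accept the link only while its token is within +/- 10 minutes of now.
function tokenIsFresh($token, $now, $toleranceSec = 600)
{
    return abs($token * 2 - $now) <= $toleranceSec;
}

// In file.php; John's session check still belongs in front of this.
$req = parseDownloadPath($_SERVER['PATH_INFO'] ?? '');
if ($req === null || !tokenIsFresh($req['token'], time())) {
    http_response_code(403);
    exit;
}
// ... look up $req['id'] in the server-side map and send the file ...
```

Because the token is computed from the clock alone, anyone can recompute it, so this defeats static copies of a link rather than a site that regenerates it. The trailing name is display-only: file.php still resolves the id against its own server-side map rather than opening whatever name the URL carries.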




Re: [PHP] Download Script - Newbie Alert

2002-06-04 Thread Marek Kilimajer

You can also check $HTTP_REFERER; it's much simpler.

Marek








RE: [PHP] Download Script - Newbie Alert

2002-06-04 Thread John Holmes

That can be spoofed, though, and not all browsers set it, and it will not
stop anyone from just typing in the URL...

http://www.example.com/files/mydoc.doc

---John Holmes...
