
Clarification

Wes
I am trying to secure different files, mostly pdf, so only the person
supposed to see the file that was designed for that individual can see it. I
am using sessions to secure the actual web pages, but now I am trying to
secure non-php files. Here is where I need some help/clarification.

I was told to save the files outside the Web accessible directories. Is
this the directory before /www/ so would look like /home/domain/ and I would
save it in domain?

My second question is, the person gave me some code that looked like this...

<?php
$path_info = explode('/', $_SERVER['PATH_INFO']);
$file_id = intval($path_info[1]);

download_file($file_id);
?>

I am a newb it seems because I can't figure it out even after looking up
explode and intval on php.net .

Thanks,
Wes

Jul 17 '05 #1
Wes wrote:
> I am trying to secure different files, mostly pdf, so only the person
> supposed to see the file that was designed for that individual can see it. I
> am using sessions to secure the actual web pages, but now I am trying to
> secure non-php files. Here is where I need some help/clarification.
>
> I was told to save the files outside the Web accessible directories. Is
> this the directory before /www/ so would look like /home/domain/ and I would
> save it in domain?

yes

> My second question is, the person gave me some code that looked like this...
>
> <?php
> $path_info = explode('/', $_SERVER['PATH_INFO']);
> $file_id = intval($path_info[1]);
>
> download_file($file_id);
> ?>
>
> I am a newb it seems because I can't figure it out even after looking up
> explode and intval on php.net .


That looks like you'd have a script called something like download.php
in /home/domain/www (it would be accessed by
http://domain.com/download.php according to the URI).

Your links for downloads would then look like:
http://domain.com/download.php/1234

Where 1234 would be the file id number. Now, depending on how you are
handling this, I would assume that the id refers to a database record
that you'd use to query the information for the filename and then use
header() and fpassthru()
[http://us2.php.net/manual/en/function.fpassthru.php] or something
similar to send the file to the user.

HTH

--
Justin Koivisto - sp**@koivi.com
PHP POSTERS: Please use comp.lang.php for PHP related questions,
alt.php* groups are not recommended.

Jul 17 '05 #2
Wes wrote:
> I am trying to secure different files, mostly pdf, so only the person
> supposed to see the file that was designed for that individual can see it. I
> am using sessions to secure the actual web pages, but now I am trying to
> secure non-php files. Here is where I need some help/clarification.
>
> I was told to save the files outside the Web accessible directories. Is
> this the directory before /www/ so would look like /home/domain/ and I would
> save it in domain?

Probably - different hosting providers set this up differently. If the file
that you get when you go to http://www.yourdomain.com/ (probably index.htm,
index.php, etc.) is stored in /home/yourdomain/www/, then /home/yourdomain/ is
most likely not web-accessible. You might want to create a directory here to
store your files (i.e. /home/yourdomain/yourfiles/) and keep things neat.

> My second question is, the person gave me some code that looked like this...
>
> <?php
> $path_info = explode('/', $_SERVER['PATH_INFO']);
> $file_id = intval($path_info[1]);
>
> download_file($file_id);
> ?>
>
> I am a newb it seems because I can't figure it out even after looking up
> explode and intval on php.net .


Basically, I think what he was suggesting was that you assign a file_id # to
each file (in an array or a database). If you're a newb, you might want to
ignore the syntax he suggested
(http://domain.com/privagents/contents/download.php/1) for calling the script and
use the more common/easier-to-understand
http://domain.com/privagents/content....php?file_id=1, unless I'm missing
a valid reason to do it.

Then modify the above code to:

<?php
$file_id = intval($_GET['file_id']);

// Insert your own code here to test whether the user has the right to
// download the file, and set $user_may_download (a placeholder name) to
// true or false.
if ($user_may_download) {
    download_file($file_id); // this is a function that you write
} else {
    // if the user doesn't have the right to download the file, show an error
    echo "You do not have permission to download this file.";
}
?>

Your download_file($file_id) function would do the following:

Look up the path and filename associated with the $file_id.
fopen() the file.
send header() with the appropriate content-type (you'll have to read up on this
- it can be a bit tricky at first).
fpassthru() the file.
fclose() the file.

It's important that you don't output anything at all to the browser (not even
spaces or line breaks), other than the headers and file contents.

Regards,
Shawn

--
Shawn Wilson
sh***@glassgiant.com
http://www.glassgiant.com
Jul 17 '05 #3
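
One way to write the download_file() function described in the post above, as an added example that is not part of the original thread. The $files map (constructed sample data standing in for a database table), the $_SESSION['user_id'] key and the function signature are assumptions; the storage directory follows the /home/yourdomain/yourfiles/ suggestion in the post.

```php
<?php
// Added example: download_file() with a per-user ownership check.
// Assumptions: the login code stored the user's id in $_SESSION['user_id'];
// $files stands in for a database table (constructed sample data).
session_start();

const STORAGE_DIR = '/home/yourdomain/yourfiles/'; // outside the web root

$files = [
    1 => ['owner' => 42, 'name' => 'statement-2005-07.pdf', 'type' => 'application/pdf'],
    2 => ['owner' => 57, 'name' => 'contract.pdf',          'type' => 'application/pdf'],
];

function download_file(int $file_id, array $files, ?int $user_id): void
{
    // An unknown id and "not your file" get the same answer, so the
    // response does not reveal which ids exist.
    $meta = $files[$file_id] ?? null;
    if ($meta === null || $user_id === null || $meta['owner'] !== $user_id) {
        http_response_code(404);
        exit('File not found.');
    }

    // The file name comes from our own records, never from the request.
    $path = STORAGE_DIR . $meta['name'];
    $fp = is_file($path) ? fopen($path, 'rb') : false;
    if ($fp === false) {
        http_response_code(404);
        exit('File not found.');
    }

    header('Content-Type: ' . $meta['type']);
    header('Content-Length: ' . filesize($path));
    header('Content-Disposition: attachment; filename="' . $meta['name'] . '"');
    header('X-Content-Type-Options: nosniff');

    fpassthru($fp);
    fclose($fp);
    exit; // nothing else may be sent after the file contents
}

$file_id = intval($_GET['file_id'] ?? 0);
$user_id = isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
download_file($file_id, $files, $user_id);
```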
"Wes" <sa************@hotmail.com> wrote in message
news:3f***********************@nnrp.fuse.net...
> I am trying to secure different files, mostly pdf, so only the person
> supposed to see the file that was designed for that individual can see it. I
> am using sessions to secure the actual web pages, but now I am trying to
> secure non-php files. Here is where I need some help/clarification.

I would just like to add, if your dir is like this
/home/domain/www

I would do this (it is just cleaner)
/home/domain/www
/home/domain/securefiles

and have the script read files from "../securefiles/$filename";
now this doesn't mean they are secure, because if you show a link to get it
they just save the link, so here is some code with a link time-out

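$file = "myfile.pdf"; // file to download
$timelimit = 30; // 30 seconds

// this is so nobody figures out the timeout string
$secretkey = "make up some secret key here";

// parentheses make sure the time is added before it is joined to the string
$timeout = base64_encode(gzcompress(md5($secretkey)."|".(time() + $timelimit)));
// base64 output can contain + / = so it has to be URL-encoded in the link
$timeout = urlencode($timeout);
$link = "<A HREF='download.php?f=$file&t=$timeout'>Download Now</A>";
print $link;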

----------------
now here is the exact download.php script

<?php
// basename() keeps the request from naming anything outside ../securefiles
$filename = basename($_GET['f']);
$timeout = $_GET['t'];

// HAS TO BE EXACTLY THE SAME AS ABOVE CODE!
$secretkey = "make up some secret key here";

// place to send them if expired or invalid key
$errorpage = "http://www.domain.com/dl-error.html";

// @ hides the warning on a malformed token; the key check below rejects it
$timeout = @gzuncompress(base64_decode($timeout));
list($key, $expire) = array_pad(explode("|", (string) $timeout), 2, "");

// if the keys don't match, send them to a page that explains
if (md5($secretkey) !== $key) {
    header("Location: $errorpage?f=" . urlencode($filename));
    exit(); // stop here, otherwise the file would still be sent
}
// if expired, send them to a page that explains that
if (time() > (int) $expire) {
    header("Location: http://www.domain.com/exipired.php?f=" . urlencode($filename));
    exit();
}

// now let's send the file out
header("Content-type: application/pdf");
header("Content-disposition: attachment; filename=\"$filename\"");
header("Filename: $filename");
header("Content-length: ".filesize("../securefiles/$filename"));

readfile("../securefiles/$filename");

exit(); // to ensure no more bytes sent
?>

--
Mike Bradley
http://gzen.myhq.info -- free online php tools
Jul 17 '05 #4
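
A variant of the time-limited link from the post above, as an added example that is not part of the original thread. Instead of placing a hash of the secret key inside the token, it signs the file name and expiry with an HMAC, which keeps the key out of the link and ties each link to one file. The function names, the `e` and `s` parameter names and the constructed key are assumptions.

```php
<?php
// Added example: expiring download links authenticated with HMAC-SHA256.
// Assumptions: SECRET_KEY is a constructed placeholder (load a random key
// from configuration outside the web root); function names are illustrative.
const SECRET_KEY = 'constructed-example-key-replace-me';

function sign_link(string $file, int $expires): string
{
    // The MAC covers both the file name and the expiry, so neither can be
    // changed without invalidating the link.
    return hash_hmac('sha256', $file . '|' . $expires, SECRET_KEY);
}

function make_link(string $file, int $ttl = 30): string
{
    $expires = time() + $ttl;
    return 'download.php?' . http_build_query([
        'f' => $file,
        'e' => $expires,
        's' => sign_link($file, $expires),
    ]);
}

function verify_link(array $query, int $now): bool
{
    $file    = (string) ($query['f'] ?? '');
    $expires = (int) ($query['e'] ?? 0);
    $sig     = (string) ($query['s'] ?? '');

    // hash_equals() compares in constant time.
    if (!hash_equals(sign_link($file, $expires), $sig)) {
        return false;
    }
    // Reject expired links and anything that is not a plain file name.
    return $now <= $expires && $file !== '' && $file === basename($file);
}

// Constructed round trip: a fresh link, the same link with the file name
// swapped, and the same link checked 31 seconds later.
parse_str(parse_url(make_link('myfile.pdf'), PHP_URL_QUERY), $q);
var_dump(verify_link($q, time()));
var_dump(verify_link(['f' => 'other.pdf'] + $q, time()));
var_dump(verify_link($q, time() + 31));
```

A valid link only proves that the server issued it recently; whoever holds it can use it until it expires, so download.php should still check the session before sending the file.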
