
Clarification

Wes
I am trying to secure different files, mostly pdf, so only the person
supposed to see the file that was designed for that individual can see it. I
am using sessions to secure the actual web pages, but now I am trying to
secure non-php files. Here is where I need some help/clarification.

I was told to save the files outside the Web accessible directories. Is
this the directory before /www/ so would look like /home/domain/ and I would
save it in domain?

My second question is, the person gave me some code that looked like this...

<?php
$path_info = explode('/', $_SERVER['PATH_INFO']);
$file_id = intval($path_info[1]);

download_file($file_id);
?>

I am a newb it seems because I can't figure it out even after looking up
explode and intval on php.net .

Thanks,
Wes

Jul 17 '05 #1
Wes wrote:
> I am trying to secure different files, mostly pdf, so only the person
> supposed to see the file that was designed for that individual can see it. I
> am using sessions to secure the actual web pages, but now I am trying to
> secure non-php files. Here is where I need some help/clarification.
>
> I was told to save the files outside the Web accessible directories. Is
> this the directory before /www/ so would look like /home/domain/ and I would
> save it in domain?

yes

> My second question is, the person gave me some code that looked like this...
>
> <?php
> $path_info = explode('/', $_SERVER['PATH_INFO']);
> $file_id = intval($path_info[1]);
>
> download_file($file_id);
> ?>
>
> I am a newb it seems because I can't figure it out even after looking up
> explode and intval on php.net .


That looks like you'd have a script called something like download.php
in /home/domain/www (it would be accessed by
http://domain.com/download.php according to the URI).

Your links for downloads would then look like:
http://domain.com/download.php/1234

Where 1234 would be the file id number. Now, depending on how you are
handling this, I would assume that the id refers to a database record
that you'd use to query the information for the filename and then use
header() and fpassthru()
[http://us2.php.net/manual/en/function.fpassthru.php] or something
similar to send the file to the user.

HTH

--
Justin Koivisto - sp**@koivi.com
PHP POSTERS: Please use comp.lang.php for PHP related questions,
alt.php* groups are not recommended.

Jul 17 '05 #2
Wes wrote:

> I am trying to secure different files, mostly pdf, so only the person
> supposed to see the file that was designed for that individual can see it. I
> am using sessions to secure the actual web pages, but now I am trying to
> secure non-php files. Here is where I need some help/clarification.
>
> I was told to save the files outside the Web accessible directories. Is
> this the directory before /www/ so would look like /home/domain/ and I would
> save it in domain?

Probably - different hosting providers set this up differently. If the file
that you get when you go to http://www.yourdomain.com/ (probably index.htm,
index.php, etc.) is stored in /home/yourdomain/www/, then /home/yourdomain/ is
most likely not web-accessible. You might want to create a directory here to
store your files (i.e. /home/yourdomain/yourfiles/) and keep things neat.

> My second question is, the person gave me some code that looked like this...
>
> <?php
> $path_info = explode('/', $_SERVER['PATH_INFO']);
> $file_id = intval($path_info[1]);
>
> download_file($file_id);
> ?>
>
> I am a newb it seems because I can't figure it out even after looking up
> explode and intval on php.net .


Basically, I think what he was suggesting was that you assign a file_id # to
each file (in an array or a database). If you're a newb, you might want to
ignore the syntax he suggested
(http://domain.com/privagents/contents/download.php/1) for calling the script and
use the more common/easier-to-understand
http://domain.com/privagents/content....php?file_id=1, unless I'm missing
a valid reason to do it.

Then modify the above code to:

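<?php
$file_id = isset($_GET['file_id']) ? intval($_GET['file_id']) : 0;

// insert your own code to test if user has the right to download file here;
// user_can_download() is a placeholder name for that check, which you write
if (user_can_download($file_id)) {
    // this is a function that you write. Do this only if
    // user has right to download file
    download_file($file_id);
    exit; // nothing else may be output after the file contents
}

// if user doesn't have right to download the file provide error
echo "You do not have permission to download this file.";
?>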

Your download_file($file_id) function would do the following:

Look up the path and filename associated with the $file_id.
fopen() the file.
send header() with the appropriate content-type (you'll have to read up on this
- it can be a bit tricky at first).
fpassthru() the file.
fclose() the file.

It's important that you don't output anything at all to the browser (not even
spaces or line breaks), other than the headers and file contents.

Regards,
Shawn

--
Shawn Wilson
sh***@glassgiant.com
http://www.glassgiant.com
Jul 17 '05 #3
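
The steps listed in the post above (look up the file for the id, check the user's right to it, then header(), fpassthru(), fclose()), as an added example that is not part of the original post. The $FILES array stands in for the database table, and the 'user_id' session key, the paths and the function names are assumptions made for illustration.

```php
<?php
// Added example. $FILES stands in for the database table; the ids, owners
// and paths are constructed. Files live outside the web root.
$FILES = array(
    1 => array('owner' => 42, 'path' => '/home/yourdomain/yourfiles/statement-42.pdf'),
    2 => array('owner' => 77, 'path' => '/home/yourdomain/yourfiles/statement-77.pdf'),
);

// Returns the file record only if it exists AND belongs to $user_id.
function authorize_file($files, $file_id, $user_id) {
    if ($user_id === null || !isset($files[$file_id])) {
        return null;
    }
    $rec = $files[$file_id];
    return ($rec['owner'] === $user_id) ? $rec : null;
}

// Streams the file; sends no header until the file is known to open.
function download_file($rec) {
    $fp = @fopen($rec['path'], 'rb');
    if ($fp === false) {
        return false;
    }
    header('Content-Type: application/pdf');
    header('Content-Disposition: attachment; filename="' . basename($rec['path']) . '"');
    header('Content-Length: ' . filesize($rec['path']));
    fpassthru($fp);
    fclose($fp);
    return true;
}

session_start();
// 'user_id' is assumed to be set by the existing session login code.
$user_id = isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
$file_id = isset($_GET['file_id']) ? intval($_GET['file_id']) : 0;

$rec = authorize_file($FILES, $file_id, $user_id);
if ($rec === null || !download_file($rec)) {
    // Same answer for "no such id" and "not your file", so the response
    // does not reveal which ids exist.
    header('HTTP/1.1 404 Not Found');
    echo 'File not found.';
}
```

The closing ?> is left off on purpose so that no trailing whitespace is sent after the file contents.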
"Wes" <sa************@hotmail.com> wrote in message
news:3f***********************@nnrp.fuse.net...
> I am trying to secure different files, mostly pdf, so only the person
> supposed to see the file that was designed for that individual can see it. I
> am using sessions to secure the actual web pages, but now I am trying to
> secure non-php files. Here is where I need some help/clarification.

I would just like to add, if your dir is like this
/home/domain/www

I would do this (it is just cleaner)
/home/domain/www
/home/domain/securefiles

and have the script read files from "../securefiles/$filename";
now this doesn't mean they are secure because if you show a link to get it
they just save the link, so here is some code with a link time-out

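$file = "myfile.pdf"; // file to download
$timelimit = 30; // 30 seconds

// this is so nobody figures out the timeout string
$secretkey = "make up some secret key here";

// parentheses so the expiry time is added up before it is concatenated
$timeout = base64_encode(gzcompress(md5($secretkey)."|".(time() + $timelimit)));
// urlencode() because base64 output can contain "+", "/" and "="
$link = "<A HREF='download.php?f=".urlencode($file)."&t=".urlencode($timeout)."'>Download Now</A>";
print $link;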

----------------
now here is the exact download.php script

<?php
// basename() drops any directory part, so "f" cannot point outside securefiles
$filename = basename(isset($_GET['f']) ? $_GET['f'] : '');
$timeout = isset($_GET['t']) ? $_GET['t'] : '';

// HAS TO BE EXACTLY THE SAME AS ABOVE CODE!
$secretkey = "make up some secret key here";

// place to send them if expired or invalid key
$errorpage = "http://www.domain.com/dl-error.html";

// a corrupt or missing token decodes to an empty string instead of a warning
$timeout = (string) @gzuncompress((string) base64_decode($timeout));
list($key, $expire) = array_pad(explode("|", $timeout), 2, 0);

// if the keys don't match, send them to a page that explains
if (md5($secretkey) !== $key) {
    header("Location: $errorpage?f=".urlencode($filename));
    exit(); // stop here, otherwise the file would still be sent
}
// if expired, send them to a page that explains that
if (time() > (int) $expire) {
    header("Location: http://www.domain.com/exipired.php?f=".urlencode($filename));
    exit();
}

// now let's send the file out
header("Content-type: application/pdf");
header("Content-disposition: attachment; filename=\"$filename\"");
header("Filename: $filename");
header("Content-length: ".filesize("../securefiles/$filename"));

readfile("../securefiles/$filename");

exit(); // to ensure no more bytes sent
?>

--
Mike Bradley
http://gzen.myhq.info -- free online php tools
Jul 17 '05 #4
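
A variant of the link time-out above, as an added example that is not part of the original post: the expiry and the file name are bound together with an HMAC, so the link carries no key material and neither value can be changed without invalidating the token. The function names make_token() and check_token(), the key string and the fixed clock value are assumptions made for illustration; the per-user session check is still needed before sending a file.

```php
<?php
// Added example; key, file names and function names are constructed.
$secretkey = 'replace with a long random value stored outside the web root';

// Token = expiry time + "." + HMAC-SHA256 over "file|expiry".
function make_token($file, $ttl, $key, $now = null) {
    $expire = ($now === null ? time() : $now) + $ttl;
    return $expire . '.' . hash_hmac('sha256', $file . '|' . $expire, $key);
}

// True only if the token was issued for this file and has not expired.
function check_token($file, $token, $key, $now = null) {
    $parts = explode('.', (string) $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;                            // malformed token
    }
    $expected = hash_hmac('sha256', $file . '|' . $parts[0], $key);
    if (!hash_equals($expected, $parts[1])) {    // constant-time comparison
        return false;                            // file or expiry was altered
    }
    return ($now === null ? time() : $now) <= (int) $parts[0];
}

// Constructed demonstration with a fixed clock instead of time().
$t0   = 1000000000;
$tok  = make_token('myfile.pdf', 30, $secretkey, $t0);
$link = 'download.php?f=' . urlencode('myfile.pdf') . '&t=' . urlencode($tok);
print $link . "\n";

// Case 1: same file, 10 seconds after the link was issued.
var_dump(check_token('myfile.pdf', $tok, $secretkey, $t0 + 10));
// Case 2: same file, 31 seconds later, past the 30 second limit.
var_dump(check_token('myfile.pdf', $tok, $secretkey, $t0 + 31));
// Case 3: token reused for a different file name.
var_dump(check_token('other.pdf', $tok, $secretkey, $t0 + 10));
// Case 4: expiry edited by hand while keeping the old signature.
$edited = ($t0 + 99999) . substr($tok, strpos($tok, '.'));
var_dump(check_token('myfile.pdf', $edited, $secretkey, $t0 + 31));
```

In download.php, check_token() would run on basename($_GET['f']) and $_GET['t'] before any header is sent.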
