Clarification

Wes wrote:

I am trying to secure different files, mostly pdf, so only the person
suppose to see the file that was designed for that individual can see it. I
am using sessions to secure the actual web pages, but now I am trying to
secure non-php files. Here is where I need some help/clarification.

I was told to save the files outside the Web accessible directories. Is
this the directory before /www/ so would look like /home/domain/ and I would
save it in domain?
yes
My second question is, the person gave me some code that looked like this...

<?php
$path_info = explode('/', $_SERVER['PATH_INFO']);
$file_id = intval($path_info[1]);

download_file($file_id);
?>

I am a newb it seems because I can't figure it out even after looking up
explode and intval on php.net .

That looks like you'd have a script called something like download.php
in /home/domain/www (it would be accessed by
http://domain.com/download.php according to the URI).

Your links for downloads would then look like:
http://domain.com/download.php/1234

Where 1234 would be the file id number. Now, depending on how you are
handling this, I would assume that the id refers to a database record
that you'd use to query the information for the filename and then use
header() and fpassthru()
[http://us2.php.net/manual/en/function.fpassthru.php] or something
similar to send the file to the user.

HTH

--
Justin Koivisto - sp**@koivi.com
PHP POSTERS: Please use comp.lang.php for PHP related questions,
alt.php* groups are not recommended.

Wes wrote:

I am trying to secure different files, mostly pdf, so only the person
suppose to see the file that was designed for that individual can see it. I
am using sessions to secure the actual web pages, but now I am trying to
secure non-php files. Here is where I need some help/clarification.

I was told to save the files outside the Web accessible directories. Is
this the directory before /www/ so would look like /home/domain/ and I would
save it in domain?
Probably - different hosting providers set this up differently. If the file
that you get when you go to http://www.yourdomain.com/ (probably index.htm,
index.php, etc.) is stored in /home/yourdomain/www/, then /home/yourdomain/ is
most likely not web-accessable. You might want to create a directory here to
store your files (i.e. /home/yourdomain/yourfiles/) and keep things neat.
My second question is, the person gave me some code that looked like this...

<?php
$path_info = explode('/', $_SERVER['PATH_INFO']);
$file_id = intval($path_info[1]);

download_file($file_id);
?>

I am a newb it seems because I can't figure it out even after looking up
explode and intval on php.net .

Basically, I think what he was suggesting was that you assign a file_id # to
each file (in an array or a database). If you're a newb, you might want to
ignore the syntax he suggested
(http://domain.com/privagents/contents/download.php/1) for calling the scipt and
use the more common/easier-to-understand
http://domain.com/privagents/content....php?file_id=1, unless I'm missing
a valid reason to do it.

Then modify the above code to:

<?php
$file_id = intval($_GET['file_id']);

//insert your own code to test if user has the right to download file here
download_file($file_id); //this is a function that you write. Do this only if
user has right to download file

//if user doesn't have right to download the file provide error
echo "You do not have permission to download this file.";
?>

Your download_file($file_id) function would do the following:

Look up the path and filename associated with the $file_id.
fopen() the file.
send header() with the appropriate content-type (you'll have to read up on this
- it can be a bit tricky at first).
fpassthru() the file.
fclose() the file.

It's important that you don't output anything at all to the browser (not even
spaces or line breaks), other than the headers and file contents.

Regards,
Shawn

--
Shawn Wilson
sh***@glassgiant.com
http://www.glassgiant.com

"Wes" <sa************@hotmail.com> wrote in message
news:3f***********************@nnrp.fuse.net...

I am trying to secure different files, mostly pdf, so only the person
suppose to see the file that was designed for that individual can see it. I am using sessions to secure the actual web pages, but now I am trying to
secure non-php files. Here is where I need some help/clarification.

I would just like to add, if your dir is like this
/home/domain/www

i would do this (it is just cleaner)
/home/domain/www
/home/domain/securefiles

and have the script read files from "../securefiles/$filename";
now this doesnt mean they are secure becouse if your show a link to get it
they just save the link, so here is some code with a link time-out

$file = "myfile.pdf"; // file to download
$timelimit = 30; // 30 seconds

// this is so nobody figures out the timeout string
$secretkey = "make up some secret key here";

$timeout = base64_encode(gzcompress(md5($secretkey)."|".time( ) +
$timelimit));
$link = "<A HREF='download.php?f=$file&t=$timeout'>Download Now</A>";
print $link;

----------------
now here is the exact download.php script

<?
$filename = $_GET'['f'];
$timeout = $_GET['t'];

// HAS TO BE EXACLY THE SAME AS ABOVE CODE!
$secretkey = "make up some secret key here";

// place to send them if expired or invalid key
$errorpage = "http://www.domain.com/dl-error.html";

$timeout = gzuncomress(base64_decode($timeout));
list($key,$expire) = explode("|",$timeout);

// if the keys dont match, send them to a page that explains
if (md5($secretkey) != $key)
header("Location: ?f=$filename");
// if expired, send them to a page that exmplains that
if (time() > $expire)
header("Location: http://www.domain.com/exipired.php?f=$filename");

now lets send the file out
header("Content-type: application/pdf");
header("Content-disposition: filename: $filename");
header("Filename: $filename");
header("Content-length: ".filesize("../securefiles/$filename"));

readfile("../securefiles/$filename");

exit(); // to ensure no more bytes sent
?>

--
Mike Bradley
http://gzen.myhq.info -- free online php tools