By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
443,492 Members | 1,289 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 443,492 IT Pros & Developers. It's quick & easy.

File with no link

P: n/a
Ozz
Hi there,
I have a link on my web page. When clicked, opens up a pdf file that is
stored on my server. Every file is specific to a user's user name and I
don't want users to see each other's files.
For example:
When User1 clicks on the link, it opens up
http://mydomain.com/files/user1.pdf
and when User2 clicks on the link, it opens up
http://mydomain.com/files/user2.pdf.

So, if User1 knows about User2, he can see User2's pdf file.

How can I make the file open up in a different window without the file
path in the address bar?

Thanks,
Usman

Jun 1 '06 #1
Share this Question
Share on Google+
6 Replies


P: n/a
>I have a link on my web page. When clicked, opens up a pdf file that is
stored on my server. Every file is specific to a user's user name and I
don't want users to see each other's files.
For example:
When User1 clicks on the link, it opens up
http://mydomain.com/files/user1.pdf
and when User2 clicks on the link, it opens up
http://mydomain.com/files/user2.pdf.

So, if User1 knows about User2, he can see User2's pdf file.

How can I make the file open up in a different window without the file
path in the address bar?


Make sure that there is *NO* URL that can be used to obtain
the file for a user unless the person is logged in as that user.
Provide one URL that can be used by a user to get their own file.

Write a PHP script, say, pdf.php, which does the following:

1. Determines if the user is logged in, if not, rejects the request.
2. Opens the .pdf file (located *outside* the web server document root)
for the logged in user, using the username as part of the path
name somehow. Or, it could generate the pdf file on the fly.
3. Outputs a content-type header for a pdf file.
4. Calls fpassthru() on the file opened in #2.

The user clicks on a link to pdf.php, and they get *their* pdf file.

Gordon L. Burditt
Jun 1 '06 #2

P: n/a
Ozz
Thanks Gordon,
Your solution totally makes sense. Once I know the user is logged in, I
determine what is his file name. Then I open a file stream to that
file, and using fpassthru() spit it out.

I can totally see how to implement this. However, I was wondering if
there is a PHP function that takes a file name (located on the server)
as input, and pops up a window with the PDF file in it. Or even prompts
the user to save the file. This way, there is no URL in the story. And
hence, no privacy issues.

I would appreciate any idea.
Thanks.
Usman
Gordon Burditt wrote:
I have a link on my web page. When clicked, opens up a pdf file that is
stored on my server. Every file is specific to a user's user name and I
don't want users to see each other's files.
For example:
When User1 clicks on the link, it opens up
http://mydomain.com/files/user1.pdf
and when User2 clicks on the link, it opens up
http://mydomain.com/files/user2.pdf.

So, if User1 knows about User2, he can see User2's pdf file.

How can I make the file open up in a different window without the file
path in the address bar?


Make sure that there is *NO* URL that can be used to obtain
the file for a user unless the person is logged in as that user.
Provide one URL that can be used by a user to get their own file.

Write a PHP script, say, pdf.php, which does the following:

1. Determines if the user is logged in, if not, rejects the request.
2. Opens the .pdf file (located *outside* the web server document root)
for the logged in user, using the username as part of the path
name somehow. Or, it could generate the pdf file on the fly.
3. Outputs a content-type header for a pdf file.
4. Calls fpassthru() on the file opened in #2.

The user clicks on a link to pdf.php, and they get *their* pdf file.

Gordon L. Burditt


Jun 1 '06 #3

P: n/a
>Your solution totally makes sense. Once I know the user is logged in, I
determine what is his file name. Then I open a file stream to that
file, and using fpassthru() spit it out.
You do this in a .php file which as far as the user is concerned
*is* the pdf file. And you can put in as many security checks
as you like before delivering the file.
I can totally see how to implement this. However, I was wondering if
there is a PHP function that takes a file name (located on the server) *OUTSIDE THE DOCUMENT TREE*as input, and pops up a window with the PDF file in it.
It's not that hard to do using a combination of fopen(), fpassthru(),
(inside the script I suggested) and outputting some HTML that points
at the script I suggested.
Or even prompts
If you want to pop up a window, that requires HTML. Or Javascript,
which is Turned Off(tm). And as far as I know, either requires a
URL for what to put *in* the window. That's where the script I
suggested comes in. I consider popping up a window to be obnoxious
behavior so I don't remember how to do it.
the user to save the file. This way, there is no URL in the story. And
hence, no privacy issues.
The URL to the PHP script I suggested gives the user his *own* pdf
file. It's like the "View my Statement" link on my bank's website.
It's the same link for every user (but delivers different info),
and it gives an error message to those not logged in. Publish it
to the world: if your login system has decent security, it's not
a problem. If your login system does not have decent security,
you're in deep trouble anyway.

Since the .pdf files for individual users are outside the document
tree, you can make those paths public, too, since nobody can
access them. Nobody will see the paths when they access the
files in the normal way. However, making the paths public provides
a specific target for someone hacking your system or sending you
a virus, so I suggest not making them public. There's no innocent
use of those paths directly by users anyway.
Gordon Burditt wrote:
>I have a link on my web page. When clicked, opens up a pdf file that is
>stored on my server. Every file is specific to a user's user name and I
>don't want users to see each other's files.
>For example:
>When User1 clicks on the link, it opens up
>http://mydomain.com/files/user1.pdf
>and when User2 clicks on the link, it opens up
>http://mydomain.com/files/user2.pdf.
>
>So, if User1 knows about User2, he can see User2's pdf file.
>
>How can I make the file open up in a different window without the file
>path in the address bar?


Make sure that there is *NO* URL that can be used to obtain
the file for a user unless the person is logged in as that user.
Provide one URL that can be used by a user to get their own file.

Write a PHP script, say, pdf.php, which does the following:

1. Determines if the user is logged in, if not, rejects the request.
2. Opens the .pdf file (located *outside* the web server document root)
for the logged in user, using the username as part of the path
name somehow. Or, it could generate the pdf file on the fly.
3. Outputs a content-type header for a pdf file.
4. Calls fpassthru() on the file opened in #2.

The user clicks on a link to pdf.php, and they get *their* pdf file.

Gordon L. Burditt

Jun 1 '06 #4

P: n/a
Ozz schrieb:
Hi there,


I posted an alternative suggestion in alt.php. Please, if you post the
same question to several newsgroups, do crosspost (post it to all groups
at once) and not multipost (post it to each group separately)!
Multiposting makes people answer questions already answered in another
group, and thus is considered as wasting people's time.

--
Markus
Jun 1 '06 #5

P: n/a

Markus Ernst wrote:
Ozz schrieb:
Hi there,


I posted an alternative suggestion in alt.php. Please, if you post the
same question to several newsgroups, do crosspost (post it to all groups
at once) and not multipost (post it to each group separately)!
Multiposting makes people answer questions already answered in another
group, and thus is considered as wasting people's time.

--
Markus


I believe htacces could help you to force them to download, but still
user.pdf would appear in the browser's history ...
Frizzle.

Jun 1 '06 #6

P: n/a
Ozz
Thanks for pointing out Markus,
I wasn't aware of cross-posting. It sounds like an appropriate thing to
do. Will do it properly next time.

Cheers,
Usman

Markus Ernst wrote:
Ozz schrieb:
Hi there,


I posted an alternative suggestion in alt.php. Please, if you post the
same question to several newsgroups, do crosspost (post it to all groups
at once) and not multipost (post it to each group separately)!
Multiposting makes people answer questions already answered in another
group, and thus is considered as wasting people's time.

--
Markus


Jun 1 '06 #7

This discussion thread is closed

Replies have been disabled for this discussion.