That can be spoofed, though, and not all browsers set it, and it will not
stop anyone from just typing in the URL...

http://www.example.com/files/mydoc.doc

---John Holmes...

> -----Original Message-----
> From: Marek Kilimajer [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, June 04, 2002 3:58 AM
> To: PHP
> Subject: Re: [PHP] Download Script - Newbie Alert
> 
> You can also check $HTTP_REFERER, it's much simpler
> 
>     Marek
> 
> Clay Loveless wrote:
> 
> >Something else along these lines -- I really, really wish that more sites
> >that use this method would test across multiple browsers and platforms.
> >
> >I agree with everything John is saying regarding testing access/permissions
> >-- I've used this technique many times myself.
> >
> >However, if a user with Internet Explorer on Mac OS X clicks this link:
> >
> >    www.domain.com/file.php?id=23
> >
> >They'll wind up with a file on their desktop called "file.php".
> >
> >Not every browser pays close enough attention to the "filename" in the
> >Content-Disposition header.
> >
> >Solution?
> >
> >    www.domain.com/file.php/23/docname.xls
> >
> >I believe this will run file.php, which can then pull in the $PATH_INFO to
> >determine what file is being requested, check session permissions, etc., can
> >then spit out the right headers as John suggests, AND users will definitely
> >wind up with a downloaded file called "docname.xls".
> >
> >If your pages are dynamically generated, you can even do tricks like this to
> >thwart external linking:
> >
> ><?php
> >    // token that changes over time; file.php recomputes it with a tolerance
> >    $bootLeech = date("U") / 2;
> >    echo "<a href=\"http://www.domain.com/file.php/23/$bootLeech/docname.xls\">download</a>";
> >?>
> >
> >Then in your file.php script, do the following:
> >    - explode $PATH_INFO on "/"
> >    - check the $bootLeech array position with the same calculation ...
> >Where you can allow a plus/minus error tolerance of 10 minutes.
> >
> >
> >We use this trick on http://www.imagescentral.com ... Kids frequently want
> >to build Geocities sites that leech all our images. Our image file URLs work
> >*just* long enough for them to build their pages, and test that they look
> >good.
> >
> >30 hours later, all the leeched images are replaced with Images Central
> >logos. : )
> >
> >Fun!
> >
> >-Clay
> >
> >>From: "John Holmes" <[EMAIL PROTECTED]>
> >>Organization: U.S. Army
> >>Reply-To: <[EMAIL PROTECTED]>
> >>Date: Mon, 3 Jun 2002 20:06:42 -0400
> >>To: "'Philip Hess'" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
> >>Subject: RE: [PHP] Download Script - Newbie Alert
> >>
> >>Store the files above your web root and use a PHP script to control
> >>access.
> >>
> >>Use header to set the appropriate header for the file,
> >>
> >>header("Content-Type: application/vnd.ms-excel; name='excel'");
> >>header("Content-Disposition: attachment; filename=" . $filename .
> >>".xls");
> >>
> >>then use passthru() to send the contents of the file. Use a path for
> >>passthru that's above the web root.
> >>
> >>The key to this though, is to do some checking with PHP to make sure the
> >>person is authorized to download the file. Simply doing the above will
> >>still allow someone to link directly to file.php?id=23 or whatever, and
> >>get the contents.
> >>
> >>Start a session on another page, the one before the download, and then
> >>check for the session in this page, before you send the file. If the
> >>session doesn't exist (or a certain variable within it) then don't send
> >>the file.
> >>
> >>---John Holmes...
> >>
> >>>-----Original Message-----
> >>>From: Philip Hess [mailto:[EMAIL PROTECTED]]
> >>>Sent: Monday, June 03, 2002 6:09 PM
> >>>To: [EMAIL PROTECTED]
> >>>Subject: [PHP] Download Script - Newbie Alert
> >>>
> >>>Hello,
> >>>
> >>>I would like to allow visitors to my site to download documents created
> >>>with MS office and .PDF files as well. In order to prevent linking from
> >>>other sites I'd like to make or modify a script that hides the actual
> >>>location of the files.
> >>>
> >>>A pointer in the right direction would be most appreciated.
> >>>
> >>>Thanks
> >>>---------------------------------------------------------------
> >>>Philip Hess - Pittsburgh, PA USA - Computer Teacher
> >>>E-mail: pjh_at_zoominternet.net
> >>>Phil's Place (my web site) http://phil.mav.net/
> >>>PA School District Database: http://phil.mav.net/district.hts
> >>>---------------------------------------------------------------
> >>>
> >>>
> >>>--
> >>>PHP General Mailing List (http://www.php.net/)
> >>>To unsubscribe, visit: http://www.php.net/unsub.php
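Pulling the thread together, here is a complete file.php as I would write it
today. This is an added example, not code posted by John, Clay or Marek, and
it makes a few assumptions that are not in the thread: the documents live in
/var/www/private (above the web root), DOWNLOAD_SECRET is a server-side
secret, the login page has already set $_SESSION['user'], and the web server
hands the trailing path to file.php as PATH_INFO (on Apache, AcceptPathInfo
On). Two things are swapped in relative to the thread: the time-based
$bootLeech token is replaced by an HMAC over id, expiry and filename (anyone
who knows the date("U")/2 formula can mint their own token; they cannot mint
an HMAC without the secret), and readfile() is used instead of passthru(),
because passthru() runs a shell command. The ids and filenames in the FILES
table are made up for the example.

```php
<?php
// Added example for this thread, not code from any of the posters.
// Assumptions (not in the thread): files sit in /var/www/private, above the
// web root; DOWNLOAD_SECRET is a server-side secret; the login page has set
// $_SESSION['user']; the web server passes the trailing path to file.php as
// PATH_INFO (Apache: AcceptPathInfo On).
declare(strict_types=1);

const DOWNLOAD_DIR    = '/var/www/private';
const DOWNLOAD_SECRET = 'replace-with-a-long-random-secret';
const LINK_TTL        = 600;   // links live 10 minutes, the tolerance Clay mentions

// Allow-list: numeric id => [name on disk, MIME type]. The client never
// supplies a path, so "../" and friends have nothing to bite on.
const FILES = [
    23 => ['docname.xls', 'application/vnd.ms-excel'],
    24 => ['report.pdf',  'application/pdf'],
];

// Emit a link of the form /file.php/<id>/<expires>/<hmac>/<name>.
// The HMAC replaces the guessable date("U")/2 token from the thread.
function make_download_link(int $id, int $now): ?string
{
    if (!isset(FILES[$id])) {
        return null;
    }
    $expires = $now + LINK_TTL;
    $name    = FILES[$id][0];
    $sig     = hash_hmac('sha256', "$id|$expires|$name", DOWNLOAD_SECRET);
    return sprintf('/file.php/%d/%d/%s/%s', $id, $expires, $sig, rawurlencode($name));
}

// Explode PATH_INFO on "/" and verify id, expiry and signature.
// Returns the file id, or null if anything is off.
function validate_path_info(string $pathInfo, int $now): ?int
{
    $parts = explode('/', trim($pathInfo, '/'));
    if (count($parts) !== 4) {
        return null;
    }
    [$id, $expires, $sig, $urlName] = $parts;   // $urlName is cosmetic, for the browser
    if (!preg_match('/^\d{1,10}$/', $id) || !preg_match('/^\d{1,10}$/', $expires)) {
        return null;
    }
    $id      = (int) $id;
    $expires = (int) $expires;
    if (!isset(FILES[$id]) || $expires < $now) {
        return null;                              // unknown id or expired link
    }
    $expected = hash_hmac('sha256', "$id|$expires|" . FILES[$id][0], DOWNLOAD_SECRET);
    return hash_equals($expected, $sig) ? $id : null;   // constant-time compare
}

// Send the file with headers that make the browser save it under its real name.
function send_file(int $id): void
{
    [$name, $mime] = FILES[$id];
    $path = DOWNLOAD_DIR . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . $mime);
    header('Content-Length: ' . filesize($path));
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('X-Content-Type-Options: nosniff');
    readfile($path);   // streams the file; no shell command, unlike passthru("cat ...")
}

if (PHP_SAPI !== 'cli') {
    // file.php under a web server: session first, then the link, then the file.
    session_start();
    if (empty($_SESSION['user'])) {
        http_response_code(403);
        exit('login required');
    }
    $id = validate_path_info($_SERVER['PATH_INFO'] ?? '', time());
    if ($id === null) {
        http_response_code(403);
        exit('link invalid or expired');
    }
    send_file($id);
} else {
    // CLI self-check: a fresh link validates; expired or re-pointed links do not.
    $now  = time();
    $link = make_download_link(23, $now);
    $path = substr($link, strlen('/file.php'));
    $ok = validate_path_info($path, $now) === 23
       && validate_path_info($path, $now + LINK_TTL + 1) === null
       && validate_path_info(str_replace('/23/', '/24/', $path), $now) === null;
    echo $link, "\n", ($ok ? "self-check passed\n" : "self-check FAILED\n");
}
```

Run it from the command line to see a minted link and the self-check; under a
web server it behaves as file.php. The session check still does the real
authorization, as John says; the signed, expiring path only buys what Clay's
token bought (hotlinks rot after a while) without being computable by
outsiders. The filename in Content-Disposition is quoted and comes from the
allow-list, never from the URL, and nothing here looks at the Referer, which,
as noted at the top of the thread, can be forged or simply absent.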