On Wednesday 06 April 2005 17:02, Charles Hamel wrote:
> "Duncan Hill" <dhill+php@xxxxxxxxxxxx> wrote in message
> news:200504061633.44950.dhill+php@xxxxxxxxxxxxxxx
> > One way to handle this is to write a wrapper script that accepts the file
> > name as a parameter. The script verifies that the user is allowed to access
>
> Can you provide a little more info about wrapper scripts ... first time
> hearing about this expression.
>
> Can this script be written in php ... or is it some kind of cgi? Any

http://lists.evolt.org/archive/Week-of-Mon-20011224/064591.html has some
sample code to do with forcing IE to download a file where it can't determine
the mime type properly. This forms the core of being able to feed a file to a
browser when a .php file is called.

The rough flow of the code would be:

1) Check that the user is authenticated. Kick them out if they aren't.
2) (Optional) Check that the user is allowed to access the file being
   requested. This might be a MySQL DB lookup, a secret word request,
   whatever.
3) Check that the file exists. Even better, rather than feed a file name,
   store a mapping of a unique ID to real file name in a data source of some
   type, and throw the ID around. You can enforce the format of the ID etc. to
   avoid attacks against your system.
4) If all is good, use the code linked above (in some form) to feed the file
   to the browser. The user will get a Save dialog box in pretty much any
   browser.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
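
The four steps above written out as a PHP wrapper script. This is an added example, not part of the original message and not the code at the linked evolt.org page. The session key user_id, the storage directory, the 32-hex-character ID format and the sample mapping are assumptions.

```php
<?php
declare(strict_types=1);
// Wrapper script, e.g. requested as download.php?id=<opaque id>.
const STORAGE_DIR = '/var/www/private_files'; // assumed path, outside the web root
// Constructed sample mapping: opaque ID => stored file name + allowed user IDs.
// In practice this is the "data source of some type", e.g. a MySQL table.
const FILE_MAP = [
    '3f2a9c0d5e7b4a1886c1d2e3f4a5b6c7' => ['file' => 'report-q1.pdf', 'users' => [17, 42]],
];

/** Returns [HTTP status, absolute path or null]. */
function resolve_download(array $session, $id, array $map, string $dir): array
{
    // 1) Authenticated? ('user_id' stored as an int in the session is an assumption.)
    if (!isset($session['user_id'])) {
        return [401, null];
    }
    // 3) Enforce the ID format before any lookup: exactly 32 lowercase hex chars.
    if (!is_string($id) || preg_match('/\A[0-9a-f]{32}\z/', $id) !== 1 || !isset($map[$id])) {
        return [404, null];
    }
    // 2) Authorised for this particular file?
    if (!in_array($session['user_id'], $map[$id]['users'], true)) {
        return [403, null];
    }
    // 3) File must exist and resolve to a location inside the storage directory.
    $base = realpath($dir);
    $path = realpath($dir . '/' . $map[$id]['file']);
    if ($base === false || $path === false || !is_file($path)
        || strncmp($path, $base . '/', strlen($base) + 1) !== 0) {
        return [404, null];
    }
    return [200, $path];
}

session_start();
[$status, $path] = resolve_download($_SESSION, $_GET['id'] ?? null, FILE_MAP, STORAGE_DIR);
if ($status !== 200) {
    http_response_code($status);
    exit;
}
// 4) Feed the file; "attachment" makes the browser offer a Save dialog.
// The download name comes from the trusted mapping, never from the request.
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```

Because the request only ever carries the opaque ID, a value such as ../../etc/passwd fails the format check and never reaches the file system.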