"Duncan Hill" <dhill@xxxxxxxxxxxx> wrote in message
news:200504061743.25667.dhill@xxxxxxxxxxxxxxx
> On Wednesday 06 April 2005 17:02, Charles Hamel wrote:
>> "Duncan Hill" <dhill+php@xxxxxxxxxxxx> wrote in message
>> news:200504061633.44950.dhill+php@xxxxxxxxxxxxxxx
>> > One way to handle this is to write a wrapper script that accepts the
>> > file name as a parameter. The script verifies that the user is
>> > allowed to access
>
>> Can you provide a little more info about wrapper scripts ... first time
>> hearing about this expression.
>>
>> Can this script be written in php ... or is it some kind of cgi? Any
>
> http://lists.evolt.org/archive/Week-of-Mon-20011224/064591.html has some
> sample code to do with forcing IE to download a file where it can't
> determine the mime type properly. This forms the core of being able to
> feed a file to a browser when a .php file is called.
>
> The rough flow of the code would be:
> 1) Check that the user is authenticated. Kick them out if they aren't.
> 2) (Optional) Check that the user is allowed to access the file being
> requested. This might be a MySQL DB lookup, a secret word request,
> whatever.
> 3) Check that the file exists. Even better, rather than feed a file name,
> store a mapping of a unique ID to real file name in a data source of some
> type, and throw the ID around. You can enforce the format of the ID etc to
> avoid attacks against your system.
> 4) If all is good, use the code linked above (in some form) to feed the
> file to the browser. The user will get a Save dialog box in pretty much any
> browser.

I am all set guys .... thanks ... What would I do without the community?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
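
The four-step flow from the quoted reply, sketched as an added example that is not part of the original thread or of the code linked in it. The storage path, the ID-to-file map, the 16-hex-character ID format and the `user_id` session key are all assumptions made for illustration.

```php
<?php
// download.php?id=<16 hex chars>  (added example; every name here is an assumption)
declare(strict_types=1);
session_start();

// Hypothetical directory outside the web root: files are reachable only via this script.
const STORAGE_DIR = '/var/app-data/downloads';

// Constructed ID => file mapping; in practice a database table.
// 'users' lists the integer user IDs allowed to fetch each file.
const FILE_MAP = [
    'a1b2c3d4e5f60718' => ['name' => 'report-2005-q1.pdf', 'users' => [17, 42]],
    '0f1e2d3c4b5a6978' => ['name' => 'invoice-0042.pdf',   'users' => [42]],
];

function deny(int $status): void
{
    http_response_code($status);
    exit;
}

// 1) Authenticated? 'user_id' (int) is assumed to be set by the login code.
if (!isset($_SESSION['user_id'])) {
    deny(403);
}

// 3a) Enforce the ID format before any lookup. The client never supplies a
//     file name, so "../" sequences and null bytes have nowhere to go.
$id = $_GET['id'] ?? '';
if (!is_string($id) || preg_match('/\A[0-9a-f]{16}\z/', $id) !== 1) {
    deny(400);
}

// 2) Authorised? Unknown IDs and forbidden IDs both return 404, so the
//    response does not reveal which IDs exist.
$entry = FILE_MAP[$id] ?? null;
if ($entry === null || !in_array($_SESSION['user_id'], $entry['users'], true)) {
    deny(404);
}

// 3b) Does the mapped file exist on disk?
$path = STORAGE_DIR . '/' . $entry['name'];
if (!is_file($path) || !is_readable($path)) {
    deny(404);
}

// 4) Feed the file. The name in the header comes from the server-side map,
//    not from the request, so it cannot be used to inject header content.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $entry['name'] . '"');
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```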