Dan Trainor said the following on 10/27/2005 10:39 AM:
Jason Motes wrote:

However, how do people protect against the downloading of real files,
ones which are not parsed by PHP?  .WMV, .MOV, .ZIP, .EXE and so on?  I
want to protect access to these as well, and if a visitor just types in
a URL and is able to access the file because my access control mechanism
simply doesn't work on those types of files, what should be the solution
here?

<snip>

I'd like to keep the application as portable as possible; thus, I cannot
use any kind of htaccess hackery because I want this PHP application to
run on IIS, as well.

Move the files outside the document root so that they aren't available via a direct URL, then create a 'file access page' in PHP that will check for the session variable and either send or not send the file based on whether the user has access.

- Ben
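
The 'file access page' described in the reply above, as an added example that is not part of the original message. The directory name, the `user_id` session key and the `file` query parameter are assumptions made for illustration; it uses no web-server configuration, so it behaves the same under Apache and IIS.

```php
<?php
// download.php: gatekeeper for files stored outside the document root.
// Assumed for this example: the directory, the 'user_id' session key and
// the 'file' query parameter are all hypothetical names.
declare(strict_types=1);

const PROTECTED_DIR = __DIR__ . '/../protected_files';

session_start();

// 1. Access control: the same session check the PHP pages use.
//    A per-file permission lookup would also go here.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Forbidden');
}

// 2. Resolve the requested name inside the protected directory only.
//    basename() drops any directory part; realpath() resolves symlinks,
//    so the prefix check below rejects anything that escapes the base.
$requested = basename((string)($_GET['file'] ?? ''));
$base = realpath(PROTECTED_DIR);
$path = ($base !== false && $requested !== '')
    ? realpath($base . DIRECTORY_SEPARATOR . $requested)
    : false;

if ($path === false
    || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
    || !is_file($path)) {
    http_response_code(404);
    exit('Not found');
}

// 3. Release the session lock so a long download does not block the
//    user's other requests, then stream the file.
session_write_close();

header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="'
    . str_replace(['"', '\\', "\r", "\n"], '_', $requested) . '"');
header('Content-Length: ' . (string)filesize($path));

// Drop output buffering so large files are not held in memory.
while (ob_get_level() > 0) {
    ob_end_clean();
}
readfile($path);
exit;
```

Links on the site then point at `download.php?file=name.zip` rather than at the file itself, so every request for a .WMV, .ZIP or .EXE passes through the session check.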

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
