Ben wrote: > Dan Trainor said the following on 10/27/2005 01:34 PM: > >> Ben wrote: >> >>> Move the files outside the document root so that they aren't available >>> via a direct URL, then create a 'file access page' in php that will >>> check for the session variable and either send or not send the file >>> based on whether the user has access. >>> >>> - Ben >>> >> >> >> Ben - >> >> I knew this, but it was the "send or not send" thing that I was >> concerned about ;) > > > Sounds like you need to have a look here: > http://ca3.php.net/manual/en/ref.filesystem.php > > and specifically here: > http://ca3.php.net/manual/en/function.fpassthru.php > > and so you can set the proper headers: > http://ca3.php.net/manual/en/function.filetype.php > > The on-line manual is your friend :-). > > Also, you will want to be _very_ careful about ensuring that the file > you are sending is in fact the file you want to be sending (ie > /etc/passwd would be a no-no). > > - Ben > Ben - Yes, I've been playing with passthru() today, and it's quite interesting. I think it's going to work. I made a little pass-through (pardon the pun) scriupt to do exactly what I'm looking for. I've already started working on a set of sanity checks and such for the requested files to prevent such malicious activity. I want to thank you all again for your help. Thanks! -dant -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
