Dan Trainor wrote:
Hello, all - I'm designing a controlled access system in PHP, and it's coming along quite well. It's very simple, and just sets a session varibale, such as $_SESSION['authenticated'] = 1, not a whole lot.
If you do this this, you must make sure you have some sort of session hijacking prevention in place.
Now I run a small sniplet of code on the top of each HTML and PHP file, which checks for this variable, and either allows or denys access to the page. However, how do people protect against the downloading of real files, ones which are not parsed by PHP? .WMV, .MOV, .ZIP, .EXE and so on? I want to protect access to these as well, and if a visitor just types in a URL and is able to access the file because my access control mechanism simply doesn't work on those types of files, what should be the solution here? It's been suggested to use readfile() to accomplish this, by forwarding content from outside of the document root - but this just sounds odd. On top of being (what I think would be) incredibly slow, it just doesn't sound "right".
This works fine for me on one site I maintain, though not with readfile(). When testing readfile() always crapped out at around 2Mb, whereas fopen() and a while loop with fread() working perfectly, even for larger files (up to 200Mb). Not tested this on high traffic, though it all depends on how large you files are.
-- Richard Heyes -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
