On Thu, 2006-04-27 at 00:18, Peter Lauri wrote: > Best group member, > > > > I am creating a file system class. I will have a web based document center > with different access roles. All users in the system will not be able to > view the files. It will all be run thru the web tool. > > > > I will have a class that is called file. That file can give an authorized > user access to a specific file. What I do not want to do is to show them the > location of the file. And if they some how finds out the location of the > file, I do not want them to be able to type > http://www.domain.com/files/important.doc and download the file. > > > > Should I put the files outside of the web file system (outside of httpdocs) > so that they can not get the file thru the web browser? > > > > Or should I save the docs in a database instead and control the access thru > that? > > > > Is there anyone with comments? Is it anyone with experience about this? Put them outside web folder, if that's not possible place a .htaccess lock on their directory. When a file is requested, make the request pass through a script that can validate access and then use readfile() to output it directly to the user's browser. You should set appropriate headers for the file to let the user's browser know how to save it. That information can be kept in the database table, while you keep the file on the filesystem where it belongs :) Cheers, Rob. -- .------------------------------------------------------------. | InterJinn Application Framework - http://www.interjinn.com | :------------------------------------------------------------: | An application and templating framework for PHP. Boasting | | a powerful, scalable system for accessing system services | | such as forms, properties, sessions, and caches. InterJinn | | also provides an extremely flexible architecture for | | creating re-usable components quickly and easily. | `------------------------------------------------------------' -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php