At 01:44 AM 9/25/2006, Ramiro wrote:
Hi, i'm trying to find a good solution to this problem. I want download files from a directory outside DocumentRoot. This files cannot be downloaded through direct url like http://site/test.zip. It must be downloaded after user login. I know i can do that using some functions like fread() + fopen() or readfile(), than i would echo file buffer to browser with correct headers. But, reading then dumping file to browser is a big problem to server. I've made one test that shows me i will "eat" 1.8% of RAM (i've used "ps aux" at Linux, in a server with 2Gb of RAM) to download a 30Mb file at 60kb/s speed. So, imagine what a dump-php-script can do with 50 to 100 concurrently downloads. Probably i will need 1 TeraByte of RAM to provide downloads ;) Theres my question now. Is there other way to protect files against direct downloading? (Obligating users to login and denying direct-url's). I also know i can check referer by using Mod_Rewrite at Apache. But it isn't secure, since referer cannot be sent or be fake. Please, help me ;) Thank you ! -------- Script i used to test: <? $url = "test.tar.gz"; header('Content-Description: File Transfer'); header('Content-Type: application/force-download'); header("Content-Disposition: attachment; filename=\"".basename($url)."\";"); header('Content-Length: ' . filesize($url)); @readfile($url) OR die(); ?> -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
This is the contents of a script used to fetch .swf's. The script is called from a Flash movie.
$filenam = $_REQUEST["filenam"]; if ($filenam){ $contents = file_get_contents( "../above_root/" . $filenam ); echo $contents; }else{ echo "Not found"; } HTH - Miles -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.1.405 / Virus Database: 268.12.8/455 - Release Date: 9/22/2006 -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php