On Sun, September 24, 2006 11:44 pm, Ramiro wrote: > i'm trying to find a good solution to this problem. I want download > files > from a directory outside DocumentRoot. > > This files cannot be downloaded through direct url like > http://site/test.zip. It must be downloaded after user login. > > I know i can do that using some functions like fread() + fopen() or > readfile(), than i would echo file buffer to browser with correct > headers. > But, reading then dumping file to browser is a big problem to server. > > I've made one test that shows me i will "eat" 1.8% of RAM (i've used > "ps > aux" at Linux, in a server with 2Gb of RAM) to download a 30Mb file at > 60kb/s speed. So, imagine what a dump-php-script can do with 50 to 100 > concurrently downloads. Probably i will need 1 TeraByte of RAM to > provide > downloads ;) Which did you use? readfile() or fopen/fread Because readfile() probably WILL cause that problem. But fopen/fread with a small buffer will allow many more concurrent downloads to "share" the RAM, but will also use as much RAM as is available, if nothing else is going on... I suspect your test is flawed, in other words. :-) > > Theres my question now. Is there other way to protect files against > direct > downloading? (Obligating users to login and denying direct-url's). Well, there's HTTP Authentication. There's time-specific URLs. There's all kinds of ways to protect a directory and require login... > I also know i can check referer by using Mod_Rewrite at Apache. But it > isn't > secure, since referer cannot be sent or be fake. > header('Content-Description: File Transfer'); > header('Content-Type: application/force-download'); > header("Content-Disposition: attachment; > filename=\"".basename($url)."\";"); Bogus, bogus, bogus. Please read this rant: http://richardlynch.blogspot.com/ > header('Content-Length: ' . filesize($url)); > @readfile($url) OR die(); Yup, readfile() That's a big difference right there... fopen/fread != readfile -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
