Re: restricted file access

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Through PHP you can access the filesystem, so the folder containing your documents doesn't even have to be on the website. 
I would do this way:
<A HREF="getfile.php?filename=something.doc">Click here</A>

And in the PHP file:

file_get_contents(DOCFOLDER . $_GET['filename'])

or something like this.

SanTa
----- Original Message ----- From: "Angelo Zanetti" <angelo@xxxxxxxxxxxxxxx> 
To: "'tedd'" <tedd.sperling@xxxxxxxxx>; <php-general@xxxxxxxxxxxxx>
Sent: Thursday, August 28, 2008 10:50 AM
Subject: RE:  restricted file access



Thanks for your reply.

But what happens if the file is situated here:

www.site.com/include/documents/file.doc
and someone knows that path file somehow or they get a program to crawl the 
site. Then they would be able to get that file. How do we prevent that?

Thanks in advance.




-----Original Message-----
From: tedd [mailto:tedd.sperling@xxxxxxxxx]
Sent: 27 August 2008 17:29
To: php-general@xxxxxxxxxxxxx
Subject: Re:  restricted file access

At 4:13 PM +0200 8/27/08, Angelo Zanetti wrote:

Hi all,

We have a site and we have created an admin section where the admin can
upload documents.

We have made a user login section where they can view a list of the
documents (from the DB) and download the file.

We want to make the site however not allow ppl to type in the path of the
document and retrieve the file. How is this accomplished?

Are the documents stored in a hidden / non-web accessible directory?

Or is this restricted with APACHE?

Please advise



Well...none of the above.

I would have a php script deliver the files and not allow the user to
see the path.

Here's an example:

http://php1.net/b/file-browser/index.php

It would be a simple matter not to show the path but rather just show
what's available to the user and then let the php script deliver the
product to the user via a common url, like the demo does.

In other words, the most that any user can get is the path to one
spot where your script deposits the file for download.

Cheers,

tedd

--
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux