Re: How To Limit File Uploader Against Hijackers?

Nitsan Bin-Nun wrote:

On Sat, May 30, 2009 at 7:02 PM, Ashley Sheridan <ash@xxxxxxxxxxxxxxxxxxxx> wrote:

    On Sat, 2009-05-30 at 17:54 +0200, Nitsan Bin-Nun wrote:
    > That's the verification that my layer does. I'm not sure whether that's enough or not.
    >
    > On Sat, May 30, 2009 at 4:43 PM, Michael A. Peters <mpeters@xxxxxxx> wrote:
    >
    > > Nitsan Bin-Nun wrote:
    > >
    > >  On Sat, May 30, 2009 at 3:26 PM, Michael A. Peters <mpeters@xxxxxxx> wrote:
    > >>
    > >>    Nitsan Bin-Nun wrote:
    > >>
    > >>        Hi
    > >>
    > >>        I have written a file uploader in PHP, and I don't want people to hijack it (get direct links, download whenever they want, etc.).
    > >>
    > >>        Currently I have placed the uploaded files one directory up from the www root, and I'm hosting the file's MIME type in order to serve them on the fly.
    > >>
    > >>        I'm trying to think how I should secure this website; I don't want people to get direct links, etc.
    > >>
    > >>        Currently the links are being checked with the $_SERVER['refer'] variable and it is being compared to the one in my config file.
    > >>
    > >>        Any ideas will be very appreciated! Thanks!
    > >>
    > >>        By the way, does this file serving feature take a lot of load from the server? If so, then what are the other options? Can I serve these files without PHP involved? Let's say only by some sort of Apache module or anything like that?
    > >>
    > >>    What I do -
    > >>
    > >>    Files for restricted access are outside the web root.
    > >>    A PHP wrapper script verifies the credentials of the user to download the file (i.e. via a post token, session ID, etc.) and, if allowed, it then sends the real file.
    > >>
    > >>    I use mod_rewrite (Apache) to send requests for the real file to the PHP wrapper script so that the linked file has the same name as the real file (lets me use the same wrapper for lots of different files).
    > >>
    > >>    As far as load on the server, no - I don't think it costs a lot as far as system resources.
    > >>
    > >> Thank you for the fast answer.
    > >>
    > >> I'm doing the same regarding the PHP wrapper layer, but the thing is that I just don't know what verification exams I should do in the PHP wrapping layer. I'm not sure what is the way that it should be done.
    > >>
    > > I check the referrer, assuming no other credential is required; if it is from an approved site or not sent (some people disable sending the http_referrer in their browser), I allow it. Otherwise I don't.
    > >
    That should be fine for downloading files. There will be an issue if they are media files and you want to play them from a browser plugin, as no plugin I've ever seen actually passes the referrer header.

    Ash
    www.ashleysheridan.co.uk

I'm sending download headers; there will be no option of playing it from the browser's plugin. Thank you both for your comments. I have decided that the referrer check is enough for now :)

Nitsan


If you really want to be sure, you can use session variables with a download wrapper.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
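
The wrapper Michael describes earlier in the thread (files kept outside the web root, a PHP script that checks a credential before streaming the file, mod_rewrite mapping the real file name onto that script) together with the closing suggestion to rely on session variables, written out as one added example. This is not code from any of the posters. It assumes an upload directory of /var/www/uploads one level above the document root, that the upload script records each user's own file names in $_SESSION['owned_files'], and the rewrite rule shown in the leading comment; all three are illustrative choices, not something the thread states. It checks the session rather than the Referer header, because the Referer is supplied by the client and can be omitted or forged with any HTTP client, and it validates the requested name so the wrapper cannot be pointed at files outside the upload directory.

```php
<?php
// download.php (added example; not the original poster's code)
//
// Assumed Apache mapping (mod_rewrite, in the document root's .htaccess),
// so that /files/report.pdf reaches this script as ?file=report.pdf and the
// link carries the real file name, as Michael describes:
//
//   RewriteEngine On
//   RewriteRule ^files/([^/]+)$ /download.php?file=$1 [L]
//
// Requires PHP 7 or later.
declare(strict_types=1);

// Assumption: uploads live here, one level above DocumentRoot, so no
// direct URL to them exists at all.
const UPLOAD_DIR = '/var/www/uploads';

session_start();

// 1. Authentication: is there a logged-in user in the session at all?
//    This is the check a Referer comparison cannot provide.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Login required');
}

// 2. Accept only a plain file name: letters, digits, dot, underscore, dash,
//    no leading dot. This rejects "../../etc/passwd", absolute paths,
//    and dotfiles such as .htaccess before anything touches the disk.
$name = $_GET['file'] ?? '';
if (!is_string($name)
    || !preg_match('/\A[A-Za-z0-9._-]{1,128}\z/', $name)
    || $name[0] === '.') {
    http_response_code(400);
    exit('Bad file name');
}

// 3. Resolve the path and confirm it is still inside UPLOAD_DIR.
//    realpath() follows symlinks, so a planted link pointing elsewhere
//    fails this prefix check too.
$path = realpath(UPLOAD_DIR . '/' . $name);
if ($path === false
    || strpos($path, UPLOAD_DIR . '/') !== 0
    || !is_file($path)) {
    http_response_code(404);
    exit('Not found');
}

// 4. Authorisation: only the user who uploaded the file may fetch it.
//    Assumption: the upload script appended the name to this session list.
$owned = $_SESSION['owned_files'] ?? [];
if (!in_array($name, $owned, true)) {
    http_response_code(403);
    exit('Not your file');
}

// 5. Force a download. Content-Disposition: attachment plus nosniff means
//    the browser saves the bytes instead of rendering an uploaded HTML or
//    SVG file in the site's origin. $name is already restricted to safe
//    characters, so it can be quoted into the header as-is.
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($path));
header('Cache-Control: private, no-store');

// readfile() streams the file to the client without reading it all into
// memory, which is why the load on the server stays modest.
readfile($path);
```

If the files must be playable inline by a media plugin (Ash's caveat), the session check above still works where a Referer check does not, because the session cookie is sent by the browser on the plugin's behalf; only the Content-Disposition header would change from attachment to inline. For large files on a busy host the same checks can be kept in PHP while the byte streaming is handed to the web server, for example via Apache's mod_xsendfile, which this example does not use.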

