I'm pretty sure you'll want to keep the $1 part of the rewrite rule, that's what is going to send the querystring to the new request for index.php. Are you having the users log in using php? If so, you can replace your own permission code where I have put: if (isset($_SESSION['userObj'])) { Possibly store the owner ID on the file record and check to make sure it matches the logged in user? $qry= $Conn->GetRow("Select file_type from tbl_file where file_owner = $loggedInOperator and file_name = " . $Conn->Quote($fileName)); Oops, looks like I used GetOne instead of GetRow in my original example. Or am I missing the point somewhere? -jmb Andres Santos wrote: > Thanks Jeff, all i was looking for was the > > RewriteEngine on > RewriteRule ^(.*)$ /get.php?file=download/$1 > > which i mutated to > RewriteEngine on > RewriteRule ^(.*)$ /index.php > > That way nobody can manually access the files. The only way is through a > dinamically generated link: > www.foo.com/get.php?id=$id&hash=$hash > > Where: > $id = file id in mysql table > $hash = md5($filename) > > Of course if someone discovers the filename of a specific file ID, he could > easily get the md5 hash of the filename and get the file. Do you know any > solutions to that? The thing is that user A should not be able by any > meanings to read files from user B. > > I was thinking to combine the $hash value like this: > $hash = md5($filename.'2006#06#04'); > > That means that the hash changes everyday... i still dont know if thats a > good prevention method. Any ideas welcomed. > > Thanks again, > Andres S > > > > > > On 6/5/06, Jeff Bennett <JBennett@xxxxxxxxxxxxx> wrote: > >> put the following in an .htaccess file in the download directory: >> >> RewriteEngine on >> RewriteRule ^(.*)$ /get.php?file=download/$1 >> >> >> >> And then something like this in get.php: >> >> <?php >> if (isset($_GET['file'])) { >> ob_start(); >> require_once('globals.php'); >> $fileName = $_GET['file']; >> $fileBase = basename($fileName); >> >> $qry= $Conn->GetOne("Select file_type from tbl_file where file_name >> = " . $Conn->Quote($fileName)); >> ob_end_clean(); >> if ($qry) { >> if (isset($_SESSION['userObj'])) { >> //has permission >> header("Content-type: {$qry['file_type']}"); >> header("Content-Disposition: filename=\"$fileBase\""); >> readfile($fileName); >> } else { >> // has no permission - not logged in most likely >> echo('HTTP/1.0 403 Forbidden'); >> } >> unset($memberObj); >> } else { >> echo('HTTP/1.0 404 Not Found'); >> } >> } else { >> echo('HTTP/1.0 404 Not Found'); >> } >> ?> >> >> HTH >> >> -jmb >> >> >> Andres Santos wrote: >> >>> Hi. >>> >>> I have a /download directory for my website. I dont want the files to >>> get downloaded just by typing >>> http://www.foo.com/download/some_file.doc because its sensitive >>> information. >>> >>> I was wondering if there's a way to DISABLE the file download through >>> the .htaccess, and then i could get the file with something like: >>> http://www.foo.com/get.php?id=$ID_OF_FILE&hash=MD5($filename)<http://www.foo.com/get.php?id=$ID_OF_FILE&hash=MD5%28$filename%29> >>> >>> >>> Thanks, >>> Andres S. >>> >>> >>> >>> PHP Data object relational mapping generator >>> http://www.metastorage.net/ >>> Yahoo! Groups Links >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >> >> > > > > ------------------------ Yahoo! Groups Sponsor --------------------~--> Home is just a click away. Make Yahoo! your home page now. http://us.click.yahoo.com/DHchtC/3FxNAA/yQLSAA/saFolB/TM --------------------------------------------------------------------~-> PHP Data object relational mapping generator http://www.metastorage.net/ Yahoo! Groups Links <*> To visit your group on the web, go to: http://groups.yahoo.com/group/php-objects/ <*> To unsubscribe from this group, send an email to: php-objects-unsubscribe@xxxxxxxxxxxxxxx <*> Your use of Yahoo! Groups is subject to: http://docs.yahoo.com/info/terms/