Ah, I think I see what you are trying to do by removing the $1. You are trying to trap any direct access to the downloads directory?

My example turns www.foo.com/downloads/somefile.doc into www.foo.com/get.php?file=downloads/somefile.doc, then get.php does security validation and then serves the file through itself.

-jmb

Andres Santos wrote:
> Thanks Jeff, all I was looking for was the
>
> RewriteEngine on
> RewriteRule ^(.*)$ /get.php?file=download/$1
>
> which I mutated to
>
> RewriteEngine on
> RewriteRule ^(.*)$ /index.php
>
> That way nobody can manually access the files. The only way is through a
> dynamically generated link:
> www.foo.com/get.php?id=$id&hash=$hash
>
> Where:
> $id = file id in mysql table
> $hash = md5($filename)
>
> Of course, if someone discovers the filename of a specific file ID, he could
> easily get the md5 hash of the filename and get the file. Do you know any
> solutions to that? The thing is that user A should not be able by any
> means to read files from user B.
>
> I was thinking to combine the $hash value like this:
> $hash = md5($filename.'2006#06#04');
>
> That means that the hash changes every day... I still don't know if that's a
> good prevention method. Any ideas welcomed.
>
> Thanks again,
> Andres S
>
> On 6/5/06, Jeff Bennett <JBennett@xxxxxxxxxxxxx> wrote:
>
>> Put the following in an .htaccess file in the download directory:
>>
>> RewriteEngine on
>> RewriteRule ^(.*)$ /get.php?file=download/$1
>>
>> And then something like this in get.php:
>>
>> <?php
>> if (isset($_GET['file'])) {
>>     // Buffer any output from the includes so headers can still be sent
>>     ob_start();
>>     require_once('globals.php');
>>     $fileName = $_GET['file'];
>>     $fileBase = basename($fileName);
>>
>>     // Only files registered in tbl_file can be served
>>     $qry = $Conn->GetOne("Select file_type from tbl_file where file_name = " . $Conn->Quote($fileName));
>>     ob_end_clean();
>>     if ($qry) {
>>         if (isset($_SESSION['userObj'])) {
>>             // has permission
>>             header("Content-type: {$qry['file_type']}");
>>             header("Content-Disposition: filename=\"$fileBase\"");
>>             readfile($fileName);
>>         } else {
>>             // has no permission - not logged in most likely
>>             // (sent with header() so the client gets a real 403 status)
>>             header('HTTP/1.0 403 Forbidden');
>>         }
>>         unset($memberObj);
>>     } else {
>>         header('HTTP/1.0 404 Not Found');
>>     }
>> } else {
>>     header('HTTP/1.0 404 Not Found');
>> }
>> ?>
>>
>> HTH
>>
>> -jmb
>>
>> Andres Santos wrote:
>>
>>> Hi.
>>>
>>> I have a /download directory for my website. I don't want the files to
>>> get downloaded just by typing
>>> http://www.foo.com/download/some_file.doc because it's sensitive
>>> information.
>>>
>>> I was wondering if there's a way to DISABLE the file download through
>>> the .htaccess, and then I could get the file with something like:
>>> http://www.foo.com/get.php?id=$ID_OF_FILE&hash=MD5($filename)
>>>
>>> Thanks,
>>> Andres S.
>>>
>>> PHP Data object relational mapping generator
>>> http://www.metastorage.net/

Yahoo! Groups Links

<*> To visit your group on the web, go to:
    http://groups.yahoo.com/group/php-objects/
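
The guessable md5($filename) link discussed in this thread can be replaced by a keyed, expiring token bound to the logged-in user. This is an added example, not code from the thread; SECRET_KEY, make_download_link() and check_download_link() are hypothetical names, and the user id is assumed to come from the session.

```php
<?php
// Added example, not code from the thread. All names here are hypothetical.

// Assumption: a long random secret stored server-side, outside the web root.
const SECRET_KEY = 'replace-with-a-long-random-server-side-secret';

// Build a link for one file and one user, valid until $expires (Unix time).
function make_download_link(int $fileId, int $userId, int $expires): string
{
    // The MAC covers every value the client must not be able to change.
    $hash = hash_hmac('sha256', "$fileId|$userId|$expires", SECRET_KEY);
    // The user id is deliberately left out of the URL.
    return "/get.php?id=$fileId&expires=$expires&hash=$hash";
}

// True only if the link was issued by this server, for this user, and is unexpired.
function check_download_link(array $query, int $sessionUserId, int $now): bool
{
    $id      = $query['id'] ?? '';
    $expires = $query['expires'] ?? '';
    $hash    = $query['hash'] ?? '';
    // Reject arrays (?id[]=1) and anything that is not a plain decimal number.
    if (!is_string($id) || !is_string($expires) || !is_string($hash)) {
        return false;
    }
    if (!ctype_digit($id) || !ctype_digit($expires)) {
        return false;
    }
    if ((int)$expires < $now) {
        return false;
    }
    // Recompute with the user id taken from the session, never from the URL.
    $expected = hash_hmac('sha256', "$id|$sessionUserId|$expires", SECRET_KEY);
    // Constant-time comparison avoids leaking the MAC through timing.
    return hash_equals($expected, $hash);
}

// Constructed sample run with a fixed clock (2006-06-05 00:00:00 UTC).
$now  = 1149465600;
$link = make_download_link(42, 7, $now + 3600);
parse_str(parse_url($link, PHP_URL_QUERY), $q);

var_dump(check_download_link($q, 7, $now));        // the user the link was issued to
var_dump(check_download_link($q, 8, $now));        // a different logged-in user
var_dump(check_download_link($q, 7, $now + 7200)); // same user, after expiry
$q['id'] = '43';
var_dump(check_download_link($q, 7, $now));        // file id changed by the client
```

In get.php, call check_download_link($_GET, <logged-in user id>, time()) before readfile(), and look up the file path by id in the database rather than taking it from the URL.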