I use a download script to allow users to download files that are not in a
publicly accessible directory. The files should only be downloadable from a
secure page which only authenticated users have access to. But how do I
prevent someone from running the download script? The hyperlinks in the
secure page point to the download script which is in a public directory. If
the script is not in a public directory, the links fail.
The secure page looks like this:
<?php
session_start();
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv='Content-Type' content='text/html; charset=iso-8859-1'>
<link href='../../style.css' rel='stylesheet' type='text/css'>
<title>Secure Page</title>
</head>
<body>
<?php
if (validate($_SESSION['uid']))
{
    // ... echo a bunch of HTML with hyperlinks, e.g.:
    echo "<a href='mydownloadscript.php?nav=somefile.zip'>somefile.zip</a>";
}
?>
</body>
</html>
The download script looks like this:
<?php
// No authentication check here, and the value of nav is joined to the
// directory path as-is: this is the insecure version the question is about.
$filename = $_GET['nav'];
$dlfile = "/home/private/directory/" . $filename;
header("Content-Disposition: attachment; filename=" . $filename);
header("Content-Length: " . filesize($dlfile));
readfile($dlfile);
?>
Obviously, this isn't secure because someone could guess (or sniff) the
filename. I've tried to do something like this:
[mydownloadscript.php]
<?php
session_start();
if ($_SESSION['uid'])
{
    // Same download code as before, now only reached with a logged-in session
    $filename = $_GET['nav'];
    $dlfile = "/home/private/directory/" . $filename;
    header("Content-Disposition: attachment; filename=" . $filename);
    header("Content-Length: " . filesize($dlfile));
    readfile($dlfile);
}
?>
but then readfile() fails because of problems with the header information
caused by session_start().
Is there a better way? Other alternatives?
Thanks in advance.
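One way to gate the download script on the session, as an added example rather than the original poster's code. It assumes the login page stores the user's id in $_SESSION['uid'] and that the files live under /home/private/directory as in the question; the validate() helper from the post is replaced by a plain check on the session value. session_cache_limiter('') switches off the no-cache headers that session_start() adds by default, the script exits with an HTTP status instead of emitting anything when the check fails, and the realpath() comparison keeps the requested name inside the private directory so that the value of nav cannot select a file elsewhere.

```php
<?php
// mydownloadscript.php -- added example, not the original poster's code.
// Assumptions (not stated in the post): the login page sets $_SESSION['uid'],
// and the downloadable files sit in /home/private/directory, outside the web root.
// There must be no whitespace or HTML before this opening tag, or the
// header() calls below fail with "headers already sent".
declare(strict_types=1);

// Do not let the session machinery add Cache-Control/Pragma no-cache headers;
// some browsers refuse to save a download that carries them over HTTPS.
session_cache_limiter('');
session_start();

// 1. Authentication gate: no logged-in session, no file. A real status code
//    is better than a blank 200 page, both for the user and for the access log.
if (empty($_SESSION['uid'])) {
    http_response_code(403);
    exit('Forbidden');
}

// 2. Constrain the requested name. basename() drops any directory part, and the
//    realpath() prefix check guarantees the resolved file is still under $baseDir.
$baseDir = realpath('/home/private/directory');
$name    = basename((string)($_GET['nav'] ?? ''));
$dlfile  = ($baseDir !== false && $name !== '') ? realpath($baseDir . '/' . $name) : false;

if ($dlfile === false
    || strpos($dlfile, $baseDir . DIRECTORY_SEPARATOR) !== 0
    || !is_file($dlfile)) {
    http_response_code(404);
    exit('Not found');
}

// 3. Discard any buffered output so the headers and the file body go out clean.
while (ob_get_level() > 0) {
    ob_end_clean();
}

header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($dlfile));
readfile($dlfile);
exit;
```

The links in the secure page stay exactly as they are (mydownloadscript.php?nav=somefile.zip); the script itself can remain in the public directory because every request now has to carry a valid session cookie before a single byte of the file is read.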