Secure File

  • Wes

    Secure File

    I have sessions working where individual users have their own person
    information and can't view others personal info... The problem is, the
    sessions block them in php but I can't block them from files that I can't
    have the session security.

    I tried imbedding the file into a secured php file but it did not work, my
    code is below that I used. For reference, 00231 is the username to login so
    it checks if the username is the same etc.

    <?
    // Agent Access - secure page

    // session check
    session_start();
    if ($SESSION_UNAME != "00231")
    {
    // if session check fails, invoke error handler
    header("Location: error.php?e=2");
    exit();
    }
    require("http://www.cmiteam.com/privagents/contests/test.pdf");
    ?>


  • Ian.H

    #2
    Re: Secure File

    On Fri, 19 Dec 2003 13:38:37 -0500, Wes wrote:
    > I have sessions working where individual users have their own person
    > information and can't view others personal info... The problem is, the
    > sessions block them in php but I can't block them from files that I can't
    > have the session security.
    >
    > I tried imbedding the file into a secured php file but it did not work, my
    > code is below that I used. For reference, 00231 is the username to login
    > so it checks if the username is the same etc.
    >
    > <?
    > // Agent Access - secure page
    >
    > // session check
    > session_start();
    > if ($SESSION_UNAME != "00231")
    > {
    > // if session check fails, invoke error handler
    > header("Location: error.php?e=2");
    > exit();
    > }
    > require("http://www.cmiteam.com/privagents/contests/test.pdf");
    > ?>


    Store the PDF (and whatnot) in a directory outside of your Web accessible
    directories and write a small download function to download the files. As
    they're read in via the PHP script for downloading, they don't physically
    need to be accessible by the Web, meaning people can't bypass your script
    and access them directly. This enables you to limit access depending on
    your session data.

    Have the URIs such as:


    <http://domain.com/privagents/contents/download.php/1>


    Then the likes of:


    <?php
    $path_info = explode('/', $_SERVER['PATH_INFO']);
    $file_id = intval($path_info[1]);

    download_file($file_id);
    ?>


    Write the download_file(int ID) function to read the filename and details
    from a database or equivalent and send a binary header so that the file
    downloads (I'll leave this as an educational experience).


    HTH =)



    Regards,

    Ian

    --
    Ian.H [Design & Development]
    digiServ Network - Web solutions
    www.digiserv.net | irc.digiserv.net | forum.digiserv.net
    Programming, Web design, development & hosting.
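
One way to write the download_file() function that Ian.H's reply leaves as an exercise, as an added example that is not part of the original thread. The storage directory, the file map (standing in for a database) and the `$_SESSION['uname']` key are assumptions made for illustration.

```php
<?php
// Added example: download.php, reached as /privagents/contents/download.php/1
// Assumptions (not from the thread): $_SESSION['uname'] is set at login, and
// the directory and file map below are hypothetical stand-ins for a database.
const STORE_DIR = '/var/private/agent_files';   // outside the web root

// file ID => [stored file name, username allowed to fetch it] (constructed data)
const FILES = [
    1 => ['test.pdf', '00231'],
    2 => ['q4-contest.pdf', '00417'],
];

function deny(int $status): void
{
    http_response_code($status);
    exit;
}

function download_file(int $id, string $user): void
{
    // Unknown ID and "not your file" get the same answer, so IDs cannot be probed.
    if (!isset(FILES[$id]) || FILES[$id][1] !== $user) {
        deny(404);
    }
    // Resolve the real path and confirm it is still inside STORE_DIR.
    $base = realpath(STORE_DIR);
    $path = realpath(STORE_DIR . '/' . FILES[$id][0]);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($path)) {
        deny(404);
    }
    header('Content-Type: application/pdf');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    header('Cache-Control: private, no-store');
    readfile($path);   // streams the file; nothing under the web root is exposed
    exit;
}

session_start();
if (!isset($_SESSION['uname']) || !is_string($_SESSION['uname'])) {
    deny(403);   // not logged in
}
$parts = explode('/', $_SERVER['PATH_INFO'] ?? '');
download_file(intval($parts[1] ?? 0), $_SESSION['uname']);
```

The requester only ever supplies an integer ID; the file name comes from the server-side map, so no user-controlled string reaches the filesystem path.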


    • Wes

      #3
      Re: Secure File

      Thank you Ian.H for your reply.

      I will try your suggestion out.

      Wes

      "Ian.H" <ian@WINDOZEdigiserv.net> wrote in message
      news:pan.2003.12.20.01.51.23.802330@hybris.digiserv.net...
      > On Fri, 19 Dec 2003 13:38:37 -0500, Wes wrote:
      >
      > > I have sessions working where individual users have their own person
      > > information and can't view others personal info... The problem is, the
      > > sessions block them in php but I can't block them from files that I can't
      > > have the session security.
      > >
      > > I tried imbedding the file into a secured php file but it did not work, my
      > > code is below that I used. For reference, 00231 is the username to login
      > > so it checks if the username is the same etc.
      > >
      > > <?
      > > // Agent Access - secure page
      > >
      > > // session check
      > > session_start();
      > > if ($SESSION_UNAME != "00231")
      > > {
      > > // if session check fails, invoke error handler
      > > header("Location: error.php?e=2");
      > > exit();
      > > }
      > > require("http://www.cmiteam.com/privagents/contests/test.pdf");
      > > ?>
      >
      >
      > Store the PDF (and whatnot) in a directory outside of your Web accessible
      > directories and write a small download function to download the files. As
      > they're read in via the PHP script for downloading, they don't physically
      > need to be accessible by the Web, meaning people can't bypass your script
      > and access them directly. This enables you to limit access depending on
      > your session data.
      >
      > Have the URIs such as:
      >
      >
      > <http://domain.com/privagents/contents/download.php/1>
      >
      >
      > Then the likes of:
      >
      >
      > <?php
      > $path_info = explode('/', $_SERVER['PATH_INFO']);
      > $file_id = intval($path_info[1]);
      >
      > download_file($file_id);
      > ?>
      >
      >
      > Write the download_file(int ID) function to read the filename and details
      > from a database or equivalent and send a binary header so that the file
      > downloads (I'll leave this as an educational experience).
      >
      >
      > HTH =)
      >
      >
      >
      > Regards,
      >
      > Ian
      >
      > --
      > Ian.H [Design & Development]
      > digiServ Network - Web solutions
      > www.digiserv.net | irc.digiserv.net | forum.digiserv.net
      > Programming, Web design, development & hosting.
      >

