File with no link

  • Ozz

    File with no link

    Hi there,
    I have a link on my web page. When clicked, it opens up a pdf file that is
    stored on my server. Every file is specific to a user's user name and I
    don't want users to see each other's files.
    For example:
    When User1 clicks on the link, it opens up
    http://mydomain.com/files/user1.pdf
    and when User2 clicks on the link, it opens up
    http://mydomain.com/files/user2.pdf.

    So, if User1 knows about User2, he can see User2's pdf file.

    How can I make the file open up in a different window without the file
    path in the address bar?

    Thanks,
    Usman

  • Gordon Burditt

    #2
    Re: File with no link

    >I have a link on my web page. When clicked, opens up a pdf file that is
    >stored on my server. Every file is specific to a user's user name and I
    >don't want users to see each other's files.
    >For example:
    >When User1 clicks on the link, it opens up
    >http://mydomain.com/files/user1.pdf
    >and when User2 clicks on the link, it opens up
    >http://mydomain.com/files/user2.pdf.
    >
    >So, if User1 knows about User2, he can see User2's pdf file.
    >
    >How can I make the file open up in a different window without the file
    >path in the address bar?

    Make sure that there is *NO* URL that can be used to obtain
    the file for a user unless the person is logged in as that user.
    Provide one URL that can be used by a user to get their own file.

    Write a PHP script, say, pdf.php, which does the following:

    1. Determines if the user is logged in, if not, rejects the request.
    2. Opens the .pdf file (located *outside* the web server document root)
    for the logged in user, using the username as part of the path
    name somehow. Or, it could generate the pdf file on the fly.
    3. Outputs a content-type header for a pdf file.
    4. Calls fpassthru() on the file opened in #2.

    The user clicks on a link to pdf.php, and they get *their* pdf file.

    Gordon L. Burditt
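One way to write the pdf.php script outlined in the four steps above, added here as an example and not part of the original post. It assumes the login code stores the authenticated name in `$_SESSION['username']` and that files are kept as `<username>.pdf` in a hypothetical directory `/var/private/pdfs` outside the document root.

```php
<?php
// pdf.php - added example; every user requests this same URL.
// Assumptions (not from the thread): the login code stores the authenticated
// name in $_SESSION['username'], and files are stored as <username>.pdf
// in PDF_DIR, a hypothetical directory outside the document root.
const PDF_DIR = '/var/private/pdfs';

session_start();

// Step 1: reject anyone who is not logged in.
$user = $_SESSION['username'] ?? null;
if (!is_string($user) || $user === '') {
    http_response_code(403);
    exit('Please log in to view your file.');
}

// Step 2: build the path from the session only, never from $_GET/$_POST.
// Restricting the character set keeps "../" and NUL bytes out of the path.
if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $user)) {
    http_response_code(400);
    exit('Invalid account name.');
}
$base = realpath(PDF_DIR);
$path = realpath(PDF_DIR . '/' . $user . '.pdf');

// realpath() resolves symlinks; confirm the result is still inside PDF_DIR.
if ($base === false || $path === false
    || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
    http_response_code(404);
    exit('No file is available for your account.');
}
$fh = fopen($path, 'rb');
if ($fh === false) {
    http_response_code(500);
    exit('The file could not be opened.');
}

// Step 3: headers. "inline" shows the PDF in the browser; change it to
// "attachment" to get a save prompt instead.
header('Content-Type: application/pdf');
header('Content-Length: ' . filesize($path));
header('Content-Disposition: inline; filename="statement.pdf"');
header('Cache-Control: private, no-store');
header('X-Content-Type-Options: nosniff');

// Step 4: stream the file to the client.
fpassthru($fh);
fclose($fh);
```

Because the path comes only from the session, changing anything in the request cannot select another user's file; the URL is identical for everyone.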


    • Ozz

      #3
      Re: File with no link

      Thanks Gordon,
      Your solution totally makes sense. Once I know the user is logged in, I
      determine what is his file name. Then I open a file stream to that
      file, and using fpassthru() spit it out.

      I can totally see how to implement this. However, I was wondering if
      there is a PHP function that takes a file name (located on the server)
      as input, and pops up a window with the PDF file in it. Or even prompts
      the user to save the file. This way, there is no URL in the story. And
      hence, no privacy issues.

      I would appreciate any idea.
      Thanks.
      Usman


      Gordon Burditt wrote:
      > >I have a link on my web page. When clicked, opens up a pdf file that is
      > >stored on my server. Every file is specific to a user's user name and I
      > >don't want users to see each other's files.
      > >For example:
      > >When User1 clicks on the link, it opens up
      > >http://mydomain.com/files/user1.pdf
      > >and when User2 clicks on the link, it opens up
      > >http://mydomain.com/files/user2.pdf.
      > >
      > >So, if User1 knows about User2, he can see User2's pdf file.
      > >
      > >How can I make the file open up in a different window without the file
      > >path in the address bar?
      >
      > Make sure that there is *NO* URL that can be used to obtain
      > the file for a user unless the person is logged in as that user.
      > Provide one URL that can be used by a user to get their own file.
      >
      > Write a PHP script, say, pdf.php, which does the following:
      >
      > 1. Determines if the user is logged in, if not, rejects the request.
      > 2. Opens the .pdf file (located *outside* the web server document root)
      > for the logged in user, using the username as part of the path
      > name somehow. Or, it could generate the pdf file on the fly.
      > 3. Outputs a content-type header for a pdf file.
      > 4. Calls fpassthru() on the file opened in #2.
      >
      > The user clicks on a link to pdf.php, and they get *their* pdf file.
      >
      > Gordon L. Burditt

      • Gordon Burditt

        #4
        Re: File with no link

        >Your solution totally makes sense. Once I know the user is logged in, I
        >determine what is his file name. Then I open a file stream to that
        >file, and using fpassthru() spit it out.

        You do this in a .php file which as far as the user is concerned
        *is* the pdf file. And you can put in as many security checks
        as you like before delivering the file.

        >I can totally see how to implement this. However, I was wondering if
        >there is a PHP function that takes a file name (located on the server)
        *OUTSIDE THE DOCUMENT TREE*
        >as input, and pops up a window with the PDF file in it.

        It's not that hard to do using a combination of fopen(), fpassthru(),
        (inside the script I suggested) and outputting some HTML that points
        at the script I suggested.

        >Or even prompts

        If you want to pop up a window, that requires HTML. Or Javascript,
        which is Turned Off(tm). And as far as I know, either requires a
        URL for what to put *in* the window. That's where the script I
        suggested comes in. I consider popping up a window to be obnoxious
        behavior so I don't remember how to do it.

        >the user to save the file. This way, there is no URL in the story. And
        >hence, no privacy issues.

        The URL to the PHP script I suggested gives the user his *own* pdf
        file. It's like the "View my Statement" link on my bank's website.
        It's the same link for every user (but delivers different info),
        and it gives an error message to those not logged in. Publish it
        to the world: if your login system has decent security, it's not
        a problem. If your login system does not have decent security,
        you're in deep trouble anyway.

        Since the .pdf files for individual users are outside the document
        tree, you can make those paths public, too, since nobody can
        access them. Nobody will see the paths when they access the
        files in the normal way. However, making the paths public provides
        a specific target for someone hacking your system or sending you
        a virus, so I suggest not making them public. There's no innocent
        use of those paths directly by users anyway.

        >Gordon Burditt wrote:
        >> >I have a link on my web page. When clicked, opens up a pdf file that is
        >> >stored on my server. Every file is specific to a user's user name and I
        >> >don't want users to see each other's files.
        >> >For example:
        >> >When User1 clicks on the link, it opens up
        >> >http://mydomain.com/files/user1.pdf
        >> >and when User2 clicks on the link, it opens up
        >> >http://mydomain.com/files/user2.pdf.
        >> >
        >> >So, if User1 knows about User2, he can see User2's pdf file.
        >> >
        >> >How can I make the file open up in a different window without the file
        >> >path in the address bar?
        >>
        >> Make sure that there is *NO* URL that can be used to obtain
        >> the file for a user unless the person is logged in as that user.
        >> Provide one URL that can be used by a user to get their own file.
        >>
        >> Write a PHP script, say, pdf.php, which does the following:
        >>
        >> 1. Determines if the user is logged in, if not, rejects the request.
        >> 2. Opens the .pdf file (located *outside* the web server document root)
        >> for the logged in user, using the username as part of the path
        >> name somehow. Or, it could generate the pdf file on the fly.
        >> 3. Outputs a content-type header for a pdf file.
        >> 4. Calls fpassthru() on the file opened in #2.
        >>
        >> The user clicks on a link to pdf.php, and they get *their* pdf file.
        >>
        >> Gordon L. Burditt
        >

        • Markus Ernst

          #5
          Re: File with no link

          Ozz wrote:
          > Hi there,

          I posted an alternative suggestion in alt.php. Please, if you post the
          same question to several newsgroups, do crosspost (post it to all groups
          at once) and not multipost (post it to each group separately)!
          Multiposting makes people answer questions already answered in another
          group, and thus is considered as wasting people's time.

          --
          Markus


          • frizzle

            #6
            Re: File with no link


            Markus Ernst wrote:
            > Ozz wrote:
            > > Hi there,
            >
            > I posted an alternative suggestion in alt.php. Please, if you post the
            > same question to several newsgroups, do crosspost (post it to all groups
            > at once) and not multipost (post it to each group separately)!
            > Multiposting makes people answer questions already answered in another
            > group, and thus is considered as wasting people's time.
            >
            > --
            > Markus

            I believe htaccess could help you to force them to download, but still
            user.pdf would appear in the browser's history ...


            Frizzle.


            • Ozz

              #7
              Re: File with no link

              Thanks for pointing that out, Markus,
              I wasn't aware of cross-posting. It sounds like an appropriate thing to
              do. Will do it properly next time.

              Cheers,
              Usman

              Markus Ernst wrote:
              > Ozz wrote:
              > > Hi there,
              >
              > I posted an alternative suggestion in alt.php. Please, if you post the
              > same question to several newsgroups, do crosspost (post it to all groups
              > at once) and not multipost (post it to each group separately)!
              > Multiposting makes people answer questions already answered in another
              > group, and thus is considered as wasting people's time.
              >
              > --
              > Markus