On Sat, 2009-05-30 at 17:54 +0200, Nitsan Bin-Nun wrote: > That's the verification that my layer does. I'm not sure whether that's > enough or not. > > On Sat, May 30, 2009 at 4:43 PM, Michael A. Peters <mpet...@mac.com> wrote: > > > Nitsan Bin-Nun wrote: > > > > On Sat, May 30, 2009 at 3:26 PM, Michael A. Peters <mpet...@mac.com<mailto: > >> mpet...@mac.com>> wrote: > >> > >> Nitsan Bin-Nun wrote: > >> > >> Hi > >> > >> I have wrote a file uploader in PHP, and I don't want people to > >> hijack it > >> (get direct links, download whenever they want, etc). > >> > >> Currently I have placed the uploaded files one directory up from > >> the www > >> root, and I'm hosting the files mime type in order to serve them > >> on the fly. > >> > >> I'm trying to think how should I secure this website, I don't > >> want people to > >> get direct links,etc. > >> > >> Currently the links are being check with the $_SERVER['refer'] > >> variables and > >> it being compared to the one in my config file. > >> > >> Any ideas will be very appreciated! Thanks! > >> > >> > >> By the way, does this file serving feature takes a lot of load > >> from the > >> server? if so then what are the other options? can I serve these > >> files w/o > >> PHP involved? lets say only by some sort of apache module or > >> anything like > >> that? > >> > >> > >> What I do - > >> > >> Files for restricted access are outside the web root. > >> php wrapper script verifies the credentials of user to download the > >> file (IE via a post token, session ID, etc.) and if allowed, it then > >> sends the real file. > >> > >> I use mod_rewrite (apache) to send requests for the real file to the > >> php wrapper script so that the linked file has the same name as the > >> real file (lets me use the same wrapper for lots of different files). > >> > >> As far as load on the server, no - I don't think it costs a lot as > >> far as system resources. > >> > >> > >> > >> Thank you for the fast answer. > >> > >> I'm doing the same regarding the php wrapper layer, but the thing is that > >> I just don't know what verification exams should I do in the php wrapping > >> layer. > >> I'm not sure what is the way that it should be done. > >> > > > > I check the referrer, assuming no other credential is required, if it is > > from an approved site or not sent (some people disable sending the > > http_referrer in their browser), I allow it. Otherwise I don't. > > That should be fine for downloading files. There will be an issue if they are media files and you want to play them from a browser plugin, as no plugin I've ever seen actually passes the referrer header.
Ash www.ashleysheridan.co.uk -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
