WebApp Sec mailing list archives

Re: Securing file access


From: "James Barkley" <James.Barkley () noaa gov>
Date: Thu, 30 Sep 2004 05:07:05 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

<?php
// Files live in a directory outside the web root; the client only ever sees a doc_id.
$FILES_DIR = '/var/app/private_docs/';

if (!function_exists ("mime_content_type")) {
    // escapeshellarg(), not escapeshellcmd(): the name is one argument to file(1)
    function mime_content_type ($file) {
        return exec ("file -bikn " . escapeshellarg($file));
    }
}

// Accept only an integer; anything else would otherwise reach the query unquoted.
$doc_id = isset($_GET['doc_id']) ? (int) $_GET['doc_id'] : 0;

if (!user_is_logged_in() || !user_has_access_to_doc($doc_id)) { print "error"; exit; }

if ($doc_id > 0) {
        $query  = "select name from docs where doc_id=" . (int) $doc_id;
        $result = db_query($query);

        if (db_numrows($result) < 1) { print "error"; exit; }
        else { $row = db_fetch_array($result); }

        // basename() keeps a stored name such as "../x" from escaping $FILES_DIR
        $fname = str_replace('"', '', basename($row['name']));
        $path  = $FILES_DIR . $fname;
        if (!is_file($path)) { print "error"; exit; }

        $mimt = mime_content_type($path);
        if (!$mimt) { $mimt = "application/octet-stream"; }
        header("Content-Type: $mimt");
        header('Content-Disposition: inline; filename="' . $fname . '"');
        header("Content-Length: " . filesize($path));
        readfile($path);
} else {
        exit_error("No document data.",
                   "No document to display - invalid or inactive document number.");
}
?>

robbin wrote:

| Script the retrieval and just put the file out there; basically you
| have to open the file and write it to the web page with the
| appropriate header so that the user will be prompted with a download /
| save-as pop-up box.  I've done this in perl,
|
|    use CGI qw(header);
|    use File::Basename qw(basename);
|
|    # send only the leaf name in the header, never the server-side path
|    print header(-type=>"application/x-download",
|                -attachment=>basename($fullyqualifiedfilename),
|                );
|    open (DWNLD,"<$file") or die "cannot open $file: $!";
|    binmode(DWNLD);
|    local $/ = undef;          # slurp the whole file in one read
|    my $zip = <DWNLD>;
|    close (DWNLD);
|
|    binmode(STDOUT);
|    print $zip;
|
| Hope the example helps.
|
| Robbin
|
|
| John M. L. wrote:
|
|> I have a project that involves a members-only area on a web page on IIS.
|> The members-only area is secured by a database (MS Access), so users are
|> authenticated by their name and some MD5 hash etc.  I need to allow files
|> (mostly PDFs) for download to authenticated users only.  In my opinion this
|> means that the files cannot be stored in any www-accessible folder
|> (regardless of any renaming convention etc.; I absolutely cannot have someone
|> guess a file name to download).  In order to access the files, the database
|> would link a file to a unique id, so a page that validates the user would
|> then give access to the file stored outside of the www on the server.  Now,
|> this is where the real question lies.  How is this possible, since the files
|> are not in a www-accessible path, and a mere link to a file won't do?
|> Any thoughts would be welcome.  If I'm going about this completely wrong,
|> that would be nice to know too :)  Forgive me if the answer is simple; I'm a
|> Linux fan and haven't used IIS etc. for years.
|> One more note: IIS, MS Access and VBScript are not my technologies of
|> choice, but merely what I was given to work with.  I also have very limited
|> control over administering IIS.
|>
|> John
|> www.recaffeinated.com
|>
|>
|>
|
|

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBW8y3BtvwQGcl/zERAn6OAJ4qBlIC96PtUFXvAIKHv6WAR9LIAACdGeJZ
x8kYrEV1CsS2dIFvvotLrYs=
=7FBt
-----END PGP SIGNATURE-----
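The pattern this thread converges on (keep the files outside the document root, hand the client only an opaque id, check the session and the ownership on every request, then send the bytes with explicit headers) carries the same hazards in any language: the id reaching the query unquoted, a stored name escaping the private directory, and a filename being dropped into a header. The following is an added example written for this archive, not code from James, robbin or John, and it is in Python rather than PHP, Perl or VBScript so that each check is explicit and the result can be run offline. The `docs` table, its rows, `FILES_DIR` and the `user` argument are all constructed assumptions; a real handler would take the user from the session and the directory from configuration.

```python
"""Authenticated file download from a directory outside the web root.

Added example (not code from the thread). Assumed: a `docs` table mapping an
integer doc_id to a stored file name and an owner, a private directory the
web server never serves directly, and a caller that has already established
the session user. All names are hypothetical.
"""
import re
import sqlite3
import tempfile
from pathlib import Path

# Minimal type map; a real server would use a fuller one or libmagic.
MIME_BY_EXT = {".pdf": "application/pdf", ".txt": "text/plain"}


class DownloadError(Exception):
    """Carries the HTTP status the handler should answer with."""
    def __init__(self, status: int, message: str) -> None:
        super().__init__(message)
        self.status = status


def open_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the real docs table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE docs (doc_id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    db.executemany("INSERT INTO docs VALUES (?, ?, ?)", [
        (1, "report.pdf", "alice"),
        (2, "../../../etc/passwd", "alice"),   # hostile row: traversal in the stored name
        (3, "notes.txt", "bob"),
    ])
    return db


def parse_doc_id(raw) -> int:
    """Accept only a plain positive integer; anything else never reaches SQL."""
    if not isinstance(raw, str) or not re.fullmatch(r"[1-9][0-9]*", raw):
        raise DownloadError(400, "invalid document id")
    return int(raw)


def lookup_name(db, doc_id: int, user: str) -> str:
    """Parameterised query plus ownership check; unknown and foreign ids look alike."""
    row = db.execute("SELECT name, owner FROM docs WHERE doc_id = ?", (doc_id,)).fetchone()
    if row is None or row[1] != user:
        raise DownloadError(404, "no such document")
    return row[0]


def resolve_under(files_dir: Path, name: str) -> Path:
    """Resolve the stored name and insist the result stays inside files_dir."""
    base = files_dir.resolve()
    target = (base / name).resolve()
    if base not in target.parents or not target.is_file():
        raise DownloadError(404, "no such document")
    return target


def content_disposition(name: str) -> str:
    """Leaf name only, reduced to a safe token so quotes or CR/LF cannot reach the header."""
    leaf = name.replace("\\", "/").rsplit("/", 1)[-1]
    safe = re.sub(r"[^A-Za-z0-9._-]", "_", leaf) or "download"
    return f'attachment; filename="{safe}"'


def serve(db, files_dir: Path, user, raw_doc_id):
    """Return (headers, body) or raise DownloadError with the status to send."""
    if user is None:
        raise DownloadError(401, "login required")
    doc_id = parse_doc_id(raw_doc_id)
    name = lookup_name(db, doc_id, user)
    path = resolve_under(files_dir, name)
    headers = {
        "Content-Type": MIME_BY_EXT.get(path.suffix.lower(), "application/octet-stream"),
        "Content-Disposition": content_disposition(name),
        "Content-Length": str(path.stat().st_size),
        "X-Content-Type-Options": "nosniff",   # stop browsers sniffing a PDF into HTML
    }
    return headers, path.read_bytes()


def run_demo() -> dict:
    """Exercise the handler against a constructed private directory; returns outcomes."""
    files_dir = Path(tempfile.mkdtemp(prefix="private_docs_"))
    (files_dir / "report.pdf").write_bytes(b"%PDF-1.4 sample")
    (files_dir / "notes.txt").write_text("bob only")
    db = open_db()

    def attempt(user, raw):
        try:
            return serve(db, files_dir, user, raw)
        except DownloadError as e:
            return e.status

    return {
        "ok": attempt("alice", "1"),                # (headers, body)
        "traversal": attempt("alice", "2"),         # 404: stored name escapes files_dir
        "other_user": attempt("alice", "3"),        # 404: belongs to bob
        "anon": attempt(None, "1"),                 # 401
        "injection": attempt("alice", "1 OR 1=1"),  # 400, before any SQL runs
    }


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(label, outcome if isinstance(outcome, int) else outcome[0])
```

Two choices are deliberate. The containment check runs on the resolved path rather than on the stored string, so symlinks and encoded dots are handled by the filesystem rather than by a blacklist, and a row that was tampered with in the database still cannot reach `/etc/passwd`. Unknown ids, other users' ids and escaped names all answer 404 alike, so an attacker enumerating ids learns nothing about which ones exist.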

