But what if you have huge files, won't they slow down your server?
And isn't the download-time of the file then limited to the
maximum-execution-time of a php-script?
Ian.H [dS] wrote:
> Whilst lounging around on 5 Aug 2003 08:23:11 -0700,
> dtashleyesrg.org (David T. Ashley) amazingly managed to produce the
> following with their Etch-A-Sketch:
>>How can I hide the "origin" of a file so that a user can't get to
>>it except for through PHP? Here is the scenario:
>>I have an issues database where with each issue a user might attach
>>relevant files. A typical file might be a .PDF or .ZIP file.
>>These files would be uploaded to the server via POST, under PHP
>>To store the files, the mechanism I had in mind was to use two
>>prime numbers to hash the file down into a directory based on a
>>database index (for performance reasons), so a file myfile.pdf
>>might be at this location:
>>I would envision that the entire directory structure
>>/var/www/htdocs and below is visible to an Apache server.
>>Uploading is easy, but ...
>>When a user retrieves the file, a database would present a
>>hyperlink to him with the link
>>The problem is that even after the user is done retrieving the file
>>via a link presented to him, he can still get to that file later
>>directly using the URL. He can also "fish" around in the directory
>>structure and perhaps find files that he should not view.
>>What is the best way to present files (with information stored in a
>>MySQL database) so that the user can get to files only at the time
>>the download link is presented to him and also only those files!
> Store the files outside of the Web accessible directory, read the
> file and send with the relevant mime-type header.
> I've just implementing / implemented this as a phpBB mod on a forum..
> although I have user definable mime-types in mysql, you could
> hardcode these according to the file extension. Then the only way
> someone could attempt to get it would be as
> yourdomain.com/../files/foo.pdf which wouldn't work as the docroot
> would prevent it.. but your PHP script can read from that dir and
> present the file to the user so that the URL would have to be
> yourdomain.com/dload.php?id=1 for example.. nothing else would work.
> You also have some control then as to who has access too (could be
> limited to members only for example if that's how your site is run
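A sketch of the `dload.php?id=1` approach described in the quoted reply, as an added example that is not code from either poster or from the phpBB mod mentioned. The storage directory `/var/www/files`, the `$files` array standing in for the MySQL table, and the `user_id` session key are assumptions made for illustration.

```php
<?php
// dload.php?id=N : serve an attachment stored outside the docroot.
declare(strict_types=1);
session_start();

// Assumed location, a sibling of the docroot /var/www/htdocs, so no URL maps to it.
const STORAGE_DIR = '/var/www/files';

// Constructed sample row; in the scenario above this comes from the MySQL database.
// Files are stored under a server-chosen name, never the uploaded filename.
$files = [
    1 => ['path' => '17/23/1.bin', 'name' => 'myfile.pdf', 'mime' => 'application/pdf'],
];

function fail(int $code): void
{
    http_response_code($code);
    exit;
}

// Members only: 'user_id' is a hypothetical key set by the site's login code.
if (empty($_SESSION['user_id'])) {
    fail(403);
}

// The only client input is an integer id; no path ever comes from the request.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if (!is_int($id) || !isset($files[$id])) {
    fail(404);
}
$row = $files[$id];

// Defence in depth: the resolved path must still sit inside STORAGE_DIR.
$base = realpath(STORAGE_DIR);
$full = realpath(STORAGE_DIR . '/' . $row['path']);
if ($base === false || $full === false || !is_file($full)
    || strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
    fail(404);
}

header('Content-Type: ' . $row['mime']);
header('Content-Length: ' . filesize($full));
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="'
    . preg_replace('/[^A-Za-z0-9._-]/', '_', $row['name']) . '"');

// Stream in fixed-size chunks so memory use does not grow with file size.
while (ob_get_level() > 0) {
    ob_end_clean();
}
$fh = fopen($full, 'rb');
while (!feof($fh)) {
    echo fread($fh, 8192);
    flush();
}
fclose($fh);
```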