Hiding a link to binary file for download

cliff at cliffmeyers.com cliff at cliffmeyers.com
Wed Aug 20 16:09:00 EDT 2003


Dave,


If the page is typically reached via a form that utilizes the POST method, they
probably can't bookmark the URL to download the file.  However, if you wanted to
be especially sure they couldn't bookmark the page, try something like this:

(1)  User logs in via authentication method
(2)  User fills out form
(3)  Form submits to a page that populates a session variable holding the desired
file name to be downloaded
(4)  PHP scripts forward to the download script, which reads that session
variable and then feeds the user the appropriate file as Mark described

By the way, be careful that you check the value of the variable that fopen is
using.  If someone was very clever, they could hack the form variable that's
passed to be something like this:

../../../../../../etc/passwd

and then begin downloading arbitrary system files.  If you use the basename() PHP
function it will return just the file component of a directory path, which is
usually a good first step to clean up that variable.


-Cliff


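The download script from the steps above, with the basename() check, as an added example (it is not code from this thread or from any of its posters). It assumes a form-handling script has already done session_start() and stored the submitted name in $_SESSION['download_file'] before redirecting here, that the web server's DCE/Kerberos authentication has set $_SERVER['REMOTE_USER'], and that the files live under a directory called /var/www/downloads; the directory, the log path and the session key name are all hypothetical.

```php
<?php
// download.php: serves the file whose name the form handler placed in the
// session, following the session-variable scheme described above.
// Assumptions (not from the thread): the form handler stored the requested
// name in $_SESSION['download_file'], the web server already authenticated
// the user and set $_SERVER['REMOTE_USER'], and downloadable files live in
// /var/www/downloads (hypothetical path).

session_start();

define('DOWNLOAD_DIR', '/var/www/downloads');   // hypothetical directory
define('LOG_FILE', '/var/log/downloads.log');   // hypothetical log path

function resolve_download(string $requested, string $dir): ?string
{
    // basename() drops every directory component, so a submitted value such
    // as "../../../../etc/passwd" collapses to "passwd" and can no longer
    // point outside $dir.
    $name = basename($requested);
    if ($name === '' || $name[0] === '.') {
        return null;                       // reject empty names and dot-files
    }
    $path = realpath($dir . '/' . $name);
    // realpath() follows symlinks; insist the resolved file is still in $dir.
    if ($path === false || strpos($path, realpath($dir) . '/') !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

// 1. The web server's authentication must have run before we got here.
$user = $_SERVER['REMOTE_USER'] ?? '';
if ($user === '') {
    http_response_code(403);
    exit('authentication required');
}

// 2. The file name comes only from the session, never from the query string,
//    and is consumed on first use so a bookmark of this URL fetches nothing.
$requested = $_SESSION['download_file'] ?? '';
unset($_SESSION['download_file']);
if ($requested === '') {
    http_response_code(400);
    exit('submit the form first');
}

$path = resolve_download($requested, DOWNLOAD_DIR);
if ($path === null) {
    http_response_code(404);
    exit('no such file');
}

// 3. Record who fetched which file.
file_put_contents(LOG_FILE,
    sprintf("%s %s %s\n", date('c'), $user, basename($path)), FILE_APPEND);

// 4. Stream the file: the fopen()/fpassthru() pair from the thread, with an
//    explicit read-only binary mode and download headers.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
$fp = fopen($path, 'rb');
fpassthru($fp);
fclose($fp);
```

The form handler's side is just `session_start(); $_SESSION['download_file'] = $_POST['file']; header('Location: download.php');` after the form validates. The realpath() comparison is the second half of the check that basename() starts: basename() stops traversal in the submitted string, and realpath() stops a symlink inside the download directory from reaching outside it.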

On Wed, 20 Aug 2003 15:24:06 -0400 (EDT), David Dudek wrote:

> 
> Okay, but then won't they just bookmark that link and get the file while
> bypassing the form?
> 
> -- 
> David Thomas Dudek     http://www.buffalo.edu/~dudek/
> 
> On Wed, 20 Aug 2003, Mark Musone wrote:
> 
> > Date: Wed, 20 Aug 2003 14:33:00 -0400
> > From: Mark Musone <mmusone at shatterit.com>
> > Reply-To: nflug at nflug.org
> > To: nflug at nflug.org
> > Subject: RE: Hiding a link to binary file for download
> >
> > Umm...well, it's really whatever page you want it to be..
> > Just put the php code in the page you want the person to think they are
> > downloading from..
> >
> >
> >
> > -----Original Message-----
> > From: owner-nflug at nflug.org [mailto:owner-nflug at nflug.org] On Behalf Of
> > David Dudek
> > Sent: Wednesday, August 20, 2003 1:33 PM
> > To: nflug at nflug.org
> > Subject: RE: Hiding a link to binary file for download
> >
> > Thanks!  Would this page be the same one that they arrive to AFTER they
> > fill out the form?
> >
> > --
> > David Thomas Dudek     http://www.buffalo.edu/~dudek/
> >
> > On Wed, 20 Aug 2003, Mark Musone wrote:
> >
> > > Date: Wed, 20 Aug 2003 12:57:10 -0400
> > > From: Mark Musone <mmusone at shatterit.com>
> > > Reply-To: nflug at nflug.org
> > > To: nflug at nflug.org
> > > Subject: RE: Hiding a link to binary file for download
> > >
> > > This is a fairly common use of php.
> > >
> > > What you'll want to do is use a combination of fopen(), to open the file,
> > > and then fpassthru(), which outputs the file to the user's browser..
> > >
> > > The user thinks they are accessing http://www.domain.com/myscript.php
> > >
> > >
> > > But in myscript.php, it has
> > >
> > > <?php
> > >
> > > // open the file read-only in binary mode and stream it to the browser
> > > $fp = fopen("myfile", "rb");
> > > fpassthru($fp);
> > > fclose($fp);
> > > ?>
> > >
> > >
> > > -----Original Message-----
> > > From: owner-nflug at nflug.org [mailto:owner-nflug at nflug.org] On Behalf Of
> > > David Dudek
> > > Sent: Wednesday, August 20, 2003 11:13 AM
> > > To: nflug at nflug.org
> > > Subject: PHP: Hiding a link to binary file for download
> > >
> > > Here's a question for Mark or anyone else who cares to answer:
> > >
> > > I want to set up a webpage that will allow me to log who is downloading
> > > certain binary files from a web site.  I intend to do this by having a
> > > page that a user has to authenticate to, in my case by DCE/Kerberos, so
> > > that the $REMOTE_USER environment variable is assigned.  I know how to do
> > > that part.  I might have the user then fill out a form for some info.
> > > But then (here's the part I don't know about) I want to redirect the user
> > > to the URL for a binary file download, but I don't want the user to see
> > > the direct URL.  In other words, I don't want users to be able to bypass
> > > my form to download the file.
> > >
> > > Any ideas?
> > >
> > > --
> > > David Thomas Dudek     http://www.buffalo.edu/~dudek/
> > >
> > > ---
> > > Incoming mail is certified Virus Free.
> > > Checked by AVG anti-virus system (http://www.grisoft.com).
> > > Version: 6.0.510 / Virus Database: 307 - Release Date: 8/14/2003
> > >
> > >
> > > ---
> > > Outgoing mail is certified Virus Free.
> > > Checked by AVG anti-virus system (http://www.grisoft.com).
> > > Version: 6.0.510 / Virus Database: 307 - Release Date: 8/14/2003
> > >
> > >
> > >
> > >
> >