DjMikeWatt

Add a salt? I'm not sure what that means... (also could be because of my current state of... being at the moment. :-P

I learned a lot by buying a few site templates that I really liked from sites like templatemonster.com and 4templates.com... then I built those out, customizing everything along the way. I learn best by seeing how it's done, then figuring out *why* it works... if this style of learning works for you, then you might benefit from "reverse engineering" a few of these templates, too... most make heavy use of css and are well organized.

I think I may have a fairly simple solution to this. I'll use MD5 to encrypt the file name, much like I do with passwords. Have the page call the DB value, which will always be the long, 32 character encrypted string. So, even IF people go in to view source and try to see what's back there, they'll only have the path and some long random file name that wouldn't help in deducing what other files' names might be. I like it - feels very simple. I'm gonna give it a shot, but in the meantime, anyone think of any reason why this isn't go to work as expected? (This thread should probably be moved to server side/php now... ?)

Yeah, I'm actually really surprised that Apache doesn't have a simple solution for this, it seems like a very reasonable and common thing to want to do... "if a request for files in [media_directory], deny access unless request originates from [my_page.php]. I'm not trying to keep out hackers and professionals, just the average people who would be on the site...

This sounds like it makes sense... now I just have to make sure I'm following. My hosting account is on a shared server. My hosting accounts root lives at "http://wattproductions.com" - On the actual server, that "root" is actually at /home/content/d/j/m/[username]/html/ Now, I don't have access to anything above the "wattproductions.com" level - everything above "html" is out of range for me. This site I'm working on, however, uses domain aliasing - so it lives at "radioimaging101.com", which is in reality, at: wattproductions.com/sites/imaging101/ Can I use the same principle to place them simply above the /imaging101 directory, which is the http_root of this site?

I'm trying to follow you here... not quite there yet. I do use php, in fact, the files are called by php as it is now. The files are changed every month, they are stored in year and month specific directories, and the file names have the month, year, and indicator (v1, I2, I3, S4 - there are a total of 13 files each month) As it is right now, the video files are called by: /video/<?php echo date(Y).'/'.date(F).'/'.date(Y).'_'.date(F).'_v'.$v.'.flv';?> which renders as /video/2009/August/2009_August_v1.flv for example... where $v is determined by $_GET in the referring link. Audio files are very similar, but doesn't use the variable at the end, instead, each link using the above and inserting it's own indicator at the end, like: /audio/<?php echo date('Y').'/'.date('F').'/'.date('Y').'_'.date('F').'_I1.mp3';?> which renders as /audio/2009/August/2009_August_I1.mp3 for example... where "I1" is changed in each link (I2, I3, S1, S2, etc.) Now, having said all that, this naming convention is not set in stone - meaning, it's not too late for me to reconfigure the whole thing. But what I'm not following in your post, is this... even using a $_GET param to call the file, wouldn't the file path still be visible on the output.php page? I mean, if you loaded that page then clicked "view source" wouldn't you see the full path in there somewhere? If not, how would the page know what file to display without a path (even a dynamically generated one) somewhere in the code?

So why are you sending people to /filmo.php instead of just sending them to http://phyllisquek.com? I know that doesn't answer your question, I'm just curious.

Hi there... Having a hard time finding the best answer to this. I'm working on a site that allows access to media files (mp3|flv) through the site. The site is a subscription service and uses php sessions to authenticate users. All pages that contain media files are protected and require authentication for access. The problem is, if you subscribe for just a short time you would be able to figure out our naming conventions and paths to media (follow date structured directories). How can I prevent the file from being served outside of a particular page asking for it? Even more so, I need the paid users to be able to right-click save-as from that page, but still block access to anyone else trying to access it. I've looked into mod_rewrites and from what I understand that would only be effective against hot-linkers, but wouldn't do anything to stop someone from just typing into their browser: http://mysite.com/media/2009/August/media_file.flv I know there must be a way to do this, but I just don't know where to begin. Any help is much appreciated.

Sorry for the wasted post... I just saw my typo... no dot before the second "date(Y)". Solved!

I have: embed src="video/<?php echo (date(Y).'/'.date(F).'/'date(Y).'_'.date(F).'_'.$row_rs_video['account_id'].'_v'.$v.'.mov') ;?>" Where, $v is set earlier in the page and is either '1' or '2'. The $row_rs_video['account_id'] contains a numeric id from the DB. What I'm hoping to get is something like this: embed src="video/2009/August/2009_August_8_v2.mov The reason I'm posting is because I'm getting an "unexpected T_STRING" error on this line of code returned from the server when I run the page...

I'm new at all this, so this question is more for my own benefit than anything else... What's wrong with the HTML attribute "disabled"? Isn't that what it's for?

Well, I found this code somewhere else - it works, but I'm not really sure what I'm seeing, you know? I'm not content with it working, I want to know why it's working. date("F", strtotime("+1 month", time())) As far as example 3 on the php.net site, my questions are: What are the parameters in mktime()? Do the date(d) and date(Y) sections need to be there in a case where I'm only looking for the month (in date(F) format)?

So, if date(F) displays "August", how would I get it to display "September"? I've looked up date function and mktime function and I'm not quite following.

THAT DID IT!! So, for anyone struggling with having a user form submit and insert a record, here's a way to do it... I have no idea if it's the *best* way, or the *right* way, but it is definitely *a* way!

Okay, so I'm ALMOST there... could really use a hand with this last bit, though. I've gotten it to insert the record and upload the file. I'm using a hidden form on the upload script that inserts the record based on the fields submitted on the upload hmtl form and submitting that form when the upload script loads using js. <body onLoad="document.insert.submit()"> <?php $target = "audio/".$_POST['year']."/".$_POST['month']."/"; $target = $target . basename( $_FILES['piece_1']['name']) ; $ok=1; if(move_uploaded_file($_FILES['piece_1']['tmp_name'], $target)) { echo "The file ". basename( $_FILES['uploadedfile']['name']). " has been uploaded"; } else { echo "Sorry, there was a problem uploading your file."; } ?> </p> <form id="insert" name="insert" method="POST" action="<?php echo $editFormAction; ?>"> <input name="account_id" type="hidden" id="account_id" value="<?php echo $_POST['account_id'] ; ?>" /> <input name="year" type="hidden" id="year" value="<?php echo $_POST['year'] ; ?>" /> <input name="month" type="hidden" id="month" value="<?php echo $_POST['month'] ; ?>" /> <input name="txt_piece_1" type="hidden" id="txt_piece_1" value="<?php echo $_POST['txt_piece_1'] ; ?>" /> <input name="piece_1" type="hidden" id="piece_1" value="<?php echo $_POST['piece_1'] ; ?>" /> <br /> <input type="hidden" name="MM_insert" value="form1" /> </form> My ONLY remaining problem is that one of the fields in db is supposed to be the name of the file. If the user uploads "sample1.mp3", then I want the field "piece_1" to have the varchar value of "sample1.mp3". It appears that file fields do not pass this info along in the standard way (I can't just call it like I would a normal form field - returns null). Can I use php to call that value? Like maybe something like: <?php echo $_FILES['piece_1']['name']; ?> (I'm sorry if this is obvious - Like I'm answering my own questions... It helps me a lot to work things out on boards like this - and, my hope is, that "showing my work" will help others who visit the board later looking for answers like this!)

You see, the code on my upload script looks like this (and works just fine): <?php $target = "audio/".$_POST['year']."/".$_POST['month']."/"; $target = $target . basename( $_FILES['piece_1']['name']) ; $ok=1; if(move_uploaded_file($_FILES['piece_1']['tmp_name'], $target)) { echo "The file ". basename( $_FILES['uploadedfile']['name']). " has been uploaded"; } else { echo "Sorry, there was a problem uploading your file."; } ?> The problem is that I don't know how to add an INSERT behavior to the submitting page, because when I do, the upload no longer functions. It inserts the record, but the file no longer makes it to its destination... seems to be a "one or the other" situation - I know there's a way to do this. I just can't get it.

Thanks for the reply. In this case, the files would never be deleted - they'll be left on the server indefinitely as part of an archive. And as far as the file name, it's not necessary for me to rename it. The reason being that the file is uploaded, and the file's name is inserted into a column in the DB... the php script that displays the file on the page uses that DB to recall the file. So, for example, these are all MP3s I'm talking about. I have a column called "piece_1" and that value may be "sample_1.mp3" or "wehfweoih.mp3." When the page goes to display that file, it's displaying $row_selected['piece_1'], so the file's name is irrelevant. I think that all makes sense, anyway. :-)

Hi everyone... I've recently just started working with php file upload scripts... I have a simple one working, but now I need to do something a little more complicated and I'm hoping to get some help... Example code is very useful to me - I learn best by seeing it, and then sort of reverse engineering the code. Here's the situation: An upload form that allows the user to choose a year from a menu, a month from another menu, enter a short description in a text field, then choose a file from the file upload field. Now, the point is that the script uploads the file to a directory based on the year and month chosen in the field (i.e. "/audio/2009/August/". I also need the description and file name (as uploaded) entered into a MySQL DB (so that the file can be located later using a DB query.) So, is this going to be as complicated as it seems? Help is appreciated. +mf

Can I use this to accomplish assigning a value to u.id? $uid = $_row_rs_user['id']; SELECT * FROM downloads d INNER JOIN users u ON d.account_id=u.id WHERE d.year = '$year' AND d.month = '$month' AND u.id = '$uid' Would this work as long as the recordset "rs_user" is first on the page (above this new query)?

Well the trouble with joins is that I never learned how to do them properly and with my half-assed guesswork sometimes I'm lucky and sometimes I'm not. The scenario: Table 1: "users" -- columns: id, name, phone, etc... Table 2: "downloads" -- columns: account_id, year, month, link, etc. I am trying to do a query that checks the year and month columns of table 2 against variables (successfully done this), and then also check the "account_id" of any matching records against the "id" in the users table; returning only those results that satisfy all three. I tried this: mysql_select_db($database_imaging101, $imaging101); $query_rs_downloads = "SELECT * FROM downloads, users WHERE `year` = '$year' AND `month` = '$month' AND downloads.account_id = users.id"; $rs_downloads = mysql_query($query_rs_downloads, $imaging101) or die(mysql_error()); $row_rs_downloads = mysql_fetch_assoc($rs_downloads); $totalRows_rs_downloads = mysql_num_rows($rs_downloads); And while it seems to get the month and year part right, it also returned an item with "account_id" of "1" when I was logged in with an account that has "users.id" of "2"... Suggestions?

That's a fine question! I don't really have an answer. I suppose it's because I don't know what would be a better way. That's not to say that there ISN'T a better way, I'm just self-taught and only know so much. What would you suggest as a better way? I know the date function is extremely flexible, but I've always had a tough time with it...

ADDITION: I think I may have fixed the problem by adding single quotes around the $month/$year variables in Where clause... could that have been the issue?

I have a table in a DB which has "year" and "month" among it's columns. These are indicators of when the item (record) was created and are set manually (varchar). I want to query the DB and return only those results from the current month/year. So, right now, for example, only those records that have "2009" in "year" and "July" in "month." Right now I have: $year = date('Y'); $month = date('F'); -------------------------------------------------------- mysql_select_db($database_imaging101, $imaging101); $query_rs_downloads = "SELECT * FROM downloads, users WHERE `year` = $year AND `month` = $month AND `account_id` = users.id"; $rs_downloads = mysql_query($query_rs_downloads, $imaging101) or die(mysql_error()); $row_rs_downloads = mysql_fetch_assoc($rs_downloads); $totalRows_rs_downloads = mysql_num_rows($rs_downloads); When I test the page, the browser says "Unknown column 'July' in Where clause" I've looked to see where I may have set the wrong variable in the Where clause, but I don't see where I've indicated $month as a column... what am I missing? Any help is, as always, greatly appreciated!

COREYE, THORPE, and NIGHTSLYR, Thank you... all very useful and constructive info... This is by far one of the best PHP boards to ask questions in... thank you for the help.

That worked perfectly... so besides cleaning it up a little, the main thing you did was "==" instead of "=". Is that determining factor here? How do I know when to use "==" and when to use "="? Thank you, by the way.