
This topic is now archived and is closed to further replies.

sambib

how do I link to a file which is outside of my webroot directory.....


I've built a content management system which has a file upload page (for a newsletter) and for security purposes I want to have that folder outside of my webroot, though I can't get the file to download. Here's the line in the current download page (this page sits at the webroot):

echo "<td>Issue No: <a href=\"../uploads/{$row['upload_id']}.pdf\" target=\"_blank\">{$row['file_name']}</a></td>\n";

I've seen that you can write a download.php page and have that file sent using the page headers but I was wondering if I could just amend this script.

Can this be sorted with .htaccess, or is there some other way?

If you are concerned that people could just path to the file, i.e. domain.com/path/to/your/files/file.blah ... then you could just config Apache to not allow this (don't allow files with certain extensions to be loaded). Then, you are secure, just use PHP to start the download -- and then you can auth the user to ensure they are legit to be downloading that file.

"then you could just config Apache to not allow this (don't allow files with certain extensions to be loaded)"

Could you tell me where in the config this is?

thanks!

You can alias /uploads/ to the actual directory in the http.conf file. The location of this file could be different depending on your system. Mine is /etc/apache/http.conf

Then any time you link to /uploads/ it will go to the appropriate directory, but it will not be directly served by Apache (browsable).

regards,
...drkstr

Adding this to your httpd.conf will prevent files with these extensions from being loaded directly:

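# Deny direct HTTP requests for any file whose name ends in .pdf
# (Apache 2.2-style access control; the dot is escaped so it matches literally)
<Files ~ "\.pdf$">
  Order allow,deny
  Deny from all
  Satisfy All
</Files>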

'...drkstr' is also correct, that's a good way to go also.

Better to keep them out of the docroot and use PHP to serve the file. Take a look at readfile()
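
A minimal download.php along the lines suggested in this thread (PDFs kept outside the docroot, sent with readfile() after an authorization check), as an added example that is not code from any poster. The upload directory path and the `$_SESSION['user_id']` login check are assumptions; the `<upload_id>.pdf` naming follows the original question.

```php
<?php
// download.php (added example): this script sits in the webroot, the PDFs do not.
// Assumptions: files are stored as <upload_id>.pdf in UPLOAD_DIR, and the CMS
// login sets $_SESSION['user_id'] (hypothetical session key).
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/private/uploads'; // assumed path outside the docroot

/** Resolve an upload id to a real file inside $baseDir, or return null. */
function resolve_upload(string $baseDir, string $id): ?string
{
    // upload_id must be a plain integer; this rejects "../", NUL bytes, etc.
    if (!ctype_digit($id)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $id . '.pdf');
    // realpath() returns false for missing files and resolves symlinks, so the
    // prefix check also catches a symlink that points out of the upload folder.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($path)) {
        return null;
    }
    return $path;
}

session_start();
if (empty($_SESSION['user_id'])) {   // only logged-in users may download
    http_response_code(403);
    exit('Forbidden');
}

$id   = $_GET['id'] ?? '';           // may be an array if sent as id[]=...
$path = is_string($id) ? resolve_upload(UPLOAD_DIR, $id) : null;
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

// Fixed content type and a server-chosen filename: nothing user-supplied
// reaches the response headers.
header('Content-Type: application/pdf');
header('Content-Disposition: attachment; filename="issue-' . basename($path) . '"');
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

The listing page would then link to `download.php?id=<upload_id>` instead of `../uploads/<upload_id>.pdf`.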
