
how do I link to a file which is outside of my webroot directory.....


6 replies to this topic

#1 sambib

sambib
  • Members
  • Advanced Member
  • 35 posts

Posted 25 August 2006 - 02:10 AM

I've built a content management system which has a file upload page (for a newsletter) and for security purposes I want to have that folder outside of my webroot, though I can't get the file to download. Here's the line in the current download page (this page sits at the webroot):

echo "<td>Issue No: <a href=\"../uploads/{$row['upload_id']}.pdf\" target=\"_blank\">{$row['file_name']}</a></td>\n";

I've seen that you can write a download.php page and have that file sent using the page headers but I was wondering if I could just amend this script.

Can this be sorted with .htaccess, or is there some other way?

#2 jvalarta

jvalarta
  • Members
  • Advanced Member
  • 42 posts

Posted 25 August 2006 - 02:49 AM

If you are concerned that people could just path to the file, i.e. domain.com/path/to/your/files/file.blah ... then you could just config Apache to not allow this (don't allow files with certain extensions to be loaded). Then, you are secure, just use PHP to start the download -- and then you can auth the user to ensure they are legit to be downloading that file.

#3 sambib

sambib
  • Members
  • Advanced Member
  • 35 posts

Posted 25 August 2006 - 03:06 AM

"then you could just config Apache to not allow this (don't allow files with certain extensions to be loaded)"

Could you tell me where in the config this is....?

thanks!

#4 drkstr

drkstr
  • Members
  • Advanced Member
  • 66 posts
  • LocationSeattle, WA - USA

Posted 25 August 2006 - 03:13 AM

You can alias /uploads/ to the actual directory in the http.conf file. The location of this file could be different depending on your system. Mine is /etc/apache/http.conf

Then any time you link to /uploads/ it will go to the appropriate directory, but it will not be directly served by Apache (browsable).

regards,
...drkstr

#5 jvalarta

jvalarta
  • Members
  • Advanced Member
  • 42 posts

Posted 25 August 2006 - 03:52 AM

Adding this to your httpd.conf will prevent files with these extensions from being loaded directly:

# Refuse direct HTTP requests for any file whose name ends in .pdf
<Files ~ "\.pdf$">
  Order allow,deny
  Deny from all
  Satisfy All
</Files>

'...drkstr' is also correct, that's a good way to go also.

#6 sambib

sambib
  • Members
  • Advanced Member
  • 35 posts

Posted 25 August 2006 - 04:06 AM

thanks both of you...!

#7 Jenk

Jenk
  • Members
  • Advanced Member
  • 778 posts

Posted 25 August 2006 - 01:43 PM

Better to keep them out of the docroot and use PHP to serve the file. Take a look at readfile()
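
The approach recommended in the replies (files outside the docroot, PHP checks the user and streams the file with readfile()), as an added example that is not code from any poster in this thread. It assumes the PDFs are stored as `<upload_id>.pdf` in `../uploads` relative to the webroot, as in the original question, and that the CMS login sets a hypothetical `$_SESSION['user_id']`.

```php
<?php
// download.php - sits in the webroot; the PDFs do not.
// Assumptions (not from the thread): uploads live in ../uploads relative to
// this script, and a successful login sets $_SESSION['user_id'].
session_start();

const UPLOAD_DIR = __DIR__ . '/../uploads';

/** Map a numeric upload_id to a real file inside $dir, or return null. */
function resolve_upload(string $id, string $dir): ?string
{
    // Digits only: rejects "../", NUL bytes and anything else path-like.
    if (!preg_match('/^[0-9]{1,10}$/', $id)) {
        return null;
    }
    $base = realpath($dir);
    $path = realpath($dir . '/' . $id . '.pdf');
    // realpath() returns false for missing files and resolves symlinks,
    // so a link pointing outside the upload directory is refused too.
    if ($base === false || $path === false || !is_file($path)
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Only logged-in users may download.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Not authorised');
}

// A request such as ?id[]=1 yields an array; treat that as invalid input.
$id   = is_string($_GET['id'] ?? null) ? $_GET['id'] : '';
$path = resolve_upload($id, UPLOAD_DIR);
if ($path === null) {
    http_response_code(404);
    exit('No such issue');
}

// The download name is built from the validated id, never from user text.
header('Content-Type: application/pdf');
header('Content-Disposition: attachment; filename="issue-' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
exit;
```

The link on the listing page then points at `download.php?id={$row['upload_id']}` instead of at the PDF itself.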



