how do I link to a file which is outside of my webroot directory.....

[sambib]

I've built a content management system which has a file upload page (for a newsletter) and for security purposes I want to have that folder outside of my webroot, though I can't get the file to download. Here's the line in the current download page (this page sits at the webroot):

echo "<td>Issue No: <a href=\"../uploads/{$row['upload_id']}.pdf\" target=\"_blank\">{$row['file_name']}</a></td>\n";

I've seen that you can write a download.php page and have that file sent using the page headers but I was wondering if I could just amend this script.

can this be sorted with .htaccess, or is there some other way?

[jvalarta]

If you are concerned that people could just path to the file, i.e. domain.com/path/to/your/files/file.blah ... then you could just config apache to not allow this (dont allow files with certain extensions to be loaded. Then, you are secure, just use PHP to start the download -- and then you can auth the user to ensure they are legit to be downloading that file.

[sambib]

"then you could just config apache to not allow this (dont allow files with certain extensions to be loaded"


could you tell me where in the config this is....?

thanks!

[drkstr]

You can alias /uploads/ to the actual directory in the http.conf file. The location of this file could be different depending on you system. Mine is /etc/apache/http.conf

Then any time you link to /uploads/ it will go to the apropriate directory, but it will not be sirectly served by apache (browsable)

regards,
...drkstr

[jvalarta]

Adding this to your httpd.conf will prevent files with these extensions from being loaded directly:

<Files ~ ".pdf$">
  Order allow,deny
  Deny from all
  Satisfy All
</Files>

'...drkstr' is also correct, that's a good way to go also.

[sambib]

thanks both of you...!

[Jenk]

better to keep them out of the docroot and use php to serve the file.. take a look at readfile()