
include?


Post by Sleeping_Sloth » Fri Mar 14, 2003 8:49 am

Hello everyone...

I've been developing a simple SQL database accessed using PHP. My problem is that I need to prevent users accessing particular files (.htm and .swf) directly using a browser. To this end, I have used an INCLUDE command to call the relevant file(s) from inside the PHP. However, no matter what way I try to set up the access permissions on the directories involved, I am left with either a totally non-secure directory, or one that I can view neither by browser nor via PHP. Can anyone offer any help on this subject? I'm tearing my hair out!
Thanks all,
Sleeping_Sloth
Sleeping_Sloth
New php-forum User
Posts: 9
Joined: Wed Jan 08, 2003 2:43 pm

Post by Xerpher » Fri Mar 14, 2003 12:30 pm

You could move all your private files outside your public http directory and make a standalone script that you can use to access them via header() and readfile() but also have an if statement in it like
if ($access_allowed){ /* headers and readfile goes here */ }
and define $access_allowed as true in the script you're calling from; that way people can't access it alone, but your script can.
Xerpher
New php-forum User
Posts: 164
Joined: Tue Aug 27, 2002 8:25 pm
Location: Ontario, Canada

Post by Sleeping_Sloth » Sun Mar 16, 2003 4:50 pm

Could you be a bit more specific about what the standalone would need to include please? I'm a bit new to unix scripting...
Thanks
Sleeping_sloth
Sleeping_Sloth
New php-forum User
Posts: 9
Joined: Wed Jan 08, 2003 2:43 pm

Post by Xerpher » Sun Mar 16, 2003 6:11 pm

OK, here goes :), first thing you do is move those files to a new directory outside the public directory of your server so that nobody can access them. Next you make a php script that is done like this...
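Code:
<?php
// $fileaccess must be set to boolean true by the script that includes this file;
// "=== true" rejects a string injected through the query string (register_globals).
$name = isset($_GET['filename']) ? basename(stripslashes($_GET['filename'])) : '';
$secure_dir = '/path/to/new/directory/';
$path = $secure_dir.$name;   // basename() above keeps "../" from escaping $secure_dir
if (isset($fileaccess) && $fileaccess === true && is_file($path)){
   header("Content-type: application/octet-stream");
   header("Content-length: ".filesize($path));
   readfile($path);
} else echo('Access Denied');
?>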

Now anytime you want your content, define $fileaccess = true; in your other scripts and make sure you fix $secure_dir to where you're putting all the files. If you wanted intro.swf, you would put " file.php?filename=intro.swf " (without the quotes :P) as the url to the file. (This example only works if the above code is in a file named 'file.php').
Xerpher
New php-forum User
Posts: 164
Joined: Tue Aug 27, 2002 8:25 pm
Location: Ontario, Canada

Post by Sleeping_Sloth » Mon Mar 17, 2003 6:22 am

Thanks very much....

I've set that up now, but because the .swf is embedded in html, the .swf won't load.

Do you have any suggestions about getting the embedded .swf working?

Thanks again,
Sleeping_Sloth
Sleeping_Sloth
New php-forum User
Posts: 9
Joined: Wed Jan 08, 2003 2:43 pm

Post by Xerpher » Mon Mar 17, 2003 3:14 pm

I don't know much at all about flash so I don't even know what you mean about it being embedded... :oops:
Xerpher
New php-forum User
Posts: 164
Joined: Tue Aug 27, 2002 8:25 pm
Location: Ontario, Canada

Post by Sleeping_Sloth » Tue Mar 18, 2003 8:32 am

Thanks for your continued support Xerpher... :D

The embedded .swf file needs to be called as a .html object, and can't be opened as it is - a fileopen on a .swf without the relevant object bits just gives a big mess of hext or something.

I had already considered putting the .swfs in the database, but this can't be done because the .swf is referenced twice in the html object tag- once to identify the file, and a second time to insert the contents.

I'm just about at my wits end about this! - there must be some way of doing what I want, but I don't know what it is!

Any suggestion will be much appreciated!

Thanks,
Sloth out
Sleeping_Sloth
New php-forum User
Posts: 9
Joined: Wed Jan 08, 2003 2:43 pm

Post by Xerpher » Tue Mar 18, 2003 1:11 pm

If I understand you correctly, you just put "file.php?filename=intro.swf" where you would put the link to the swf file in the html code... this php script does NOT force a download.
Xerpher
New php-forum User
Posts: 164
Joined: Tue Aug 27, 2002 8:25 pm
Location: Ontario, Canada

Post by Sleeping_Sloth » Tue Mar 18, 2003 4:31 pm

Okay, I just have one question then...

How do I set $file_access so that the file.php script will accept it - wouldn't that value have to be passed to file.php?

Thanks again,
Sloth out
Sleeping_Sloth
New php-forum User
Posts: 9
Joined: Wed Jan 08, 2003 2:43 pm

Post by Xerpher » Tue Mar 18, 2003 5:03 pm

Oh yea, forgot about the security statement... best way to do that is to set a session variable in your site or.... hm, in this case you would have to make an elaborate session & $_SERVER vars authentication system, or something along those lines, which is more work than I have time for right now, so basically, I can only suggest this which is basically a forced security hole for swf files:

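Code:
<?php
// Any .swf is served without the $fileaccess check (the forced hole described above);
// every other file still needs $fileaccess set to true by the including script.
$name = isset($_GET['filename']) ? basename(stripslashes($_GET['filename'])) : '';
$secure_dir = '/path/to/new/directory/';
$path = $secure_dir.$name;   // basename() above keeps "../" from escaping $secure_dir
if (is_file($path) && ((isset($fileaccess) && $fileaccess === true) || substr($name, -3) == 'swf')){
   header("Content-type: application/octet-stream");
   header("Content-length: ".filesize($path));
   readfile($path);
} else echo('Access Denied');
?>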
Xerpher
New php-forum User
Posts: 164
Joined: Tue Aug 27, 2002 8:25 pm
Location: Ontario, Canada
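
The session-variable approach mentioned in the last post, as an added example that is not part of the original thread and not any poster's code. The session key `file_access`, the `$types` whitelist and the `deny()` helper are assumptions; the site's own pages are assumed to call `session_start()` and set `$_SESSION['file_access'] = true` for visitors allowed to see the content.

```php
<?php
// file.php - added example: session-gated delivery of files kept outside the web root.
// Assumption: the site's pages set $_SESSION['file_access'] = true for allowed visitors.
session_start();

$secure_dir = '/path/to/new/directory/';      // placeholder path, as in the thread
$types = array(                               // only these extensions are served
    'swf' => 'application/x-shockwave-flash',
    'htm' => 'text/html',
);

function deny($code, $msg) {
    http_response_code($code);
    header('Content-Type: text/plain');
    exit($msg);
}

// 1. The flag lives in server-side session data, so a visitor cannot set it
//    through the query string the way a plain global variable could be set.
if (empty($_SESSION['file_access'])) {
    deny(403, 'Access Denied');
}

// 2. Reduce the request to a bare file name, then confirm the resolved path
//    is still inside $secure_dir (catches "../" sequences and symlinks).
$name = isset($_GET['filename']) ? basename($_GET['filename']) : '';
$base = realpath($secure_dir);
$path = realpath($secure_dir . $name);
if ($name === '' || $base === false || $path === false
    || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
    || !is_file($path)) {
    deny(404, 'Not found');
}

// 3. Serve only whitelisted types, with the matching Content-Type, so that a
//    same-site embed of file.php?filename=intro.swf is delivered as Flash.
$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
if (!isset($types[$ext])) {
    deny(403, 'Access Denied');
}
header('Content-Type: ' . $types[$ext]);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Because the browser sends the session cookie with the request that an embedded object makes to the same site, the check passes for content loaded from a page the visitor is allowed to see and fails for a direct request from a visitor without that session.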

