Comments on: Loading files from the outside of htdocs / Forcing download http://www.betriebsraum.de/blog/2005/10/19/loading-files-from-the-outside-of-htdocs-and-forcing-download/ Rich Internet Applications, Software Development, Human-Computer Interaction Tue, 15 Nov 2011 08:03:44 +0000 hourly 1 http://wordpress.org/?v=3.3 By: christoph http://www.betriebsraum.de/blog/2005/10/19/loading-files-from-the-outside-of-htdocs-and-forcing-download/comment-page-1/#comment-20 christoph Wed, 19 Oct 2005 13:40:37 +0000 http://www.betriebsraum.de/blog/2005/10/19/loading-files-from-the-outside-of-htdocs-and-forcing-download/#comment-20 You are right but this was just a simple example. In an application where files must be protected, you would have to check the permisson first. A more "polished" version can be found at <a href="http://www.zend.com/zend/trick/tricks-august-2001.php">Zend.com</a>. You are right but this was just a simple example. In an application where files must be protected, you would have to check the permisson first.
A more “polished” version can be found at Zend.com.

]]> By: Pedro http://www.betriebsraum.de/blog/2005/10/19/loading-files-from-the-outside-of-htdocs-and-forcing-download/comment-page-1/#comment-19 Pedro Wed, 19 Oct 2005 12:46:24 +0000 http://www.betriebsraum.de/blog/2005/10/19/loading-files-from-the-outside-of-htdocs-and-forcing-download/#comment-19 <em>for example if you don’t want unauthorized users to download your files by entering the url into the browser directly</em> Of course, it should be made clear that users could still acess the file using the "readFile.php?filename=myFile.swf" URL. Also note the path to the file shouldn't be input from the URL, just a reference to which one is taken -- otherwise you're opening yourself up for a vast array of attacks involving unauthorized access to files in your web server. The technique is still valid, just needs a bit polish, IMHO. Cheers! for example if you don’t want unauthorized users to download your files by entering the url into the browser directly

Of course, it should be made clear that users could still acess the file using the “readFile.php?filename=myFile.swf” URL. Also note the path to the file shouldn’t be input from the URL, just a reference to which one is taken — otherwise you’re opening yourself up for a vast array of attacks involving unauthorized access to files in your web server.

The technique is still valid, just needs a bit polish, IMHO.

Cheers!

]]>