
[nycphp-talk] Single-Logon User Authentication, PHP and viewing non-ASCII

Brian Pang bpang at bpang.com
Mon Aug 18 17:17:42 EDT 2003


try using readdir() after making the same authentication checks

note: you would probably want to have the files and directory outside of
the httpd directories so that no one would be able to access them by
directly inputting the path and filename.

and, when returning the results of readdir(), exclude the parent dir
(..) so people won't have a way to work their way up the tree, etc...
(unless you want them to)



> I looked up fpassthru online and how to set the headers.  Your solution
> sounds fine for hopefully viewing a single file, but how about producing a
> list of files for display?
> 
> Thanx
> Phil
> 
> ----- Original Message ----- 
> From: "Brian Pang" <bpang at bpang.com>
> To: "NYPHP Talk" <talk at lists.nyphp.org>
> Sent: Monday, August 18, 2003 3:26 PM
> Subject: Re: [nycphp-talk] Single-Logon User Authentication,PHP and viewing
> non-ASCII
> 
> 
> > I use a function which invokes fpassthru
> >
> > first I check to make sure the user has the right privileges, if so,
> > then pass the file thru...
> >
> > the link to the file might end up being something like
> >
> > fileGetter.php?filename=word.doc
> >
> > just remember to properly set the headers
> >
> >
> >
> >
> >
> > >
> > >
> > > This challenge is beyond me, as it seems to be the case.
> > >
> > > I am having to set up a user-authentication script that is basic
> > logon/registration process.  mySQL db captures username, password, and
> > other important fields such as their payment category and isAdmin (if
> > they are an admin on the site).  Once stored they will be able to login
> > once payment category is '4' (which means 'PAID').
> > >
> > > Upon being able to login, one of the features any user, admin or not,
> > can do is to view restricted files in the /web/contents folder.  They
> > can view the list or click onto a link and view the file itself
> > (assuming it's a url-friendly file like .txt or .doc or .pdf or
> something).
> > >
> > > Here's where I am totally stuck.
> > >
> > > The /web/contents folder must be locked down so that the outside world
> > cannot view it; only authenticated users must view it.  Problem is, by
> > doing that I force a double-login since that would involve using
> > .htaccess on the folder.  (Note, I was told mySQL has a means of
> > interfacing with .htaccess, however, that too would fail because the
> > requirements for login involve username, password, isAdmin and
> > payment_category all being set to certain values).
> > >
> > > I thought of locking down the folder to 700 and each script uploaded
> > to 600 (using TCL CGI instead of PHP to do the actual uploading),
> > however, how would I be able to allow for users to VIEW non-ASCII files
> > (like .doc or .pdf)?
> > >
> > > Has anyone faced anything like that, if so, please let me know.
> > >
> > > Thanx
> > > Phil
> > >
> >
> >
> >
> > _______________________________________________
> > talk mailing list
> > talk at lists.nyphp.org
> > http://lists.nyphp.org/mailman/listinfo/talk
> 
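Putting Brian's two replies together (gate the request on the same check the login does, serve the file with fpassthru and explicit headers, list the directory with readdir while dropping ".." and anything outside it), here is one way to write that fileGetter.php. This is an added example, not code posted in the thread; it assumes a current PHP, that the login script has already stored the user's database row in $_SESSION['user'], that the files live in /web/contents outside DocumentRoot as Phil described, and that payment_category 4 means PAID. The field names are hypothetical and must match your schema.

```php
<?php
// Added example, not from the original thread. Assumes the login script
// stored the user's row in $_SESSION['user'] and that /web/contents is
// outside the web server's document root (hypothetical layout).
declare(strict_types=1);

const CONTENT_DIR = '/web/contents';

// Same gate the login page applies: logged in and payment_category == 4 (PAID).
function userMayView(array $user): bool
{
    return isset($user['username'], $user['payment_category'])
        && (int) $user['payment_category'] === 4;
}

// Map a user-supplied name to a real file inside CONTENT_DIR, or null.
// basename() drops any directory part, realpath() resolves ".." and symlinks,
// and the prefix check rejects anything that still escaped the directory.
function resolveContentPath(string $requested): ?string
{
    $name = basename($requested);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    $base = realpath(CONTENT_DIR);
    $path = realpath(CONTENT_DIR . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// List plain files in CONTENT_DIR; skips "." and "..", dotfiles, subdirectories
// and symlinks that point outside the directory.
function listContentFiles(): array
{
    $files = [];
    $dh = opendir(CONTENT_DIR);
    if ($dh === false) {
        return $files;
    }
    while (($entry = readdir($dh)) !== false) {
        if ($entry[0] === '.') {          // covers ".", ".." and dotfiles
            continue;
        }
        if (resolveContentPath($entry) !== null) {
            $files[] = $entry;
        }
    }
    closedir($dh);
    sort($files);
    return $files;
}

// Content-Type by extension; unknown types go out as a download so the
// browser does not sniff and render them.
function contentTypeFor(string $path): string
{
    $types = [
        'pdf' => 'application/pdf',
        'doc' => 'application/msword',
        'txt' => 'text/plain; charset=utf-8',
    ];
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return $types[$ext] ?? 'application/octet-stream';
}

function sendFile(string $path): void
{
    header('Content-Type: ' . contentTypeFor($path));
    header('Content-Length: ' . (string) filesize($path));
    header('Content-Disposition: attachment; filename="' . rawurlencode(basename($path)) . '"');
    header('X-Content-Type-Options: nosniff');
    $fp = fopen($path, 'rb');
    fpassthru($fp);
    fclose($fp);
}

session_start();
$user = $_SESSION['user'] ?? [];
if (!userMayView($user)) {
    http_response_code(403);
    exit('Login required');
}

if (isset($_GET['filename'])) {
    $path = resolveContentPath((string) $_GET['filename']);
    if ($path === null) {
        http_response_code(404);
        exit('No such file');
    }
    sendFile($path);
    exit;
}

// No filename given: render the list, linking each entry back to this script.
header('Content-Type: text/html; charset=utf-8');
echo '<ul>';
foreach (listContentFiles() as $name) {
    $href = htmlspecialchars('?filename=' . rawurlencode($name), ENT_QUOTES, 'UTF-8');
    echo '<li><a href="' . $href . '">' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</a></li>';
}
echo '</ul>';
```

The point of resolveContentPath() is that the listing and the download share one resolver: a request like fileGetter.php?filename=../../etc/passwd is reduced to "passwd" by basename() and then rejected by the realpath prefix check, and the same check keeps the readdir() listing from advertising anything it would later refuse to serve. Because the files sit outside the httpd tree, there is no second .htaccess login to collide with the MySQL-backed one.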
