Re: hidden (phantom) file downloads

This WebDNA talk-list message is from

2000


It keeps the original formatting.
numero = 31531
interpreted = N
texte = good points you have there... but it doesn't have to be the actual name of the file itself that you use... one could use a database to reference the file names to the bogus URL, and as for including the file, if you have a .doc extension on the file, and you put comments in the webcat code like: [SHOWIF [URL][THISURL][/URL]^.doc][!] [/!][TEXT SHOW=F]ELEN=[COUNTWORDS Delimiters=+_/][THISURL][/COUNTWORDS][/TEXT]webcat shouldn't put anything at the beginning of the file, and if the web server itself is set up to serve .doc files as whatever their mime type is, it should serve them ok.and as for picking my methods apart, please continue to do so! I have a passion for learning, and I love discussing all things technical.Derek>1. Is this really secure? I mean, just knowing the file name and typing a >bogus url with the right file name will give you the file. Not that the >other methods discussed are truly secure, but if you copy files, then delete >them after a period of time, there's only a small window of opportunity for >unauthorized users to download the file. The error file method would seem >to allow download of any file whose name is known, at any time. >2. Your word file will have the extension and MIME type of your template, >right? So the browser would just display the contents of the word file >within the page, which would look very ugly. > >I don't mean to pick your method apart, but it seems more appropriate for >inclusion of text or html content that is not meant to be proprietary or >protected than it does as a means of protecting or hiding direct downloads. > >Am I wrong? Did I miss something? > >Mike > >> ok, so for this purpose, we are assuming that the file resides in >> my.server.com/docs/mydoc.doc >> >> ok, so first you would want to create a db or something to store the >> names of the word files. >> then you have a link pointing to my.server.com/[RANDOM]/mydoc.doc >> In you error.html file, insert the lines: >> > > [SHOWIF [URL][THISURL][/URL]^.doc] >> [TEXT SHOW=F]ELEN=[COUNTWORDS Delimiters= > > +_/][THISURL][/COUNTWORDS][/TEXT] >> [TEXT SHOW=F]DSSTRING=[LISTWORDS WORDS=[THISURL]&Delimiters= +_/][HIDEIF >> [INDEX]=[ELEN]][WORD][SHOWIF [INDEX]<[MATH][ELEN]-1[/MATH]] >> [/SHOWIF][/HIDEIF][/LISTWORDS][/TEXT] >> [SEARCH db=^db/docs.db&eqDOCdatarq=[DSSTRING]&MAX=1] >> [HIDEIF [NUMFOUND]=0] >> [include file=/docs/mydoc.doc] >> [/HIDEIF] >> [SHOWIF [NUMFOUND]=0] >> File Not found >> [/SHOWIF] >> [/SEARCH] >> >> [/SHOWIF] >> >> Something approximately like this should work. we use this techniue here >> often. >> >> >>>>>> I am trying to have a members only restricted area where paying >>>>>> subscribers can log in and download pdf or word files that they have >>>>>> paid for - but I do not want to reveal the true location of the file. >>>>>> Is anyone out there doing something like this? >>>>> >>>>> Welcome does this easily ... >>>> >>>> not on OS X/itools though - correct? >>> >>> Welcome is originally based (or inspired by) an Apache module called >>> mod_rewrite, so you can still do what you want :-) >>> >>> ************************************************************* >>> Christer Olsson Stora Nygatan 21 Phone +46 40 791 50 >>> Ljusa Idéer AB S-211 37 Malmoe Fax +46 40 97 99 77 >>> Sweden http://www.ljusaideer.se >>> > > >------------------------------------------------------------- >This message is sent to you because you are subscribed to > the mailing list . >To unsubscribe, E-mail to: >To switch to the DIGEST mode, E-mail to >-- Derek Chauran Web Developer, Dark Horse Comics derekc@darkhorse.com http://www.darkhorse.com------------------------------------------------------------- This message is sent to you because you are subscribed to the mailing list . To unsubscribe, E-mail to: To switch to the DIGEST mode, E-mail to Associated Messages, from the most recent to the oldest:

    
  1. Re: hidden (phantom) file downloads (Derek C. 2000)
  2. Re: hidden (phantom) file downloads (Mike Davis 2000)
  3. Re: hidden (phantom) file downloads (Derek C. 2000)
  4. Re: hidden (phantom) file downloads (Mike Davis 2000)
  5. Re: hidden (phantom) file downloads (Derek C. 2000)
  6. Re: hidden (phantom) file downloads (John Peacock 2000)
  7. Re: hidden (phantom) file downloads (Christer Olsson 2000)
  8. Re: hidden (phantom) file downloads (Michael O Shea 2000)
  9. Re: hidden (phantom) file downloads (Britt T. 2000)
  10. Re: hidden (phantom) file downloads (Kenneth Grome 2000)
  11. Re: hidden (phantom) file downloads (J Lane 2000)
  12. Re: hidden (phantom) file downloads (Kenneth Grome 2000)
  13. Re: hidden (phantom) file downloads (Britt T. 2000)
  14. Re: hidden (phantom) file downloads (Kenneth Grome 2000)
  15. hidden (phantom) file downloads (Britt T. 2000)
good points you have there... but it doesn't have to be the actual name of the file itself that you use... one could use a database to reference the file names to the bogus URL, and as for including the file, if you have a .doc extension on the file, and you put comments in the webcat code like: [SHOWIF [url][thisurl][/URL]^.doc][!] [/!][TEXT SHOW=F]ELEN=[COUNTWORDS Delimiters=+_/][thisurl][/COUNTWORDS][/TEXT]webcat shouldn't put anything at the beginning of the file, and if the web server itself is set up to serve .doc files as whatever their mime type is, it should serve them ok.and as for picking my methods apart, please continue to do so! I have a passion for learning, and I love discussing all things technical.Derek>1. Is this really secure? I mean, just knowing the file name and typing a >bogus url with the right file name will give you the file. Not that the >other methods discussed are truly secure, but if you copy files, then delete >them after a period of time, there's only a small window of opportunity for >unauthorized users to download the file. The error file method would seem >to allow download of any file whose name is known, at any time. >2. Your word file will have the extension and MIME type of your template, >right? So the browser would just display the contents of the word file >within the page, which would look very ugly. > >I don't mean to pick your method apart, but it seems more appropriate for >inclusion of text or html content that is not meant to be proprietary or >protected than it does as a means of protecting or hiding direct downloads. > >Am I wrong? Did I miss something? > >Mike > >> ok, so for this purpose, we are assuming that the file resides in >> my.server.com/docs/mydoc.doc >> >> ok, so first you would want to create a db or something to store the >> names of the word files. >> then you have a link pointing to my.server.com/[random]/mydoc.doc >> In you error.html file, insert the lines: >> > > [SHOWIF [url][thisurl][/URL]^.doc] >> [TEXT SHOW=F]ELEN=[COUNTWORDS Delimiters= > > +_/][thisurl][/COUNTWORDS][/TEXT] >> [TEXT SHOW=F]DSSTRING=[LISTWORDS WORDS=[thisurl]&Delimiters= +_/][HIDEIF >> [INDEX]=[ELEN]][WORD][SHOWIF [INDEX]<[math][ELEN]-1[/MATH]] >> [/SHOWIF][/HIDEIF][/LISTWORDS][/TEXT] >> [SEARCH db=^db/docs.db&eqDOCdatarq=[DSSTRING]&MAX=1] >> [HIDEIF [NUMFOUND]=0] >> [include file=/docs/mydoc.doc] >> [/HIDEIF] >> [SHOWIF [NUMFOUND]=0] >> File Not found >> [/SHOWIF] >> [/SEARCH] >> >> [/SHOWIF] >> >> Something approximately like this should work. we use this techniue here >> often. >> >> >>>>>> I am trying to have a members only restricted area where paying >>>>>> subscribers can log in and download pdf or word files that they have >>>>>> paid for - but I do not want to reveal the true location of the file. >>>>>> Is anyone out there doing something like this? >>>>> >>>>> Welcome does this easily ... >>>> >>>> not on OS X/itools though - correct? >>> >>> Welcome is originally based (or inspired by) an Apache module called >>> mod_rewrite, so you can still do what you want :-) >>> >>> ************************************************************* >>> Christer Olsson Stora Nygatan 21 Phone +46 40 791 50 >>> Ljusa Idéer AB S-211 37 Malmoe Fax +46 40 97 99 77 >>> Sweden http://www.ljusaideer.se >>> > > >------------------------------------------------------------- >This message is sent to you because you are subscribed to > the mailing list . >To unsubscribe, E-mail to: >To switch to the DIGEST mode, E-mail to >-- Derek Chauran Web Developer, Dark Horse Comics derekc@darkhorse.com http://www.darkhorse.com------------------------------------------------------------- This message is sent to you because you are subscribed to the mailing list . To unsubscribe, E-mail to: To switch to the DIGEST mode, E-mail to Derek C.

DOWNLOAD WEBDNA NOW!

Top Articles:

Talk List

The WebDNA community talk-list is the best place to get some help: several hundred extremely proficient programmers with an excellent knowledge of WebDNA and an excellent spirit will deliver all the tips and tricks you can imagine...

Related Readings:

Order not created error (1997) Problems passing [SKU] with $Replace in 2.0 (1997) Code database (1998) [WebDNA] Was: wiki Now: Object-oriented programmng (2009) Running 2 two WebCatalog.acgi's (1996) Pass Thru Page? (1998) Problem with [Search] inside of [Loop]? (1997) Part 2 - [showif] if variable exists (1998) search form problem.. (1997) webcat2b12 CGI -- Date comparisons (1997) More on the email templates (1997) [WebDNA] What does PHP(5) has, that Webdna hasn't (2009) can WC render sites out? (1997) syntax question, not in online refernce (1997) disappearing SKU (etc.) fields (1998) select multiple 2 more cents (1997) webcat error log (1998) Some Advise needed (1997) Fwd: Problems with Webcatalog Plug-in (1997) Show shoppingcart after remove last item (1997)