File download security?

[Maize]

I'm assuming that providing a public link to a pdf file on our server, for example, example.com/files/etc/downloadme.pdf, isn't exactly secure. Am I right?

Is the best way to implement this is to pass in some parameters that the server will analyze, get the pdf file, and return a stream? I've been searching for some tutorials but can't seem to find any.

Thanks.

[felgall]

If you want to limit access then put the pdfs above your public_html and access them via a script. You can add whatever validation in front of the following (which assumes that the name of the PDF file is in $pdf

Code:

ini_set('zlib.output_compression','Off');
header("Pragma: public");
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header("Cache-Control: must-revalidate");
header('Content-type: application/pdf');
header('Content-Disposition: attachment; filename="'.$pdf.'"');
header('Content-Length: ' . filesize("../$pdf"));
readfile("../$pdf");

replace attachment with inline if you want the PDF to display in the page instead of being downloaded outside the browser.

[djm0219]

Quote:

Originally Posted by Maize

I'm assuming that providing a public link to a pdf file on our server, for example, example.com/files/etc/downloadme.pdf, isn't exactly secure. Am I right?

Not at all. What leads you to believe it might not be secure? You would not be storing it in the directory you used in your example but if it's for public consumption, putting in a directory your web server can "see" and providing a link to it is just fine.