Allow users to download files outside webroot

Question

Hello I am using PHP to allow users to upload files and I have them sitting in a folder outside webroot (/var/www) folder for security reasons. It is in the folder /var/uplo

Answer 1

A nice way to take a load of PHP is with mod_xsendfile if you can install it, all the PHP process has to do is send a reply header & exit, and the webserver will take care of the rest.

Answer 2

Use

• a symlink pointing to /var/uploads (tutorial here)

• a Apache Alias directive Alias /uploads /var/uploads (must be in httpd.conf)

• or a proxy PHP script that accepts a GET variable filename=upload.jpg and fetches the file e.g. using fpassthru()

the latter is the least preferable option because it is resource intensive, but sometimes it's the only alternative. It also needs proper securing to prevent an attacker from getting other files on your server through the proxy.

Answer 3

You can, just have a php file that echos the contents the file to the response, and set the mime-type appropriately.