Here’s what I’ve come up with.
I call the script like this:
/dl.php/audiofiles/goodstuff/great.mp3
<?php
// use PATH_INFO so filename looks real
$filename = $_SERVER['PATH_INFO'];
$subdir = "audiofiles";
// allowed directory, canonicalised, with a trailing "/" so a sibling such as "audiofiles2" cannot match
$allowed = realpath($_SERVER['DOCUMENT_ROOT'] . "/" . $subdir) . "/";
$realfile = realpath($_SERVER['DOCUMENT_ROOT'] . $filename);
// realpath() returns FALSE for a missing file; the allowed prefix must match at offset 0,
// a bare strpos() === FALSE test would also accept a match later in the string
if ($realfile === FALSE || strpos($realfile, $allowed) !== 0)
    die('bad filename'); // die, do not process
// send out file as content-disposition...
I’m not sure yet whether I even need to do the realpath check if I use PATH_INFO, but I put it in while I was still passing the filename as a GET variable.
Does anyone see any problems with this?
Thanks,
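The containment check the post describes, written as a function and exercised against the inputs that trip up a plain strpos() test (traversal, a sibling directory sharing the prefix, a missing file). This is an added example, not the poster's code; the function name, the temporary document root and the sample files are assumptions made for the demo.

```php
<?php
// Added example, not the poster's code: resolve a PATH_INFO value to a file
// that must sit under one allowed directory, or return null. The function
// name and the temporary document root below are assumptions for the demo.
function resolve_download_path(string $docroot, string $subdir, string $pathinfo): ?string
{
    // The allowed directory itself, canonicalised; it must exist.
    $base = realpath($docroot . '/' . $subdir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks and returns false when the
    // target does not exist, so false is rejected rather than compared.
    $real = realpath($docroot . $pathinfo);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Match must start at offset 0 and include the trailing separator, or
    // "/audiofiles_private/x.mp3" would slip past a bare strpos() !== false test.
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Constructed layout: one allowed directory plus a sibling with a shared prefix.
$docroot = sys_get_temp_dir() . '/dlroot_' . getmypid();
mkdir("$docroot/audiofiles/goodstuff", 0700, true);
mkdir("$docroot/audiofiles_private", 0700, true);
file_put_contents("$docroot/audiofiles/goodstuff/great.mp3", 'mp3');
file_put_contents("$docroot/audiofiles_private/secret.mp3", 'mp3');
file_put_contents("$docroot/config.php", '<?php // constructed: db password would live here');

$cases = [
    '/audiofiles/goodstuff/great.mp3', // allowed: served
    '/audiofiles/../config.php',       // traversal out of the subdir: rejected
    '/audiofiles_private/secret.mp3',  // prefix collision: rejected
    '/audiofiles/missing.mp3',         // realpath() false: rejected
];
foreach ($cases as $pathinfo) {
    $real = resolve_download_path($docroot, 'audiofiles', $pathinfo);
    printf("%-34s => %s\n", $pathinfo, $real === null ? 'rejected' : 'serve ' . basename($real));
    // On success the real script would send the file, e.g.:
    // header('Content-Type: audio/mpeg');
    // header('Content-Disposition: attachment; filename="' . basename($real) . '"');
    // readfile($real);
}
```

Because both the allowed directory and the requested file go through realpath(), the comparison still holds when the document root itself lives behind a symlink.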