
I am creating a PHP access handler file which will serve images and videos to users based on whether they have authorisation.

I need to block direct access to the files to ensure that the user auth cannot be bypassed. What's the most efficient way to serve images and video without chewing up too much memory?

I tried using X-SendFile below, but this only allows you to download files and not display them. I was hoping it would be possible to automatically get the file headers (they will more than likely be .mp4 videos and .jpgs).

```php
<?PHP
$file = $_GET['f'];
$filepath = $_GET['fp'];
//if auth success (security will be put in here)
if(TRUE == TRUE){
    header("Content-type: application/octet-stream");
    header('Content-Disposition: attachment;filename='.$file);
    header('X-Sendfile: '.$filepath);
}else{ echo "Unauthorized access"; exit(); }
?>
```

**UPDATE**

Trying to get it working but getting errors.

```php
//Get media file content type
$finfo = finfo_open(FILEINFO_MIME_TYPE);
//Display correct headers for media file
header("Content-type:   ".finfo_file($finfo, $filepath));
//echo "here".finfo_file($finfo, $filepath); 
finfo_close($finfo);
header('Content-length: '.filesize($filepath));
header('Content-Disposition: inline; filename="'.$file.'"');
header('X-Sendfile: ' . $filepath );
```

John J

1 Answer


UPDATE

Regarding the Content-Disposition header.

> If this header is used in a response with the application/octet-stream content-type, the implied suggestion is that the user agent should not display the response, but directly enter a `save response as...' dialog.
> -- http://www.w3.org/Protocols/rfc2616/rfc2616-sec19.html#sec19.5.1


Use your web server's sendfile capabilities.

With Apache, you can send the X-Sendfile header to instruct it to just deliver the file:

```php
header("X-Sendfile: $filepath");
```

Also, see Using X-Sendfile with Apache/PHP and http://www.yiiframework.com/wiki/129/x-sendfile-serve-large-static-files-efficiently-from-web-applications/

Community
glasz
  • Trouble is x-sendfile serves the file as a download and will not display the file, any other suggestions? – John J Apr 07 '14 at 11:14
  • how about `Content-Disposition: inline`? – glasz Apr 07 '14 at 11:21
  • content disposition heavily depends on what your browser supports. disable sendfile to verify your browser (or a plugin) can actually display what you're sending it. – glasz Apr 07 '14 at 11:26
  • it would need to be a type which can always be accepted in browsers, I can set the headers manually it's not the end of the world. but displaying image/videos using php is a memory killer :( – John J Apr 07 '14 at 11:33
  • @JohnJ you could use [`finfo_file`](http://www.php.net/manual/function.finfo-file.php) to set the correct mime-type. – Yoshi Apr 07 '14 at 11:35
  • Good shout thanks for that, that certainly saves having a switch in place. what about the least intensive way to output a file? – John J Apr 07 '14 at 12:42
  • @JohnJ I think you're already on the right track. Just use `Content-Disposition: inline` with the correct mime-type and x-sendfile. Everything else is the browser. – Yoshi Apr 07 '14 at 12:51
  • your revised code looks fine. are you sure your browser is able to inline-display the file type you're serving? have you tried without `sendfile`, just for testing? does finfo detect the correct mime type? did you match your expectations with what `curl -XHEAD` throws at you? – glasz Apr 07 '14 at 22:09
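
Added example, not part of the original question, answer or comments: one way to combine the pieces discussed above (`finfo`, `Content-Disposition: inline`, X-Sendfile) while resolving the requested name inside a fixed media directory instead of taking a full path from the query string. The directory `/var/www/protected-media`, the session key `user_id` and the function names `resolveMediaPath` and `mediaHeaders` are assumptions made for illustration.

```php
<?php
// Assumed: protected media lives outside the document root.
const MEDIA_ROOT = '/var/www/protected-media';
// Types served inline (the question mentions .jpg and .mp4).
const INLINE_TYPES = ['image/jpeg', 'video/mp4'];

// Resolve a client-supplied name to a file under $root; null if it escapes $root.
function resolveMediaPath(string $root, string $requested): ?string
{
    $rootReal = realpath($root);
    $real = realpath($root . DIRECTORY_SEPARATOR . $requested);
    if ($rootReal === false || $real === false || !is_file($real)) {
        return null;
    }
    // realpath() has collapsed "../" and symlinks, so a prefix check is sound.
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Build response headers from the detected type; null if the type is not allowed.
function mediaHeaders(string $path): ?array
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if ($mime === false || !in_array($mime, INLINE_TYPES, true)) {
        return null;
    }
    // Keep the filename parameter free of quotes and control characters.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
    return [
        'Content-Type: ' . $mime,
        'Content-Disposition: inline; filename="' . $name . '"',
        'X-Content-Type-Options: nosniff',
        'X-Sendfile: ' . $path,
    ];
}

session_start();
if (!isset($_SESSION['user_id'])) {   // assumed session-based auth check
    http_response_code(403);
    exit('Unauthorized access');
}
$f = $_GET['f'] ?? '';
// Reject arrays and NUL bytes before the value reaches any filesystem call.
$ok = is_string($f) && $f !== '' && strpos($f, "\0") === false;
$path = $ok ? resolveMediaPath(MEDIA_ROOT, $f) : null;
$headers = $path !== null ? mediaHeaders($path) : null;
if ($headers === null) {
    http_response_code(404);
    exit;
}
foreach ($headers as $h) { header($h); }
```

Here the client passes only a name relative to the media root in `f`, so a request cannot point X-Sendfile at an arbitrary server path the way the `fp` parameter could. The web server's sendfile module must still be enabled and allowed to read the media directory.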