
Not sure if this is the right place for this question or not, but I'm pretty sure it can be answered with PHP so meh...

 

Alright, I've got a store now that sells an e-book, and I've set up my paypal button so that when you buy the e-book it redirects back to the files of the e-book. However, the files aren't secure and if one were to simply navigate to the page, they could just download it. I would like to secure these files so that one can't just navigate to the page and download them if at all possible, or at least make it difficult to find them.

https://forums.phpfreaks.com/topic/127805-file-security/

Well for starters, if you store them in a directory outside public_html and make them readable only by the server and have your script read the file contents and display it, people can't just plug in a url and get it.  On top of that, you can force the user to login to access it.  After that, there's no way you can simultaneously allow people to read it and yet keep them from copying it.  You could have a lawyer write a ToS and/or contract and go after them legally, but even then you'd have to prove it was them and not some other customer...very difficult, if not impossible to do.

https://forums.phpfreaks.com/topic/127805-file-security/#findComment-661640

I have no CMS on the site or any architecture of code holding it up; it's a basic HTML site that sells an E-Book and that's it. There's nothing really outside of that, so I have no users and I don't really have the time to write up a CMS. I was thinking about doing something with .htaccess but then everyone would need a username and pass. I was also thinking about doing something with the referrer, but I donno. Force the referrer in as from PayPal just to add a touch to the security but I donno how effective that'd be since a referrer can be spoofed.

https://forums.phpfreaks.com/topic/127805-file-security/#findComment-661642

You don't need an entire CMS to do that.  Simply go to your server's directory/file browser (through cpanel or command line or however you do it), move your ebook files to a different directory, and change the chmod (the file's read/write/execute permissions) to only allow your server to access it.  Change the target on your webpage to point to the new place.  The end.

 

As far as forcing user to login, there are a ton of tutorials out there for that.  It's pretty basic, easy to setup stuff.

https://forums.phpfreaks.com/topic/127805-file-security/#findComment-661645

I simply don't want there to be users on the site. I don't want any form of registration. But, so what you're saying is this:

 

Move the files out of public_html

chmod it to be able to have only the server access it

Change the target redirection to a PHP file that will open up the file and download it

 

Now, could I just include the .rar files? Would that basically download the files? Thanks for your help, I know I sound like a complete noob but I'm not :P I know a decent amount of PHP I'm just rusty, haven't been on a computer in some time so I'm just brushing back up.

https://forums.phpfreaks.com/topic/127805-file-security/#findComment-661652
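The three steps above (move the files out of public_html, let only the server read them, point the PayPal return URL at a PHP script that streams the file) as a worked example. This is added code, not from the thread or from any poster; the directory /home/user/private_files and the file names are assumptions. Two points the steps leave implicit: `include` would try to execute the .rar as PHP code, so `readfile()` is the call that sends bytes, and the script only serves names from a fixed allow-list rather than searching the directory for whatever name the client supplies.

```php
<?php
// Added example: serve an e-book that lives outside the web root.
// Assumptions: PRIVATE_DIR is not under public_html (hypothetical path) and is
// readable by the web server user only.
declare(strict_types=1);

const PRIVATE_DIR = '/home/user/private_files';   // assumption: outside public_html

// Allow-list of files that may ever be served, each with a fixed MIME type.
// Anything not listed here is refused, whatever the client asks for.
const FILES = [
    'ebook.pdf' => 'application/pdf',
    'ebook.rar' => 'application/octet-stream',
];

/**
 * Map a requested name to an absolute path inside PRIVATE_DIR, or return null.
 * basename() drops any directory part, the allow-list rejects unknown names, and
 * the realpath() prefix check refuses a listed name that is a symlink pointing
 * outside the private directory.
 */
function resolve_download(string $requested): ?array
{
    $name = basename($requested);
    if (!isset(FILES[$name])) {
        return null;
    }
    $base = realpath(PRIVATE_DIR);
    $real = realpath(PRIVATE_DIR . '/' . $name);
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    if (!is_file($real) || !is_readable($real)) {
        return null;
    }
    return ['path' => $real, 'mime' => FILES[$name], 'name' => $name];
}

/**
 * Send the file as an attachment. $info['name'] comes from the allow-list, not
 * from the request, so it cannot smuggle quotes or newlines into the header.
 */
function send_download(array $info): void
{
    header('Content-Type: ' . $info['mime']);
    header('Content-Disposition: attachment; filename="' . $info['name'] . '"');
    header('Content-Length: ' . filesize($info['path']));
    header('Cache-Control: private, no-store');
    readfile($info['path']);   // streams the bytes; include() would execute them
}

$info = resolve_download($_GET['f'] ?? '');
if ($info === null) {
    http_response_code(404);
    exit('File not found.');
}
send_download($info);
```

Usage: link the PayPal return URL to download.php?f=ebook.pdf. Note what this does and does not buy you: the .rar can no longer be fetched by URL, but download.php itself is still a public URL, and a referrer check does not change that since the header is set by the client. Gating the script behind a login or some other proof of purchase, as the earlier reply suggests, is what actually restricts who can pull the file.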

<?php

###############################################################
# 
###############################################################
# Visit http://www.zubrag.com/scripts/ for updates
###############################################################
# Sample call:
#    download.php?f=phptutorial.zip
#
# Sample call (browser will try to save with new file name):
#    download.php?f=phptutorial.zip&fc=php123tutorial.zip
###############################################################

// Allow direct file download (hotlinking)?
// Empty - allow hotlinking
// If set to nonempty value (Example: example.com) will only allow downloads when referrer contains this text
define('ALLOWED_REFERRER', '');

// Download folder, i.e. folder where you keep all files for download.
// MUST end with slash (i.e. "/" )
define('BASE_DIR','/home/user/downloads/');

// log downloads?  true/false
define('LOG_DOWNLOADS',true);

// log file name
define('LOG_FILE','downloads.log');

// Allowed extensions list in format 'extension' => 'mime type'
// If mime type is set to empty string then script will try to detect mime type 
// itself, which would only work if you have Mimetype or Fileinfo extensions
// installed on server.
$allowed_ext = array (

  // archives
  'zip' => 'application/zip',

  // documents
  'pdf' => 'application/pdf',
  'doc' => 'application/msword',
  'xls' => 'application/vnd.ms-excel',
  'ppt' => 'application/vnd.ms-powerpoint',
  
  // executables
  'exe' => 'application/octet-stream',

  // images
  'gif' => 'image/gif',
  'png' => 'image/png',
  'jpg' => 'image/jpeg',
  'jpeg' => 'image/jpeg',

  // audio
  'mp3' => 'audio/mpeg',
  'wav' => 'audio/x-wav',

  // video
  'mpeg' => 'video/mpeg',
  'mpg' => 'video/mpeg',
  'mpe' => 'video/mpeg',
  'mov' => 'video/quicktime',
  'avi' => 'video/x-msvideo'
);



####################################################################
###  DO NOT CHANGE BELOW
####################################################################

// If hotlinking not allowed then make hackers think there are some server problems
if (ALLOWED_REFERRER !== ''
&& (!isset($_SERVER['HTTP_REFERER']) || strpos(strtoupper($_SERVER['HTTP_REFERER']),strtoupper(ALLOWED_REFERRER)) === false)
) {
  die("Internal server error. Please contact system administrator.");
}

// Make sure program execution doesn't time out
// Set maximum script execution time in seconds (0 means no limit)
set_time_limit(0);

if (!isset($_GET['f']) || empty($_GET['f'])) {
  die("Please specify file name for download.");
}

// Get real file name.
// Remove any path info to avoid hacking by adding relative path, etc.
$fname = basename($_GET['f']);

// Check if the file exists
// Check in subfolders too
function find_file ($dirname, $fname, &$file_path) {

  $dir = opendir($dirname);
  if ($dir === false) return;

  // readdir() returns false once the listing is exhausted; compare strictly so
  // an entry literally named "0" does not end the loop early
  while (($file = readdir($dir)) !== false) {
    if (empty($file_path) && $file != '.' && $file != '..') {
      if (is_dir($dirname.'/'.$file)) {
        find_file($dirname.'/'.$file, $fname, $file_path);
      }
      else {
        if (file_exists($dirname.'/'.$fname)) {
          $file_path = $dirname.'/'.$fname;
          closedir($dir);
          return;
        }
      }
    }
  }

  closedir($dir);

} // find_file

// get full file path (including subfolders)
$file_path = '';
find_file(BASE_DIR, $fname, $file_path);

if (!is_file($file_path)) {
  die("File does not exist. Make sure you specified correct file name."); 
}

// file size in bytes
$fsize = filesize($file_path); 

// file extension
$fext = strtolower(substr(strrchr($fname,"."),1));

// check if allowed extension
if (!array_key_exists($fext, $allowed_ext)) {
  die("Not allowed file type."); 
}

// get mime type
if ($allowed_ext[$fext] == '') {
  $mtype = '';
  // mime type is not set, get from server settings
  if (function_exists('mime_content_type')) {
    $mtype = mime_content_type($file_path);
  }
  else if (function_exists('finfo_file')) {
    $finfo = finfo_open(FILEINFO_MIME); // return mime type
    $mtype = finfo_file($finfo, $file_path);
    finfo_close($finfo);  
  }
  if ($mtype == '') {
    $mtype = "application/force-download";
  }
}
else {
  // get mime type defined by admin
  $mtype = $allowed_ext[$fext];
}

// Browser will try to save file with this filename, regardless original filename.
// You can override it if needed.

if (!isset($_GET['fc']) || empty($_GET['fc'])) {
  $asfname = $fname;
}
else {
  // remove some bad chars
  $asfname = str_replace(array('"',"'",'\\','/'), '', $_GET['fc']);
  if ($asfname === '') $asfname = 'NoName';
}

// set headers
header("Pragma: public");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Cache-Control: public");
header("Content-Description: File Transfer");
header("Content-Type: $mtype");
header("Content-Disposition: attachment; filename=\"$asfname\"");
header("Content-Transfer-Encoding: binary");
header("Content-Length: " . $fsize);

// download
// @readfile($file_path);
$file = @fopen($file_path,"rb");
if ($file) {
  while(!feof($file)) {
    print(fread($file, 1024*8));   // send the file in 8 KB chunks
    flush();
    if (connection_status()!=0) {
      @fclose($file);
      die();
    }
  }
  @fclose($file);
}

// log downloads
if (!LOG_DOWNLOADS) die();

$f = @fopen(LOG_FILE, 'a+');
if ($f) {
  @fputs($f, date("m.d.Y g:ia")."  ".$_SERVER['REMOTE_ADDR']."  ".$fname."\n");
  @fclose($f);
}

?>

https://forums.phpfreaks.com/topic/127805-file-security/#findComment-661663