JamesRyzon Posted June 25, 2006 Share Posted June 25, 2006 Alright im going to try to explain my problem the best I can.I have a registration system, and points system and stuff using Session Variables.I have things for people to download but i want to require that they must download them by clicking links, not able to just navigate to the files on my webspace and download them.I think it might require some messing with htaccess but im also brand new to this concept.If anyone can help me out I would be very appriciative! Quote Link to comment https://forums.phpfreaks.com/topic/12890-php-secure-downloads/ Share on other sites More sharing options...
Michael4172 Posted June 26, 2006 Share Posted June 26, 2006 Are you wanting the user to be required to enter in a unique username and password in order to download the files on your site? Quote Link to comment https://forums.phpfreaks.com/topic/12890-php-secure-downloads/#findComment-49537 Share on other sites More sharing options...
JamesRyzon Posted June 27, 2006 Author Share Posted June 27, 2006 [!--quoteo(post=387929:date=Jun 26 2006, 02:09 AM:name=BigMike)--][div class=\'quotetop\']QUOTE(BigMike @ Jun 26 2006, 02:09 AM) [snapback]387929[/snapback][/div][div class=\'quotemain\'][!--quotec--]Are you wanting the user to be required to enter in a unique username and password in order to download the files on your site?[/quote]Yes!So far I have registration and everything down, and I can show the links only when they are logged in.What im wanting to prevent, is smarter users finding a way to find the directory the files are in, and just simply accessing them outside of the website, ie: www.somesite.com/somedirectory/somefile.zip while not logged in. Quote Link to comment https://forums.phpfreaks.com/topic/12890-php-secure-downloads/#findComment-49944 Share on other sites More sharing options...
redarrow Posted June 27, 2006 Share Posted June 27, 2006 [!--quoteo(post=388355:date=Jun 27 2006, 04:28 AM:name=JamesRyzon)--][div class=\'quotetop\']QUOTE(JamesRyzon @ Jun 27 2006, 04:28 AM) [snapback]388355[/snapback][/div][div class=\'quotemain\'][!--quotec--]Yes!So far I have registration and everything down, and I can show the links only when they are logged in.What im wanting to prevent, is smarter users finding a way to find the directory the files are in, and just simply accessing them outside of the website, ie: www.somesite.com/somedirectory/somefile.zip while not logged in.[/quote]The easy solution is to add a index.php in that folder. Quote Link to comment https://forums.phpfreaks.com/topic/12890-php-secure-downloads/#findComment-49945 Share on other sites More sharing options...
phpstuck Posted June 27, 2006 Share Posted June 27, 2006 Check out this reference.. I think with a little figuring you can htaccess protect the files so they can't be deep linked, shile still allowing logged in users to gain access without multiple log in screeens popping up each time.[a href=\"http://forums.devshed.com/php-development-5/htaccess-and-php-16736.html\" target=\"_blank\"]http://forums.devshed.com/php-development-...-php-16736.html[/a] Quote Link to comment https://forums.phpfreaks.com/topic/12890-php-secure-downloads/#findComment-49960 Share on other sites More sharing options...
JamesRyzon Posted June 29, 2006 Author Share Posted June 29, 2006 [!--quoteo(post=388356:date=Jun 27 2006, 12:31 AM:name=redarrow)--][div class=\'quotetop\']QUOTE(redarrow @ Jun 27 2006, 12:31 AM) [snapback]388356[/snapback][/div][div class=\'quotemain\'][!--quotec--]The easy solution is to add a index.php in that folder.[/quote]Hey,Thanks for the suggestion but that would just take away browsing the files in a "Structure". Thats not really what i was looking for.[!--quoteo(post=388372:date=Jun 27 2006, 01:24 AM:name=phpstuck)--][div class=\'quotetop\']QUOTE(phpstuck @ Jun 27 2006, 01:24 AM) [snapback]388372[/snapback][/div][div class=\'quotemain\'][!--quotec--]Check out this reference.. I think with a little figuring you can htaccess protect the files so they can't be deep linked, shile still allowing logged in users to gain access without multiple log in screeens popping up each time.[a href=\"http://forums.devshed.com/php-development-5/htaccess-and-php-16736.html\" target=\"_blank\"]http://forums.devshed.com/php-development-...-php-16736.html[/a][/quote]I read that, and I have login and stuff built into my php scripts (Memberlist and whatnot). An example of what im looking for (But not entirely) Might be Rapidshare. The files can be uploaded, but the only way to download the files (In theory?) is through their interface.Thanks. Quote Link to comment https://forums.phpfreaks.com/topic/12890-php-secure-downloads/#findComment-50958 Share on other sites More sharing options...
JamesRyzon Posted July 2, 2006 Author Share Posted July 2, 2006 Hoping this is allowed but im bumping the topic for a better explination (Didnt want to create a new thread, incase something in the thread helps someone else help me).I was diving through php.net looking for solutions to my problem.I found out that the main thing i wanted to do was make a button in PHP that will start some downloading and let the download link be controlled by me (So users who press "Download" can not see what directory or where the file is coming from).I found a few posts on php.net in the headers section (http://www.php.net/header) but none of them were exceptionally helpful in getting me towards a goal of files downloading via a php button, no no one could see.Thanks Quote Link to comment https://forums.phpfreaks.com/topic/12890-php-secure-downloads/#findComment-52183 Share on other sites More sharing options...
redarrow Posted July 2, 2006 Share Posted July 2, 2006 This is what i came up with a time back, A user selects the file they want then you post a random number to there email address then they come back and enter the random number then they get the filethe file all the files are in zip format.tell me what you think mate.<?php //connect database $sql_host = 'localhost'; //add host information here (localhost, mysql.host.com, etc.) $sql_un = 'xxxx'; //add your user name here $sql_pass = 'xxxx'; //add your password here $sql_db = 'xxxx'; //add your database name here $sql_tbl = 'xxxx'; //add your counter table name here mysql_connect("$sql_host", "$sql_un", "$sql_pass") or die ("Could not connect to database"); mysql_select_db($sql_db) or die ("Could not select database"); $length = 16;$key_chars = '0123456789';$rand_max = strlen($key_chars) - 1;for ($i = 0; $i < $length; $i++){ $rand_pos = rand(0, $rand_max); $rand_key[] = $key_chars{$rand_pos};}$rand_pass = implode('', $rand_key);$name = ($_POST['name']);$filewanted = ($_POST['filewanted']);$email = $_POST['email'];if((!$email) OR (!checkemail($email))){ echo ' - You did not enter a valid e-mail address.'; } if(!checkEmail($email)) { echo 'echo "<table align=center><td align=center><font color=gray><br>To '.$name.' You Did Not Enter A Valid E-mail Address Try Agin!</font>';}else { echo '<table align=center><td alihn=center><font color=gray>Your Confirmation Code Has Been Emailed To You <br>Thank You '.$name.'</font>';}function checkemail($email){ return preg_match("/^[^\s()<>@,;:\"\/\[\]?=]+@\w[\w-]*(\.\w[\w-]*)*\.[a-z]{2,}$/i",$email); }if(isset($_POST['submit'])){$query = "INSERT INTO user (id , name , email , filewanted , rand_pass) VALUES ( '$id' , '$name' , '$email' , '$filewanted' , '$rand_pass')";$result = mysql_query($query) or die ("Error: ". mysql_error() . " with query $query");}$yoursite = "xxxx";$webmaster = "xxx";$youremail = $mail;$from ="xxxx";$subject = "You Requisted A Program In Php From $yoursite...";$message = "Dear $name, you are now ready to download your program!. To download and enter your confirmation code, http://freesingles.ath.cx/test100/index.phpref: $filewantedUsername: $nameconfirmation code: $rand_passemail address: $email Please print this information out and store it for future reference. Advertise Here:********************************** * www.Your Site Here .com * * ********************************* Thanks,$webmaster";mail($email, $subject, $message, "From: $yoursite <$youremail>\nX-Mailer:PHP/" . phpversion());?><html><body bgcolor="black"><br><table bgcolor=gray width=35% height=55% align=center border=4> <td align=center><table bgcolor=gray width=100% height=35% align=left border=0> <tr><br><td align=center><a href='admin.php'><font color=black size=2><b>Admin</b></font></a></td></tr><td align=center><br><a href='index.php'><font color=black size=2><b>Enter Code</b></font></a></td></table> <td align=center><table align=center width=100 height=35% border=0> <td align=center><form action='<? $PHP_SELF ?>' method="post" name="form1"></tr><tr align=center>Name<input type="text" name="name"><br><br></tr><tr align=center>Email<input type="text" name="email"><br><br></tr><tr align=center>File Wanted<SELECT NAME="filewanted"><OPTION VALUE="program_1.zip">Send All Emails<OPTION VALUE="program_2.zip"><OPTION VALUE="program_3.zip"><OPTION VALUE="program_4.zip"><OPTION VALUE="program_5.zip"><OPTION VALUE="program_6.zip"><OPTION VALUE="program_7.zip"><OPTION VALUE="program_8.zip"><OPTION VALUE="program_9.zip"><OPTION VALUE="program_10.zip"></SELECT><br><br><br><br><input type="submit" name="submit" value="Order Product" /></form></table></html> Quote Link to comment https://forums.phpfreaks.com/topic/12890-php-secure-downloads/#findComment-52197 Share on other sites More sharing options...
Guest James-Ryzon Posted July 2, 2006 Share Posted July 2, 2006 The code seems interesting. It could probably work for someones needs, but its a little over the top for what I am after.I really just need something to make sure users can not see what directory the download is coming out offor example sometimes in IE you can getDownloading from: http://path.to/the/file/...../file.zipand you have to go two or three directorys down to actually hide the file.I was thinking of just popping a window and redirecting to the download, since i have a lot of other things I need to calculate before the download. I really hope this will be an acceptable method.(Sorry did not login, and had already written the post) Quote Link to comment https://forums.phpfreaks.com/topic/12890-php-secure-downloads/#findComment-52240 Share on other sites More sharing options...
JamesRyzon Posted July 3, 2006 Author Share Posted July 3, 2006 Ugh bumping again.The problem DOSENT Exist in firefox, but i dont want to shut out IE users. I used headers to build the download link and push to it, Firefox is fine since the link dosent show in the URL bar for some reason when they are redirected to a download.Is there a way I can also do this in Internet Explorer? That would be the fix ive been looking for this entire time that would prevent a lot of silly hacking at files (been trying to use htaccess, but for some reason my host wont allow the deny,allow lines ;/)Any help is much, MUCH appriciated on this topic! Quote Link to comment https://forums.phpfreaks.com/topic/12890-php-secure-downloads/#findComment-52299 Share on other sites More sharing options...
.josh Posted July 3, 2006 Share Posted July 3, 2006 I have a method for you that will make a link for the user to click, and it calls another script with an id number and the script itself redirects to the file based on the id. It will not show the url in the address bar of the script, however, it will still show the full path to the file in question on the bottom of IE. The only way you can get rid of that is with js but even then, the user can simply disable js and they got it. The bottom line is that there really is no way to completely hide the source from the user, because the client needs to know where the file is coming from, in order for the xfer to take place. All you can really do is the methods you've already done:-put locks on the folders the files are in. -require a login system.-requiring paid membership deters a lot of people-use a script like the one belowanother method also depends on how big your files are. If they are small, you can store the actual file in a database so that they will not actually be in a directory. The user would click the link and the script would retrieve the data from the database and dynamically create the filename with the extension, dump the data in it, and then delete the file afterwards. But that's only really going to work efficiently if your files are small. Anyways, here is the code. This code assumes that you have a table in a database that has a list of files and id's associated with them. The first code is the file that will have the link in it. Let's call it index.php for the hell of it:index.php[code]<a href='getfile.php?id=1'>file 1</a>[/code]yep, that's it. it can be a plain old html file with a plain old link. I named it .php though cuz chances are you will have a whole lot of files and you probably want to dynamically make a list of links. okay so the other file is called getfile.phpgetfile.php[code]<?php$path_to_file = ""; //put the path to the file here//if a link was clickedif ($_GET['id']) { //you probably might want to sanitize this variable to your tastes $id = $_GET['id']; //here is an example query to get the filename by id $sql = "select filename from table where id='$id'"; $rs = mysql_query($sql); $filename = mysql_fetch_array($rs); //if the file actually exists, redirect to the file if (is_file($path_to_file . $filename['filename'])) { header("Location:" . $path_to_file . $filename['filename']); } else { // ..if file not found, give an error message header("HTTP/1.1 404 Not Found"); }} else { // ..if no id passed, give an error header("HTTP/1.0 404 Not Found");}?> [/code] Quote Link to comment https://forums.phpfreaks.com/topic/12890-php-secure-downloads/#findComment-52307 Share on other sites More sharing options...
JamesRyzon Posted July 3, 2006 Author Share Posted July 3, 2006 [quote author=Crayon Violent link=topic=96817.msg390824#msg390824 date=1151902605]I have a method for you that will make a link for the user to click, and it calls another script with an id number and the script itself redirects to the file based on the id. It will not show the url in the address bar of the script, however, it will still show the full path to the file in question on the bottom of IE. The only way you can get rid of that is with js but even then, the user can simply disable js and they got it. The bottom line is that there really is no way to completely hide the source from the user, because the client needs to know where the file is coming from, in order for the xfer to take place. All you can really do is the methods you've already done:-put locks on the folders the files are in. -require a login system.-requiring paid membership deters a lot of people-use a script like the one belowanother method also depends on how big your files are. If they are small, you can store the actual file in a database so that they will not actually be in a directory. The user would click the link and the script would retrieve the data from the database and dynamically create the filename with the extension, dump the data in it, and then delete the file afterwards. But that's only really going to work efficiently if your files are small. Anyways, here is the code. This code assumes that you have a table in a database that has a list of files and id's associated with them. The first code is the file that will have the link in it. Let's call it index.php for the hell of it:index.php[code]<a href='getfile.php?id=1'>file 1</a>[/code]yep, that's it. it can be a plain old html file with a plain old link. I named it .php though cuz chances are you will have a whole lot of files and you probably want to dynamically make a list of links. okay so the other file is called getfile.phpgetfile.php[code]<?php$path_to_file = ""; //put the path to the file here//if a link was clickedif ($_GET['id']) { //you probably might want to sanitize this variable to your tastes $id = $_GET['id']; //here is an example query to get the filename by id $sql = "select filename from table where id='$id'"; $rs = mysql_query($sql); $filename = mysql_fetch_array($rs); //if the file actually exists, redirect to the file if (is_file($path_to_file . $filename['filename'])) { header("Location:" . $path_to_file . $filename['filename']); } else { // ..if file not found, give an error message header("HTTP/1.1 404 Not Found"); }} else { // ..if no id passed, give an error header("HTTP/1.0 404 Not Found");}?> [/code][/quote]Thank you for the post, and that was what I was doing the entire time really. I appriciate the input and the code you posted looks a lot like what I ended up doing.I agree with you on one thing there is no perfect way to make every browser happy. Ive decided the deographic I am shooting for on my website really would not be concerned with things like Getting a Download that does not log to the system (So i can rank the top 10 downloads).Its a very weird world out there, and there is nothing perfect. I was just hoping someone had a magic fix for IE that I had not heard of before. Thanks for everyones time and I hope something in this thread helps someone else figure out their problem, or come to the realization that they may just have to settle and hope that something improves over time :D Quote Link to comment https://forums.phpfreaks.com/topic/12890-php-secure-downloads/#findComment-52369 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.