Php Secure downloads


11 replies to this topic

#1 JamesRyzon

Posted 25 June 2006 - 11:58 PM

Alright, I'm going to try to explain my problem the best I can.

I have a registration system, and points system and stuff using Session Variables.

I have things for people to download, but I want to require that they must download them by clicking links, not able to just navigate to the files on my webspace and download them.

I think it might require some messing with htaccess, but I'm also brand new to this concept.

If anyone can help me out I would be very appreciative!

#2 Michael4172

Posted 26 June 2006 - 06:09 AM

Are you wanting the user to be required to enter in a unique username and password in order to download the files on your site?

#3 JamesRyzon

Posted 27 June 2006 - 04:28 AM

QUOTE (BigMike @ Jun 26 2006, 02:09 AM)
> Are you wanting the user to be required to enter in a unique username and password in order to download the files on your site?

Yes!

So far I have registration and everything down, and I can show the links only when they are logged in.


What I'm wanting to prevent is smarter users finding a way to find the directory the files are in, and just simply accessing them outside of the website, i.e. www.somesite.com/somedirectory/somefile.zip while not logged in.

#4 redarrow

Posted 27 June 2006 - 04:31 AM

QUOTE (JamesRyzon @ Jun 27 2006, 04:28 AM)
> Yes!
>
> So far I have registration and everything down, and I can show the links only when they are logged in.
> What I'm wanting to prevent is smarter users finding a way to find the directory the files are in, and just simply accessing them outside of the website, i.e. www.somesite.com/somedirectory/somefile.zip while not logged in.

The easy solution is to add an index.php in that folder.
Wish i new all about php DAM i will have to learn
((EMAIL CODE THAT WORKS))
http://simpleforum.ath.cx/mail2.inc
((PAYPAL INTEGRATION THAT WORKS))
http://simpleforum.a...aypal1_info.inc

#5 phpstuck

Posted 27 June 2006 - 05:24 AM

Check out this reference. I think with a little figuring you can htaccess protect the files so they can't be deep linked, while still allowing logged in users to gain access without multiple login screens popping up each time.

http://forums.devshed.com/php-development-5/htaccess-and-php-16736.html

#6 JamesRyzon

Posted 29 June 2006 - 06:54 PM

QUOTE (redarrow @ Jun 27 2006, 12:31 AM)
> The easy solution is to add an index.php in that folder.

Hey,

Thanks for the suggestion, but that would just take away browsing the files in a "Structure". That's not really what I was looking for.


QUOTE (phpstuck @ Jun 27 2006, 01:24 AM)
> Check out this reference. I think with a little figuring you can htaccess protect the files so they can't be deep linked, while still allowing logged in users to gain access without multiple login screens popping up each time.
>
> http://forums.devshed.com/php-development-5/htaccess-and-php-16736.html

I read that, and I have login and stuff built into my php scripts (Memberlist and whatnot).

An example of what I'm looking for (but not entirely) might be Rapidshare. The files can be uploaded, but the only way to download the files (in theory?) is through their interface.

Thanks.

#7 JamesRyzon

Posted 02 July 2006 - 07:57 PM

Hoping this is allowed, but I'm bumping the topic for a better explanation (didn't want to create a new thread, in case something in the thread helps someone else help me).

I was diving through php.net looking for solutions to my problem.

I found out that the main thing I wanted to do was make a button in PHP that will start some downloading and let the download link be controlled by me (so users who press "Download" cannot see what directory or where the file is coming from).

I found a few posts on php.net in the headers section (http://www.php.net/header) but none of them were exceptionally helpful in getting me towards a goal of files downloading via a php button, no no one could see.

Thanks



#8 redarrow

Posted 02 July 2006 - 08:30 PM

This is what I came up with a time back. A user selects the file they want, then you post a random number to their email address, then they come back and enter the random number, then they get the file.
All the files are in zip format.

Tell me what you think, mate.


<?php

// Connect to the database. mysqli replaces the mysql_* functions, which were removed in PHP 7.
$sql_host = 'localhost';  // add host information here (localhost, mysql.host.com, etc.)
$sql_un   = 'xxxx';       // add your user name here
$sql_pass = 'xxxx';       // add your password here
$sql_db   = 'xxxx';       // add your database name here
$sql_tbl  = 'xxxx';       // add your counter table name here

$db = mysqli_connect($sql_host, $sql_un, $sql_pass, $sql_db) or die("Could not connect to database");

// The D modifier stops "$" from matching before a trailing newline.
function checkemail($email) {
    return preg_match("/^[^\s()<>@,;:\"\/\[\]?=]+@\w[\w-]*(\.\w[\w-]*)*\.[a-z]{2,}$/iD", $email);
}

// Build a 16-digit confirmation code. random_int() uses the system CSPRNG; rand() is predictable.
$length    = 16;
$key_chars = '0123456789';
$rand_max  = strlen($key_chars) - 1;
$rand_pass = '';

for ($i = 0; $i < $length; $i++) {
    $rand_pass .= $key_chars[random_int(0, $rand_max)];
}

// Only store the request and send the mail when the form was actually submitted.
if (isset($_POST['submit'])) {

    $name       = trim($_POST['name'] ?? '');
    $filewanted = $_POST['filewanted'] ?? '';
    $email      = trim($_POST['email'] ?? '');

    // Escape the name before echoing it back into the page.
    $safe_name = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');

    if (!$email || !checkemail($email)) {
        echo '<table align=center><td align=center><font color=gray><br>To '.$safe_name.' You Did Not Enter A Valid E-mail Address Try Again!</font>';
    } else {
        // Prepared statement: form values are bound, never pasted into the SQL text.
        // The id column is left out and assumed to be AUTO_INCREMENT.
        $stmt = mysqli_prepare($db, "INSERT INTO user (name, email, filewanted, rand_pass) VALUES (?, ?, ?, ?)")
            or die("Error: " . mysqli_error($db));
        mysqli_stmt_bind_param($stmt, 'ssss', $name, $email, $filewanted, $rand_pass);
        mysqli_stmt_execute($stmt) or die("Error: " . mysqli_stmt_error($stmt));

        $yoursite  = "xxxx";
        $webmaster = "xxx";
        $youremail = "xxxx";  // add the address the mail is sent from here
        $from      = "xxxx";

        $subject = "You Requested A Program In Php From $yoursite...";
        $message = "Dear $name, you are now ready to download your program!
To download and enter your confirmation code, http://freesingles.a...st100/index.php

ref: $filewanted
Username: $name
confirmation code: $rand_pass
email address: $email

Please print this information out and store it for future reference.


              Advertise Here:
*********************************
*
*     www.Your Site Here .com
*
*
*********************************

Thanks,
$webmaster";

        mail($email, $subject, $message, "From: $yoursite <$youremail>\r\nX-Mailer: PHP/" . phpversion());

        echo '<table align=center><td align=center><font color=gray>Your Confirmation Code Has Been Emailed To You <br>Thank You '.$safe_name.'</font>';
    }
}

?>


<html>
<body bgcolor="black">



<br>
<table bgcolor=gray width=35% height=55% align=center border=4>
<td align=center>
<table bgcolor=gray width=100% height=35% align=left border=0>
<tr>
<br>
<td align=center>
<a href='admin.php'><font color=black size=2><b>Admin</b></font></a>
</td>
</tr>
<td align=center>
<br><a href='index.php'><font color=black size=2><b>Enter Code</b></font></a></td>
</table>
<td align=center>


<table align=center width=100 height=35% border=0> 

<td align=center>

<form action='<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>'  method="post" name="form1">

</tr>

<tr align=center>

Name<input type="text" name="name"><br><br>

</tr>

<tr align=center>

Email<input type="text" name="email"><br><br>

</tr>

<tr align=center>

File Wanted<SELECT NAME="filewanted">
<OPTION VALUE="program_1.zip">Send All Emails
<OPTION VALUE="program_2.zip">
<OPTION VALUE="program_3.zip">
<OPTION VALUE="program_4.zip">
<OPTION VALUE="program_5.zip">
<OPTION VALUE="program_6.zip">
<OPTION VALUE="program_7.zip">
<OPTION VALUE="program_8.zip">
<OPTION VALUE="program_9.zip">
<OPTION VALUE="program_10.zip">
</SELECT><br><br>

<br><br>
<input type="submit" name="submit" value="Order Product" />

</form>
</table>
</html>

#9 Guest_James-Ryzon_*

Posted 02 July 2006 - 10:39 PM

The code seems interesting. It could probably work for someone's needs, but it's a little over the top for what I am after.

I really just need something to make sure users cannot see what directory the download is coming out of.
For example, sometimes in IE you can get

Downloading from: http://path.to/the/file/...../file.zip

and you have to go two or three directories down to actually hide the file.

I was thinking of just popping a window and redirecting to the download, since I have a lot of other things I need to calculate before the download. I really hope this will be an acceptable method.

(Sorry did not login, and had already written the post)

#10 JamesRyzon

Posted 03 July 2006 - 04:10 AM

Ugh, bumping again.

The problem DOESN'T exist in Firefox, but I don't want to shut out IE users. I used headers to build the download link and push to it. Firefox is fine since the link doesn't show in the URL bar for some reason when they are redirected to a download.

Is there a way I can also do this in Internet Explorer? That would be the fix I've been looking for this entire time that would prevent a lot of silly hacking at files (been trying to use htaccess, but for some reason my host won't allow the deny,allow lines ;/)

Any help is much, MUCH appreciated on this topic!

#11 .josh

Posted 03 July 2006 - 04:56 AM

I have a method for you that will make a link for the user to click, and it calls another script with an id number and the script itself redirects to the file based on the id. It will not show the url in the address bar of the script, however, it will still show the full path to the file in question on the bottom of IE. The only way you can get rid of that is with js but even then, the user can simply disable js and they got it.  The bottom line is that there really is no way to completely hide the source from the user, because the client needs to know where the file is coming from, in order for the xfer to take place.  All you can really do is the methods you've already done:

-put locks on the folders the files are in.
-require a login system.
-requiring paid membership deters a lot of people
-use a script like the one below

another method also depends on how big your files are. If they are small, you can store the actual file in a database so that they will not actually be in a directory.  The user would click the link and the script would retrieve the data from the database and dynamically create the filename with the extension, dump the data in it, and then delete the file afterwards.  But that's only really going to work efficiently if your files are small.

Anyways, here is the code. This code assumes that you have a table in a database that has a list of files and id's associated with them.  The first code is the file that will have the link in it. Let's call it index.php for the hell of it:

index.php
<a href='getfile.php?id=1'>file 1</a>

yep, that's it.  it can be a plain old html file with a plain old link. I named it .php though cuz chances are you will have a whole lot of files and you probably want to dynamically make a list of links. 

okay so the other file is called getfile.php

getfile.php
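<?php
$path_to_file = ""; //put the path to the file here

//open the database connection (fill in your own details)
$db = mysqli_connect('localhost', 'xxxx', 'xxxx', 'xxxx') or die("Could not connect to database");

//if a link was clicked and the id is a plain number
if (isset($_GET['id']) && is_string($_GET['id']) && ctype_digit($_GET['id'])) {
   //cast to int so nothing but a number reaches the query
   $id = (int) $_GET['id'];

   //here is an example query to get the filename by id
   //(replace `table` with your table name; the id is bound, not pasted into the SQL)
   $stmt = mysqli_prepare($db, "select filename from `table` where id = ?");
   mysqli_stmt_bind_param($stmt, 'i', $id);
   mysqli_stmt_execute($stmt);
   mysqli_stmt_bind_result($stmt, $filename);

   //if a row came back and the file actually exists, redirect to the file
   if (mysqli_stmt_fetch($stmt) && is_file($path_to_file . $filename)) {
      header("Location: " . $path_to_file . $filename);
      exit;
   } else { // ..if file not found, give an error message
       header("HTTP/1.1 404 Not Found");
   }
} else { // ..if no id passed, give an error
   header("HTTP/1.1 404 Not Found");
}
?>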


Did I help you? Feeling generous? Buy me lunch! 
Please, take the time and do some research and find out how much it would have cost you to get your help from a decent paid-for source. A "roll-of-the-dice" freelancer will charge you $5-$15/hr. A decent entry level freelancer will charge you around $15-30/hr. A professional will charge you anywhere from $50-$100/hr. An agency will charge anywhere from $100-$250/hr. Think about all this when soliciting for help here. Think about how much money you are making from the work you are asking for help on. No, we do not expect you to pay for the help given here, but donating a few bucks is a fraction of the cost of what you would have paid, shows your appreciation, helps motivate people to keep offering help without the pricetag, and helps make this a higher quality free-help community :)
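
An added example, not code from any poster in this thread: instead of redirecting to the file as getfile.php does, the script can check the session and send the bytes itself, so the browser never receives a URL for the file. It assumes the files sit in a directory outside the web root; the `logged_in` session flag, the `DOWNLOAD_DIR` path and the id-to-filename map (standing in for the database table) are hypothetical names.

```php
<?php
// Added example, not code from the thread. Directory, ids and session key are assumptions.
const DOWNLOAD_DIR = '/home/site/private_downloads'; // assumed location outside the web root
// Assumed id => stored filename map, standing in for the thread's database table.
$catalog = [1 => 'program_1.zip', 2 => 'program_2.zip'];

// Returns [HTTP status, absolute path or null] without sending anything.
function resolve_download(array $session, $raw_id, array $catalog, string $base): array
{
    if (empty($session['logged_in'])) {
        return [403, null];                      // not logged in: reveal nothing
    }
    if (!is_string($raw_id) || !ctype_digit($raw_id) || !isset($catalog[(int) $raw_id])) {
        return [404, null];                      // malformed or unknown id
    }
    $root = realpath($base);
    $path = realpath($base . DIRECTORY_SEPARATOR . basename($catalog[(int) $raw_id]));
    // realpath() resolves ".." and symlinks; the result must still sit inside $root.
    if ($root === false || $path === false || !is_file($path)
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return [404, null];
    }
    return [200, $path];
}

function send_download(int $status, ?string $path): void
{
    if ($status !== 200) {
        http_response_code($status);
        return;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path);                             // PHP sends the bytes; no file URL exists
}

if (PHP_SAPI !== 'cli') {
    session_start();
    [$status, $path] = resolve_download($_SESSION, $_GET['id'] ?? null, $catalog, DOWNLOAD_DIR);
    send_download($status, $path);
} else {
    // Command-line demo on constructed data: one sample file in a temporary directory.
    $tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dl_demo_' . getmypid();
    mkdir($tmp);
    file_put_contents($tmp . DIRECTORY_SEPARATOR . 'program_1.zip', 'constructed sample bytes');
    $user = ['logged_in' => true];
    foreach ([[[], '1'], [$user, '1'], [$user, '2'], [$user, '../x']] as [$sess, $id]) {
        echo $id, ' => ', resolve_download($sess, $id, $catalog, $tmp)[0], "\n";
    }
    unlink($tmp . DIRECTORY_SEPARATOR . 'program_1.zip');
    rmdir($tmp);
}
```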

#12 JamesRyzon

Posted 03 July 2006 - 06:54 AM

Thank you for the post, and that was what I was doing the entire time really. I appreciate the input and the code you posted looks a lot like what I ended up doing.

I agree with you on one thing: there is no perfect way to make every browser happy. I've decided the demographic I am shooting for on my website really would not be concerned with things like getting a download that does not log to the system (so I can rank the top 10 downloads).

It's a very weird world out there, and there is nothing perfect. I was just hoping someone had a magic fix for IE that I had not heard of before.

Thanks for everyone's time and I hope something in this thread helps someone else figure out their problem, or come to the realization that they may just have to settle and hope that something improves over time :D



