
Php Secure downloads


JamesRyzon


Alright, I'm going to try to explain my problem the best I can.

I have a registration system, and points system and stuff using Session Variables.

I have things for people to download but I want to require that they must download them by clicking links, not able to just navigate to the files on my webspace and download them.

I think it might require some messing with htaccess but I'm also brand new to this concept.

If anyone can help me out I would be very appreciative!

[quote author=BigMike date=Jun 26 2006, 02:09 AM]
Are you wanting the user to be required to enter in a unique username and password in order to download the files on your site?
[/quote]

Yes!

So far I have registration and everything down, and I can show the links only when they are logged in.


What I'm wanting to prevent is smarter users finding a way to find the directory the files are in, and just simply accessing them outside of the website, i.e. www.somesite.com/somedirectory/somefile.zip while not logged in.

[quote author=JamesRyzon date=Jun 27 2006, 04:28 AM]
Yes!

So far I have registration and everything down, and I can show the links only when they are logged in.
What I'm wanting to prevent is smarter users finding a way to find the directory the files are in, and just simply accessing them outside of the website, i.e. www.somesite.com/somedirectory/somefile.zip while not logged in.
[/quote]

The easy solution is to add an index.php in that folder.

Check out this reference.. I think with a little figuring you can htaccess protect the files so they can't be deep linked, while still allowing logged in users to gain access without multiple log in screens popping up each time.

http://forums.devshed.com/php-development-5/htaccess-and-php-16736.html

[quote author=redarrow date=Jun 27 2006, 12:31 AM]
The easy solution is to add a index.php in that folder.
[/quote]

Hey,

Thanks for the suggestion but that would just take away browsing the files in a "Structure". That's not really what I was looking for.


[quote author=phpstuck date=Jun 27 2006, 01:24 AM]
Check out this reference.. I think with a little figuring you can htaccess protect the files so they can't be deep linked, while still allowing logged in users to gain access without multiple log in screens popping up each time.

http://forums.devshed.com/php-development-5/htaccess-and-php-16736.html
[/quote]

I read that, and I have login and stuff built into my php scripts (Memberlist and whatnot).

An example of what I'm looking for (but not entirely) might be Rapidshare. The files can be uploaded, but the only way to download the files (in theory?) is through their interface.

Thanks.

Hoping this is allowed, but I'm bumping the topic for a better explanation (didn't want to create a new thread, in case something in the thread helps someone else help me).

I was diving through php.net looking for solutions to my problem.

I found out that the main thing I wanted to do was make a button in PHP that will start some downloading and let the download link be controlled by me (so users who press "Download" cannot see what directory or where the file is coming from).

I found a few posts on php.net in the headers section (http://www.php.net/header) but none of them were exceptionally helpful in getting me towards a goal of files downloading via a php button, no no one could see.

Thanks


This is what I came up with a time back. A user selects the file they want, then you post a random number to their email address, then they come back and enter the random number, then they get the file.
All the files are in zip format.

tell me what you think mate.


[code]
<?php
// Connect to the database (mysqli replaces the mysql_* functions removed in PHP 7)
$sql_host = 'localhost'; // add host information here (localhost, mysql.host.com, etc.)
$sql_un   = 'xxxx';      // add your user name here
$sql_pass = 'xxxx';      // add your password here
$sql_db   = 'xxxx';      // add your database name here

$db = mysqli_connect($sql_host, $sql_un, $sql_pass, $sql_db)
    or die("Could not connect to database");

// Only these values are accepted from the "filewanted" field
$allowed_files = array();
for ($i = 1; $i <= 10; $i++) {
    $allowed_files[] = "program_$i.zip";
}

function checkEmail($email) {
    return preg_match("/^[^\s()<>@,;:\"\/\[\]?=]+@\w[\w-]*(\.\w[\w-]*)*\.[a-z]{2,}$/i", $email);
}

$notice = ''; // message shown above the form

// Nothing is stored or mailed until the form has been submitted
if (isset($_POST['submit'])) {
    $name       = isset($_POST['name']) ? trim($_POST['name']) : '';
    $email      = isset($_POST['email']) ? trim($_POST['email']) : '';
    $filewanted = isset($_POST['filewanted']) ? $_POST['filewanted'] : '';
    $safe_name  = htmlspecialchars($name, ENT_QUOTES); // escape before echoing back

    if (!checkEmail($email)) {
        $notice = "To $safe_name You Did Not Enter A Valid E-mail Address Try Again!";
    } elseif (!in_array($filewanted, $allowed_files, true)) {
        $notice = "The file you asked for is not available.";
    } else {
        // 16-digit confirmation code from a cryptographically secure source
        $length    = 16;
        $key_chars = '0123456789';
        $rand_max  = strlen($key_chars) - 1;
        $rand_pass = '';
        for ($i = 0; $i < $length; $i++) {
            $rand_pass .= $key_chars[random_int(0, $rand_max)];
        }

        // Prepared statement keeps the form values out of the SQL text;
        // the id column is assumed to be AUTO_INCREMENT
        $stmt = mysqli_prepare($db, "INSERT INTO user (name, email, filewanted, rand_pass) VALUES (?, ?, ?, ?)");
        mysqli_stmt_bind_param($stmt, 'ssss', $name, $email, $filewanted, $rand_pass);
        mysqli_stmt_execute($stmt) or die("Error: " . mysqli_stmt_error($stmt));

        $yoursite  = "xxxx";
        $webmaster = "xxx";
        $from      = "xxxx"; // add the sender address here
        $youremail = $from;

        $subject = "You Requested A Program In Php From $yoursite...";
        $message = "Dear $name, you are now ready to download your program!.
To download and enter your confirmation code, http://freesingles.ath.cx/test100/index.php

ref: $filewanted
Username: $name
confirmation code: $rand_pass
email address: $email

Please print this information out and store it for future reference.


              Advertise Here:
*********************************
*
*     www.Your Site Here .com
*
*
*********************************

Thanks,
$webmaster";

        // $email has passed checkEmail(), so it cannot carry extra header lines
        mail($email, $subject, $message, "From: $yoursite <$youremail>\r\nX-Mailer: PHP/" . phpversion());

        $notice = "Your Confirmation Code Has Been Emailed To You <br>Thank You $safe_name";
    }
}
?>
<html>
<body bgcolor="black">
<br>
<table bgcolor="gray" width="35%" height="55%" align="center" border="4">
<tr>
<td align="center">
<a href="admin.php"><font color="black" size="2"><b>Admin</b></font></a>
<br><br>
<a href="index.php"><font color="black" size="2"><b>Enter Code</b></font></a>
</td>
<td align="center">
<?php if ($notice !== '') { echo '<font color="black">' . $notice . '</font><br><br>'; } ?>
<!-- an empty action posts back to this same page -->
<form action="" method="post" name="form1">
Name <input type="text" name="name"><br><br>
Email <input type="text" name="email"><br><br>
File Wanted
<select name="filewanted">
<option value="program_1.zip">Send All Emails</option>
<option value="program_2.zip"></option>
<option value="program_3.zip"></option>
<option value="program_4.zip"></option>
<option value="program_5.zip"></option>
<option value="program_6.zip"></option>
<option value="program_7.zip"></option>
<option value="program_8.zip"></option>
<option value="program_9.zip"></option>
<option value="program_10.zip"></option>
</select><br><br>
<input type="submit" name="submit" value="Order Product" />
</form>
</td>
</tr>
</table>
</body>
</html>
[/code]

Guest James-Ryzon
The code seems interesting. It could probably work for someone's needs, but it's a little over the top for what I am after.

I really just need something to make sure users cannot see what directory the download is coming out of.
For example, sometimes in IE you can get

Downloading from: http://path.to/the/file/...../file.zip

and you have to go two or three directories down to actually hide the file.

I was thinking of just popping a window and redirecting to the download, since I have a lot of other things I need to calculate before the download. I really hope this will be an acceptable method.

(Sorry did not login, and had already written the post)

Ugh, bumping again.

The problem DOESN'T exist in Firefox, but I don't want to shut out IE users. I used headers to build the download link and push to it; Firefox is fine since the link doesn't show in the URL bar for some reason when they are redirected to a download.

Is there a way I can also do this in Internet Explorer? That would be the fix I've been looking for this entire time that would prevent a lot of silly hacking at files (been trying to use htaccess, but for some reason my host won't allow the deny,allow lines ;/)

Any help is much, MUCH appreciated on this topic!

I have a method for you that will make a link for the user to click, and it calls another script with an id number and the script itself redirects to the file based on the id. It will not show the url in the address bar of the script, however, it will still show the full path to the file in question on the bottom of IE. The only way you can get rid of that is with js but even then, the user can simply disable js and they got it.  The bottom line is that there really is no way to completely hide the source from the user, because the client needs to know where the file is coming from, in order for the xfer to take place.  All you can really do is the methods you've already done:

-put locks on the folders the files are in.
-require a login system.
-requiring paid membership deters a lot of people
-use a script like the one below

another method also depends on how big your files are. If they are small, you can store the actual file in a database so that they will not actually be in a directory.  The user would click the link and the script would retrieve the data from the database and dynamically create the filename with the extension, dump the data in it, and then delete the file afterwards.  But that's only really going to work efficiently if your files are small.

Anyways, here is the code. This code assumes that you have a table in a database that has a list of files and id's associated with them.  The first code is the file that will have the link in it. Let's call it index.php for the hell of it:

index.php
[code]
<a href='getfile.php?id=1'>file 1</a>
[/code]

yep, that's it.  it can be a plain old html file with a plain old link. I named it .php though cuz chances are you will have a whole lot of files and you probably want to dynamically make a list of links. 

okay so the other file is called getfile.php

getfile.php
[code]
<?php
$path_to_file = ""; //put the path to the file here

//connection handle for the query below; fill in your own details
$db = mysqli_connect('localhost', 'xxxx', 'xxxx', 'xxxx');

//if a link was clicked
if (isset($_GET['id'])) {
  //sanitize: ids are numeric, so force an integer
  $id = (int) $_GET['id'];

  //here is an example query to get the filename by id
  //(`table` is a placeholder; put your table name here)
  $stmt = mysqli_prepare($db, "select filename from `table` where id = ?");
  mysqli_stmt_bind_param($stmt, 'i', $id);
  mysqli_stmt_execute($stmt);
  mysqli_stmt_bind_result($stmt, $filename);
  $found = mysqli_stmt_fetch($stmt);

  //if the file actually exists, redirect to the file
  if ($found && is_file($path_to_file . $filename)) {
      header("Location: " . $path_to_file . $filename);
  } else { // ..if file not found, give an error message
      header("HTTP/1.1 404 Not Found");
  }
} else { // ..if no id passed, give an error
  header("HTTP/1.1 404 Not Found");
}
?>
[/code]

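An alternative to redirecting, as an added example that is not part of the original posts: the script checks the session and then streams the file itself from a directory outside the web root, so the response never contains the file's location and there is no direct URL to deep link. The session key `user_id`, the directory `/var/private/downloads` and the `$files` map (standing in for a database lookup) are assumptions.

```php
<?php
// download.php (added example): streams a file to logged-in users only.
// Assumptions: the login code sets $_SESSION['user_id']; the files live in a
// directory outside the web root; $files stands in for a database lookup.
session_start();

$download_dir = '/var/private/downloads';  // hypothetical, NOT under the document root
$files = array(1 => 'program_1.zip', 2 => 'program_2.zip'); // constructed sample map

function deny($status) {
    header("HTTP/1.1 $status");
    exit;
}

if (empty($_SESSION['user_id'])) {
    deny('403 Forbidden');                 // not logged in: no file
}

$id = isset($_GET['id']) ? (int) $_GET['id'] : 0;
if (!isset($files[$id])) {
    deny('404 Not Found');                 // unknown id
}

// Resolve the path and confirm it is still inside $download_dir
$base = realpath($download_dir);
$path = realpath($download_dir . '/' . $files[$id]);
if ($base === false || $path === false
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
    deny('404 Not Found');
}

// A points check or a download counter would go here, before any output.

header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');

// Send in chunks so large files do not have to fit in memory
$fh = fopen($path, 'rb');
while (!feof($fh)) {
    echo fread($fh, 8192);
    flush();
}
fclose($fh);
exit;
```

Linked as `download.php?id=1`, the only address the browser ever sees is the script's own, and a request made without a logged-in session gets a 403 instead of the file.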


Thank you for the post, and that was what I was doing the entire time really. I appreciate the input and the code you posted looks a lot like what I ended up doing.

I agree with you on one thing: there is no perfect way to make every browser happy. I've decided the demographic I am shooting for on my website really would not be concerned with things like getting a download that does not log to the system (so I can rank the top 10 downloads).

It's a very weird world out there, and there is nothing perfect. I was just hoping someone had a magic fix for IE that I had not heard of before.

Thanks for everyone's time and I hope something in this thread helps someone else figure out their problem, or come to the realization that they may just have to settle and hope that something improves over time :D