[SOLVED] stop a user typing in a direct path to download a file

[jesushax]

hi all,

i was wondering how id go about stopping a user typing in a direct path to download a file, i want it so they have to be logged in then click the link from a logged in page only then will it download

 

anyone help me out?

Cheers

[trq]

Once you have a login only area setup its easy enough to do using the 'force download' script found in the Faq / Snippet Repository board.

[jesushax]

no i dont want to force them to download

 

i want to stop anonymous users from typing in a file path and being able to download a file

if they are a registered users they can click downloads then it will work

 

so if someone typed in the url www.site.com/downloads/videos/thisvideo.mpg it would say not allowed your not a member

 

but if you went to www.site.com logged into members area then clicked downloads > videos > thisvideo.mpg they would e allowed

 

Thanks

[Adam]

Use a script to retrieve the file, but store the original in a directory not accessible from a browser (i.e. outside of the public_html / htdocs dir).

[jesushax]

i dont think i can do that, im not in control of our web host :|

[trq]

no i dont want to force them to download

 

i want to stop anonymous users from typing in a file path and being able to download a file

if they are a registered users they can click downloads then it will work

 

so if someone typed in the url www.site.com/downloads/videos/thisvideo.mpg it would say not allowed your not a member

 

but if you went to www.site.com logged into members area then clicked downloads > videos > thisvideo.mpg they would e allowed

 

Thanks

 

In order to do that the easiest way is to store the files outside of your web root, then use a force download script to allow logged in members to retrieve the files. I don't make suggestions if I don't think there not valid (most of the time anyways).

[trq]

i dont think i can do that, im not in control of our web host :|

 

Why don't you check with your host to see of you have access to a directory outside of your web root? If you don't, I'd be looking for a better host.

[Adam]

Your web host should allow you to stores files outside of the web root. When you login through an FTP client, do you have to drill through to "htdocs" or "public_html" (or something similar)?

[jesushax]

ive emailed my host, hopeully theyll get a folder set up for me

 

regards to the script for logged in users what would this look like?

 

Cheers

[trq]

ive emailed my host, hopeully theyll get a folder set up for me

 

regards to the script for logged in users what would this look like?

 

Cheers

 

That's not something thats going to be covered in a simple forum reply. Should be literally thousands of examples of php login scripts around if you search.

[jesushax]

no no not the login script i wrote my own for that, i fairly proficent with php

 

i mean the script call a file from the folder outside of my root

 

cheers

[trq]

I already pointed you to an example that should get you started.

[jesushax]

the force downloads script?

 

http://www.phpfreaks.com/forums/index.php/topic,95433.0.html

 

i dont want to force a download

 

i need to know how to reference a folder out of the root directory

 

Cheers

[trq]

the force downloads script?

 

http://www.phpfreaks.com/forums/index.php/topic,95433.0.html

 

i dont want to force a download

 

i need to know how to reference a folder out of the root directory

 

Cheers

 

You can't, you need to have a script fetch the file for you.

[jesushax]

what script shall i google for?

 

Thanks

[trq]

Your not getting it at all are you?

[jesushax]

Your not getting it at all are you?

 

getting what?

 

i just want to know where i can get the script to reference a file outside of the root?

 

i dont understand what you mean... :S

[trq]

The force download script does exactly what you want.

[jesushax]

oh right...

 

so i create ahyperlink to the force download page and that will open the file i want it too

 

what do i edit to make it choose the right file, i can see something commented out but i don tknow what that means

 

<?php

// force to download a file
// ex, ( [url=http://localhost/php/download.php?file=C:/Apache]http://localhost/php/download.php?file=C:/Apache[/url] Group/Apache2/hongkong.php )
// hope this can save your time :-)

$file = $_REQUEST['file'];

header("Pragma: public");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0"); 

header("Content-Type: application/force-download");
header( "Content-Disposition: attachment; filename=".basename($file));

header( "Content-Description: File Transfer");
@readfile($file);

?>

[trq]

I'll give you an example.

 

download.php

<?php

session_start();

// check user is logged in.
if (!$_SESSION['islogged'])) {
  die("You do not have permission to download files");
}

$file = $_GET['file'];

// the absolute path to your directory storing your files.
$path = '/home/username/files/';

$download = $path.$file;

header("Pragma: public");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0"); 
header("Content-Type: application/force-download");
header( "Content-Disposition: attachment; filename=".$download);
header( "Content-Description: File Transfer");
@readfile($file);

?>

 

Now, given the address http://yoursite.com/dowload.php?file=foo.jpg your logged in user would get the file located at /home/username/files/foo.jpg. Comparatively, your web root would be within /home/username/htdocs or somewhere similar.

[jesushax]

thanks

 

now i get you