EchoFool Posted April 4, 2010

Is there a PHP function that can initiate a download to the user without showing the download link? Say a link took a user to a page from which filename.exe was going to be downloaded; I'm trying to get it so the PHP can make that happen without showing the location of the filename.exe, and so when they view the page it will just pop up in their browser asking them where to save. Is that possible without revealing the .exe location on the server?

Link to comment https://forums.phpfreaks.com/topic/197544-php-download-without-link/
TeddyKiller Posted April 4, 2010

I'm not sure.. but maybe you can include the file name.
eg: include("file.exe");
the182guy Posted April 4, 2010

A common way of doing this is to use an HTML <iframe src="http://example.com/myfile.exe"></iframe> on the page which links to the file to download. That way when the page is loaded, the download will pop up automatically.
ignace Posted April 4, 2010

> A common way

Not where I live, we use readfile & header + if that is your common way to protect your files then no wonder so much warez is around, they can just copy-paste the real location of the file from the source.
the182guy Posted April 4, 2010

> > A common way
>
> Not where I live, we use readfile & header + if that is your common way to protect your files then no wonder so much warez is around, they can just copy-paste the real location of the file from the source.

Meaning a common way of easily automatically starting a download on a page with normal content. If you want to hide the filename then I'd have thought that it would go without saying that putting it directly in the HTML will mean that anybody can see it?
the182guy Posted April 4, 2010

Another way of doing it, similar to the <iframe> method, is to use a <meta> refresh tag. Same thing applies: put the link in the HTML and you can start the download automatically after a certain time. Examples of this are download.com and filehippo.com

<meta http-equiv="refresh" content="2;url=http://example.com/file.exe" />

Note the content="2 which means 2 seconds.

By the way, using readfile() and header() to hide the real filename is not enough to secure a sensitive download from unauthorised access. If the filename and location were known then nothing is stopping anyone typing it into their browser and obtaining the file. The source file preferably needs to be outside of the public httpdocs, or a htaccess is used to forbid access to the source directory. If readfile() is the extent of your security of downloads then perhaps this is contributive to the mass of Warez that is available on the Internet.
TeddyKiller Posted April 4, 2010

> Is that possible without revealing the .exe location on the server?

ummm

> Another way of doing it similar to the <iframe> method is to use a <meta> refresh tag

the182guy, why are you providing scripts that.. for 1- aren't PHP and this is a PHP related topic. for 2- displaying the source code in which EchoFool stated that he didn't want to reveal the .exe location.

Also.. I'm also pretty adamant that EchoFool wasn't looking for a sophisticated script to completely hide the location. Correct me if I'm wrong, but only a few people may actually get into the PHP file source code and even if they could do that.. I'm sure they'll find a way to access forbidden file areas. So basically.. keep it sweet with the PHP code to rule out most people's failed attempts at getting the file location.
the182guy Posted April 4, 2010

> the182guy, why are you providing scripts that.. for 1- aren't PHP and this is a PHP related topic.

Because it answers part of the OP's question. Part of the question is how to automatically start a HTTP download without the user clicking a link. The HTTP protocol and HTML are big parts of developing web applications using PHP. Are you saying there should be no posts relating to HTML whatsoever here?

> for 2- displaying the source code in which EchoFool stated that he didn't want to reveal the .exe location.

Yes, securing the download, and starting the download without the user clicking a link are two very different things.

> Also.. I'm also pretty adamant that EchoFool wasn't looking for a sophisticated script to completely hide the location. Correct me if I'm wrong, but only a few people may actually get into the PHP file source code and even if they could do that.. I'm sure they'll find a way to access forbidden file areas. So basically.. keep it sweet with the PHP code to rule out most people's failed attempts at getting the file location.

I'm not sure what you have in mind here. Usually the source filename of the download is stored in a database, not hard coded directly into the PHP script as you suggest. My post about download security was in response to ignace who started a discussion about security of the download by saying my comments about automatically starting the download were not secure. As I said, securing the download is a whole different kettle of fish to starting it automatically. Also, I think ignace was talking about protected software, such as paid software. If this is the case then all known methods of security should be considered, to say "lets just basically rule out most attempts" is a very relaxed and somewhat alarming way of looking at it.

> I'm not sure.. but maybe you can include the file name.
> eg: include("file.exe");

The above won't work and you even said that you have no idea if it would work, just a pure guess. I can tell you that including an exe within a PHP script will most certainly not have the desired effect that OP is looking for.
EchoFool Posted April 4, 2010

Correct the iframe and meta tags are useless in my situation as u can see it in page source. I was hoping an HTML page would be "click here to download" but most just directly link to the .exe which gives it away, so I want it to take the user to a PHP page that will start the download from PHP, thus hiding the .exe location. Any idea that can give away its location in page source is completely not helpful for my situation.
TeddyKiller Posted April 4, 2010

> we use readfile & header

Try them methods. As they are PHP and won't display the file location. - Unfortunately I don't know anything about them.
the182guy Posted April 4, 2010

> Correct the iframe and meta tags are useless in my situation as u can see it in page source.

Actually that is not correct, if it were then download.com, filehippo and many others would all have a major security hole in their systems. What you need to do is set up your PHP script to execute when the download is requested, e.g. from the meta tag, then have the script check that the user has authorisation to access the download before allowing it.
EchoFool Posted April 4, 2010

But the meta tag is loaded in page source. The iframe one I've seen first hand in page source, so I know the iframe one is not helpful in this case. I ain't seen a meta tag example but I know meta tags are HTML source, not server side.
the182guy Posted April 4, 2010

> But the meta tag is loaded in page source. The iframe one I've seen first hand in page source, so I know the iframe one is not helpful in this case. I ain't seen a meta tag example but I know meta tags are HTML source, not server side.

Here's an example of how download.com do it with the meta tag:

<META HTTP-EQUIV="Refresh" CONTENT="0; URL=http://software-files-l.cnet.com/s/software/11/34/59/25/avira_antivir_personal_en.exe?e=1270441261&h=122926026a633d935ac7c1b42f676b02&lop=link&ptype=1901&ontid=2239&siteId=4&edId=3&spi=a0d0dd722d23b2d5964e7dafc5ea841f&pid=11345925&psid=10322935&fileName=avira_antivir_personal_en.exe"/>

As you can see there are various IDs or codes that are passed in with the download link. When executed the server side script will check if the current user has authorisation to access that download before allowing it. This stops anybody just using the filename to access the download freely. If the user has authorisation then the script will do something similar to the functions that ignace suggested, for example header() to set the content-type to the file's type, then readfile() - to output the file contents.
TeddyKiller Posted April 4, 2010

> If the user has authorisation then the script will do something similar to the functions that ignace suggested, for example header() to set the content-type to the file's type, then readfile() - to output the file contents.

Then why are you providing HTML scripts to download a file when clearly EchoFool isn't asking for a script to go to a download page?
EchoFool Posted April 4, 2010

http://software-files-l.cnet.com/s/software/11/34/59/25/avira_antivir_personal_en.exe

I found the download location instantly.. how did that help mask exactly? That would be quite a give away :S ?
TeddyKiller Posted April 5, 2010

> http://software-files-l.cnet.com/s/software/11/34/59/25/avira_antivir_personal_en.exe
>
> I found the download location instantly.. how did that help mask exactly?

What he actually meant was, if you go to that link.. you can't download. As there are no ID's. Though even so.. the actual URL that he gave was..

http://software-files-l.cnet.com/s/software/11/34/59/25/avira_antivir_personal_en.exe?e=1270441261&h=122926026a633d935ac7c1b42f676b02&lop=link&ptype=1901&ontid=2239&siteId=4&edId=3&spi=a0d0dd722d23b2d5964e7dafc5ea841f&pid=11345925&psid=10322935&fileName=avira_antivir_personal_en.exe

Though that still allows you to download, and that doesn't display the actual .exe location. In fact, it's the link you noted, but you can't access it. So in a way.. it's ideal if you're not logged in, unless getting the link from another website .. you won't be able to access the download. Although.. if you were able to get the link from another website- then it's not protected.

What I have just thought, doing a similar method to that, using meta tags, or whatever you preferred... having ID's in the URL, BUT on the page checking for the $_GET id's against the $_SESSION id's, which is what that link given doesn't do, causing it more insecure. Though even still, you'll need either the header() or readfile() to actually start the download. Though that makes it secure, not only could they get your URL- They won't be able to access it very easily.

So.. topic still remains, but you have something to fiddle about with though! I think the link you gave, EchoFool, was a fake link to the file. The actual file is on the end of the URL above, (fileName=blah). I could be wrong though. I'm not entirely sure on the topic, but even so.. I'm sure it's possible to make what they did, but more secure so you won't have to worry about people stealing the URL of the .exe as they won't get very far.
ignace Posted April 5, 2010

> Also, I think ignace was talking about protected software, such as paid software.

I indeed did, as the OP mentioned he didn't want the user to know the exact location of the script.

> If this is the case then all known methods of security should be considered, to say "lets just basically rule out most attempts" is a very relaxed and somewhat alarming way of looking at it.

Indeed it is, but some (sometimes even large) companies apply this logic.

> Actually that is not correct, if it were then download.com, filehippo and many others would all have a major security hole in their systems.

A controlled security hole more likely, as they use the special ID's to control whether or not the user is allowed to download.

> I found the download location instantly.. how did that help mask exactly?

No. You didn't, the script refuses you the download.

I owe you an apology the182guy, if you had mentioned the ID's I would have not responded like that.
TeddyKiller Posted April 5, 2010

Ignace, you can still download, with the ID's in there though. So.. how is that making it secure really?
ignace Posted April 5, 2010

> Ignace, you can still download, with the ID's in there though. So.. how is that making it secure really?

1) the ID's expire (they are not PK)
2) the actual filename and its location remain hidden (the actual file does not have avira_antivir_personal_en.exe as a name, rather something like QTRJNQYUijqp+YTUQ9QJytQ; through headers it's accomplished to show up the file as avira_antivir_personal_en.exe)
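
The approach the182guy and ignace describe above (a script that checks the user's authorisation and an expiring ID before calling header() and readfile(), with the file kept outside the public directory under an opaque name), as an added example that is not part of the thread or any poster's code. The storage path, secret, catalogue, session key and the HMAC-signed link format are assumptions chosen for illustration.

```php
<?php
// download.php: added example, not code from the thread.
// Assumed/hypothetical: STORAGE_DIR, SECRET, CATALOGUE, $_SESSION['user_id'].
declare(strict_types=1);

const STORAGE_DIR = '/srv/private-downloads';   // outside the web root, no URL maps here
const SECRET      = 'PLACEHOLDER-random-key';   // server-side only, never sent to the client
const CATALOGUE   = [                           // public id => [opaque name on disk, name shown]
    'setup-win' => ['f3a9c1d27b.bin', 'setup.exe'],   // constructed sample entry
];

// Called by the page that emits the link or <meta> refresh; valid for $ttl seconds.
function makeLink(string $id, int $userId, int $ttl = 300): string
{
    $e = time() + $ttl;
    $h = hash_hmac('sha256', "$id|$userId|$e", SECRET);
    return 'download.php?' . http_build_query(['id' => $id, 'e' => $e, 'h' => $h]);
}

function linkIsValid(string $id, int $userId, int $e, string $h): bool
{
    if ($e < time()) {
        return false;                            // expired: a copied URL stops working
    }
    // Signature covers id, user and expiry, so none of them can be edited in the URL.
    return hash_equals(hash_hmac('sha256', "$id|$userId|$e", SECRET), $h);
}

session_start();
$userId = (int)($_SESSION['user_id'] ?? 0);      // set at login (hypothetical key)
$id = (string)filter_input(INPUT_GET, 'id');
$e  = (int)filter_input(INPUT_GET, 'e', FILTER_VALIDATE_INT);
$h  = (string)filter_input(INPUT_GET, 'h');

if ($userId === 0 || !array_key_exists($id, CATALOGUE) || !linkIsValid($id, $userId, $e, $h)) {
    http_response_code(403);
    exit('Forbidden');
}

[$stored, $shown] = CATALOGUE[$id];              // path parts come from the table, not the request
$path = STORAGE_DIR . '/' . $stored;
if (!is_file($path)) {
    http_response_code(404);
    exit('Not found');
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $shown . '"');  // friendly name via header
header('Content-Length: ' . filesize($path));
readfile($path);
```

The page's link or `<meta>` refresh points at the URL returned by makeLink(); the stored file name never appears in page source, and requesting it directly reaches nothing because it is not under the document root.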