
Hey,

 

What's the best method when wanting to sell digital files online? Storing the files outside of the public_html folder and using header() to access the files?

Can files be uploaded to a folder outside the public_html using just a general file upload form?

Thanks

https://forums.phpfreaks.com/topic/268928-secure-file-download/

Is this a one time download or would you like the user to be able to access the download again?

I'm working on something similar, except my downloads are going to be free.

I'm going to allow the user to download it once and then stop them getting access to the download.

Edited by coded4u

Have you set anything up for the payment side of things? If not then I think you're getting ahead of yourself a little lol. Plan out how you're going to process the payment, then you'll know how to deal with giving them access to the file if the transaction has been completed.

That's not where the problem is. I am wanting to know the best way to secure the files so they can't just be accessed by anyone, so possibly by storing the files outside the public folder and accessing them using headers, file path hidden etc.

I have a way of hiding the path of a download, but I'm not sure how you will stop them from copy/pasting it to a friend for them to get access. I'm making the user enter their email address and the confirmation code. (Before downloading they enter a few details and it sends them an email.) Then it will check the database for their details, and in the database I have the path to the .zip saved. Another PHP file headers them to the .zip so they don't move off that page.

But sorry, I can't help you out on this. I should be looking into how to use Buy It Now on PayPal myself. Wish you all the best.

I have never done anything like this before, but I am going to try to explain the logic I would use if I were in your situation.

 

Assuming you already have payment notifications set up so you can code around a successful transaction, I would have all of your files stored in a private directory outside of public_html and out of the web's reach. I would also have another private folder in which you would store copies of these files.

Once a user pays, the file should be copied to the other folder and given an md5 encrypted filename for a bit of obscurity. But like all the good books tell you, obscurity is not security. So you will indeed need a database for this to keep up with the timestamps as well as the number of times it is downloaded, and the user who is downloading it. You can do all this using a PHP download.php script to fetch the file from the other folder without the user ever knowing its whereabouts.

Also, it doesn't hurt to Google a bit ;D

http://stackoverflow.com/questions/10834196/secure-files-for-download

Yea, I have googled it, hence my asking if that is the best option. Was just after some opinions of others as to the best way, whether I could just have a folder in the public directory with maybe an index page to hide the contents and a download.php script from there.

I have been playing with a script, but it keeps saying the file doesn't exist even though I know it does. Wondering if the folder I am trying to use can't be accessed without a password. The folder I am trying to access is in the Root Directory as opposed to the WWW Directory.

Store the files in a folder outside of the web root and require the user to access them via a gateway script (ie, download.php or whatever). You can either pass an ID (my preferred) or a filename to the download script so that it knows which file to serve and then just have it set appropriate headers and send the file contents.

 

Depending on your requirements you can count # of downloads, times of downloads, success/failure status, etc this way. You could make the URL look pretty using some URL rewriting if desired (ie link to /downloads/setup.exe and rewrite it on the server to /download.php?file=setup.exe)

Here is what I am trying to make work, but I get the response 'Requested file does not exist'. When you say outside web root, you mean in the Root Directory?

I know the $hiddenPath exists as I have connected via ftp and uploaded a few files.

 

    // Path to downloadable files (relative path, exactly as posted)
    $hiddenPath = "home/####/files/";
    // Variables (defaults avoid undefined-variable notices when no file is given)
    $file = '';
    $category = '';
    if (!empty($_GET['file'])){
        $file = str_replace('%20', ' ', $_GET['file']);
        $category = (!empty($_GET['category'])) ? $_GET['category'] . '/' : '';
    }
    $file_real = $hiddenPath . $category . $file;
    $ip = $_SERVER['REMOTE_ADDR'];
    // Check to see if the download script was called
    if (basename($_SERVER['PHP_SELF']) == 'getfile.php'){
        if ($_SERVER['QUERY_STRING'] != NULL){
            // Hack attempt check: file name must be a plain name, and the
            // category must not climb out of the download folder either
            if ((substr($file, 0, 1) == '.') || (strpos($file, '..') > 0) || (substr($file, 0, 1) == '/') || (strpos($file, '/') > 0)
                || (strpos($category, '..') !== false))
            {
                // Display hack attempt error
                echo("Hack attempt detected!");
                die();
            }
            // If requested file exists
            if (file_exists($file_real)){
                // Get extension of requested file
                $extension = strtolower(substr(strrchr($file, "."), 1));
                // Determine correct MIME type
                switch($extension){
                    case "png": $type = "image/png"; break;
                    case "avi": $type = "video/x-msvideo"; break;
                    case "jpg": $type = "image/jpeg"; break;
                    case "jpeg": $type = "image/jpeg"; break;
                    case "mp3": $type = "audio/mpeg"; break;
                    case "mpg": $type = "video/mpeg"; break;
                    case "gif": $type = "image/gif"; break;
                    case "rar": $type = "application/x-rar-compressed"; break;
                    case "txt": $type = "text/plain"; break;
                    case "wav": $type = "audio/wav"; break;
                    case "pdf": $type = "application/pdf"; break;
                    case "doc": $type = "application/msword"; break;
                    case "bmp": $type = "image/bmp"; break;
                    case "wma": $type = "audio/x-ms-wma"; break;
                    case "wmv": $type = "video/x-ms-wmv"; break;
                    case "zip": $type = "application/x-zip-compressed"; break;
                    default: $type = "application/force-download"; break;
                }
                // Fix IE bug
                $header_file = (strstr($_SERVER['HTTP_USER_AGENT'], 'MSIE')) ? preg_replace('/\./', '%2e', $file, substr_count($file, '.') - 1) : $file;
                // Prepare headers
                header("Pragma: public");
                header("Expires: 0");
                header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
                header("Cache-Control: public", false);
                header("Content-Description: File Transfer");
                header("Content-Type: " . $type);
                header("Accept-Ranges: bytes");
                header("Content-Disposition: attachment; filename=\"" . $header_file . "\";");
                header("Content-Transfer-Encoding: binary");
                header("Content-Length: " . filesize($file_real));
                // Send file for download
                if ($stream = fopen($file_real, 'rb')){
                    while(!feof($stream) && connection_status() == 0){
                        // Reset time limit for big files
                        set_time_limit(0);
                        // Chunk multiplier was lost in the post; 8 KB assumed
                        print(fread($stream, 1024 * 8));
                        flush();
                    }
                    fclose($stream);
                }
            }else{
                // Requested file does not exist (File not found)
                echo("Requested file does not exist");
                die();
            }
        }
    }

Edited by bob_the _builder

Since this is indeed in the root directory, you need to prefix the path with a /. That slash symbolizes the root directory.

Otherwise it is going to look within the current directory for a directory called home.

Edited by Zane
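
The gateway approach recommended in this thread (files outside the web root, looked up by ID, served by a script using an absolute path) can be sketched as follows. This is an added example, not code posted by anyone in the thread; the function names, the `$catalog` array standing in for a database table, and the temporary demo directory are assumptions.

```php
<?php
// Added example; resolve_download(), send_download() and $catalog are hypothetical names.
// Map a numeric ID to a file inside $baseDir; null means "answer 404".
function resolve_download(string $baseDir, array $catalog, string $id): ?string
{
    if (!ctype_digit($id) || !isset($catalog[(int) $id])) {
        return null;                           // malformed or unknown ID
    }
    $base = realpath($baseDir);                // absolute path, symlinks resolved
    if ($base === false) {
        return null;                           // storage directory not found
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $catalog[(int) $id]);
    $prefix = $base . DIRECTORY_SEPARATOR;
    // realpath() is false for a missing file; the prefix test rejects escapes.
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0 || !is_file($path)) {
        return null;
    }
    return $path;
}

function send_download(string $path): void
{
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

if (PHP_SAPI === 'cli') {
    // Constructed demo data: a temp directory stands in for the private folder.
    $store = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dl_demo_' . getmypid();
    is_dir($store) || mkdir($store);
    file_put_contents($store . '/setup.zip', 'constructed sample bytes');
    file_put_contents($store . '/../dl_outside.txt', 'not for sale');
    $catalog = [1 => 'setup.zip', 2 => '../dl_outside.txt', 3 => 'missing.zip'];
    foreach (['1', '2', '3', '../setup.zip'] as $id) {
        $path = resolve_download($store, $catalog, $id);
        echo str_pad($id, 14), $path === null ? '404' : 'serve ' . basename($path), "\n";
    }
} else {
    // Web request: absolute storage path (leading slash) outside the web root.
    $catalog = [1 => 'setup.zip'];             // would come from the database
    $path = resolve_download('/home/####/files', $catalog, (string) ($_GET['id'] ?? ''));
    if ($path === null) { http_response_code(404); exit('Not found'); }
    // Check here that the logged-in buyer has paid for this ID before sending.
    send_download($path);
}
```

Run from the command line, only ID 1 is served; the catalog entry pointing outside the store, the missing file and the non-numeric ID all get a 404.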