bob_the _builder Posted September 30, 2012
Hey, What's the best method when wanting to sell digital files online.. Storing the files outside of public_html folder and using header() to access the files? Can files be uploaded to a folder outside the public_html using just a general file upload form? Thanks
coded4u Posted September 30, 2012 (edited)
Is this a one time download or would you like the user to be able to access the download again? I'm working on something the same apart from my downloads are going to be free. I'm going to allow the user to download it once and then stop them getting access to the download.
bob_the _builder Posted September 30, 2012
They will need to buy the file before download, then I guess they would need the ability to re-download if they lost the file for whatever reason, that will be governed by member accounts..
coded4u Posted September 30, 2012
Have you set anything up for the payment side of things? If not then I think you're getting ahead of yourself a little lol. Plan out how you're going to process the payment, then you'll know how to deal with giving them access to the file if the transaction has been completed.
bob_the _builder Posted September 30, 2012
Payment side is sorted using PayPal..
coded4u Posted September 30, 2012
Right, well I'm not sure with buy it now payment on PayPal as I haven't tried. Can't help you out on this one, sorry. Are you wanting them to have access to the download right after the payment has been made or are you going to do it manually?
bob_the _builder Posted September 30, 2012
That's not where the problem is.. I am wanting to know the best way to secure the files so they can't just be accessed by anyone.. so possibly by storing the files outside the public folder and accessing them using headers, file path hidden etc
coded4u Posted September 30, 2012
I have a way of hiding the path of a download, but not sure how you will stop them from copy/paste to a friend for them to get access. I'm making the user enter their email address & the confirmation code. (Before downloading they enter a few details and it sends them an email.) Then it will check the database for their details, and on the database I have the path saved to the .zip. Another php file headers them to the .zip so they don't move off that page. But sorry I can't help you out on this. I should be looking into how to use buy it now on PayPal myself. Wish you all the best.
Zane Posted September 30, 2012
I have never done anything like this before, but I am going to try to explain the logic I would use if I were in your situation.
Assuming you already have payment notifications set up so you can code around a successful transaction, I would have all of your files stored in a private directory outside of public_html and out of the web's reach. I would also have another private folder to which you would store copies of these files. Once a user pays, the file should be copied to the other folder and given an md5 encrypted filename for a bit of obscurity. But like all the good books tell you, obscurity is not security. So you will indeed need a database for this to keep up with the timestamps as well as the number of times it is downloaded .. and the user who is downloading it. You can do all this using a php download.php script to fetch the file from the other folder without the user ever knowing its whereabouts.
Also, it doesn't hurt to Google a bit: http://stackoverflow.com/questions/10834196/secure-files-for-download
bob_the _builder Posted September 30, 2012
Yea I have googled it, hence my asking if that is the best option.. Was just after some opinions of others as to the best way.. whether I could just have a folder in the public directory with maybe an index page to hide the contents and download.php script from there..
I have been playing with a script, but it keeps saying file doesn't exist even though I know it does.. Wondering if the folder I am trying to use can't be accessed without a password.. The folder I am trying to access is in the Root Directory as opposed to WWW Directory
kicken Posted September 30, 2012
Store the files in a folder outside of the web root and require the user to access them via a gateway script (i.e., download.php or whatever). You can either pass an ID (my preferred) or a filename to the download script so that it knows which file to serve and then just have it set appropriate headers and send the file contents. Depending on your requirements you can count # of downloads, times of downloads, success/failure status, etc. this way.
You could make the URL look pretty using some URL rewriting if desired (i.e. link to /downloads/setup.exe and rewrite it on the server to /download.php?file=setup.exe)
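A sketch of the ID-based gateway described above, as an added example that is not part of any post in this thread. The storage path, the SQLite DSN, the `files` and `purchases` tables and the `user_id` session key are all hypothetical, and a Linux host is assumed.

```php
<?php
declare(strict_types=1);
// Assumed layout (hypothetical): storage outside the web root, plus tables
// files(id, stored_name, download_name) and purchases(user_id, file_id).
const STORAGE_DIR = '/home/example/files';

// Resolve a stored name to a real path that is still inside $baseDir.
function resolve_download(string $baseDir, string $storedName): ?string
{
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $storedName);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // Containment check after symlinks and ".." have been resolved.
    return strncmp($path, $base . '/', strlen($base) + 1) === 0 ? $path : null;
}

function serve_download(PDO $db, int $userId, int $fileId): void
{
    // The client sends only an ID; the path comes from a purchase-checked query.
    $stmt = $db->prepare(
        'SELECT f.stored_name, f.download_name FROM files f
           JOIN purchases p ON p.file_id = f.id
          WHERE f.id = ? AND p.user_id = ?'
    );
    $stmt->execute([$fileId, $userId]);
    $row  = $stmt->fetch(PDO::FETCH_ASSOC);
    $path = $row ? resolve_download(STORAGE_DIR, $row['stored_name']) : null;
    if ($path === null) {
        http_response_code(404); // same reply for "not purchased" and "missing"
        return;
    }
    $name = str_replace(['"', '\\'], '', basename($row['download_name']));
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

session_start();
$fileId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if (empty($_SESSION['user_id']) || !is_int($fileId)) {
    http_response_code(403);
    exit;
}
$db = new PDO('sqlite:/home/example/shop.sqlite'); // hypothetical DSN
serve_download($db, (int) $_SESSION['user_id'], $fileId);
```

Because the request carries only an integer ID, no user-supplied string is ever joined into a filesystem path, and a copied link fails for any account that has no purchase row.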
Zane Posted September 30, 2012
http://www.devshed.com/c/a/PHP/Simple-and-Secure-PHP-Download-Script-with-Limits-Tutorial/ There is another helpful link.
bob_the _builder Posted September 30, 2012 (edited)
Here is what I am trying to make work.. But get response 'Requested file does not exist'
When you say outside web root you mean in Root Directory? I know the $hiddenPath exists as I have connected via ftp and uploaded a few files..

```php
<?php
// Path to downloadable files
$hiddenPath = "home/####/files/";

// Variables (defaults keep $file and $category defined when no file is requested)
$file = '';
$category = '';
if (!empty($_GET['file'])) {
    $file = str_replace('%20', ' ', $_GET['file']);
    $category = (!empty($_GET['category'])) ? $_GET['category'] . '/' : '';
}
$file_real = $hiddenPath . $category . $file;
$ip = $_SERVER['REMOTE_ADDR'];

// Check to see if the download script was called
if (basename($_SERVER['PHP_SELF']) == 'getfile.php') {
    if ($_SERVER['QUERY_STRING'] != NULL) {
        // Hack attempt check: no leading dot, ".." or "/" in the file name,
        // and no ".." or leading "/" in the category, which is also user input
        if ((substr($file, 0, 1) == '.') || (strpos($file, '..') !== false)
            || (strpos($file, '/') !== false)
            || (strpos($category, '..') !== false) || (substr($category, 0, 1) == '/')) {
            // Display hack attempt error
            echo("Hack attempt detected!");
            die();
        }
        // If requested file exists (is_file() also rejects directories)
        if (is_file($file_real)) {
            // Get extension of requested file
            $extension = strtolower(substr(strrchr($file, "."), 1));
            // Determine correct MIME type
            switch ($extension) {
                case "png":  $type = "image/png"; break;
                case "avi":  $type = "video/x-msvideo"; break;
                case "jpg":  $type = "image/jpeg"; break;
                case "jpeg": $type = "image/jpeg"; break;
                case "mp3":  $type = "audio/mpeg"; break;
                case "mpg":  $type = "video/mpeg"; break;
                case "gif":  $type = "image/gif"; break;
                case "rar":  $type = "encoding/x-compress"; break;
                case "txt":  $type = "text/plain"; break;
                case "wav":  $type = "audio/wav"; break;
                case "pdf":  $type = "application/pdf"; break;
                case "doc":  $type = "application/msword"; break;
                case "bmp":  $type = "image/bmp"; break;
                case "wma":  $type = "audio/x-ms-wma"; break;
                case "wmv":  $type = "video/x-ms-wmv"; break;
                case "zip":  $type = "application/x-zip-compressed"; break;
                default:     $type = "application/force-download"; break;
            }
            // Fix IE bug
            $header_file = (strstr($_SERVER['HTTP_USER_AGENT'] ?? '', 'MSIE'))
                ? preg_replace('/\./', '%2e', $file, substr_count($file, '.') - 1)
                : $file;
            // Prepare headers
            header("Pragma: public");
            header("Expires: 0");
            header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
            header("Cache-Control: public", false);
            header("Content-Description: File Transfer");
            header("Content-Type: " . $type);
            header("Accept-Ranges: bytes");
            header("Content-Disposition: attachment; filename=\"" . $header_file . "\";");
            header("Content-Transfer-Encoding: binary");
            header("Content-Length: " . filesize($file_real));
            // Send file for download
            if ($stream = fopen($file_real, 'rb')) {
                while (!feof($stream) && connection_status() == 0) {
                    // reset time limit for big files
                    set_time_limit(0);
                    print(fread($stream, 1024 * 8));
                    flush();
                }
                fclose($stream);
            }
        } else {
            // Requested file does not exist (File not found)
            echo("Requested file does not exist");
            die();
        }
    }
}
```
Zane Posted September 30, 2012 (edited)
Since this is indeed in the root directory, you need to prefix the path with a /. That slash symbolizes the root directory. Otherwise it is going to look within the current directory for a directory called home
bob_the _builder Posted September 30, 2012
Ahh yes I tried / and ./ but not ../ which works..
bob_the _builder Posted September 30, 2012
Uploading the files to the directory.. I have them going to a folder in the public directory.. should I shift them after upload or can they be uploaded directly to that location?
Zane Posted September 30, 2012
Using FTP you should have no problem uploading to root assuming you have the write permissions. How are you uploading them now?
bob_the _builder Posted September 30, 2012 (edited)
Via script is the plan.. Already have my cart code sorted, but files are being uploaded to a public folder via the admin area..
bob_the _builder Posted September 30, 2012
It appears to work just using prefix path ../home/###/files/