Jump to content

Secure File Download

bob_the _builder

By bob_the _builder
in PHP Coding Help

 Share

Recommended Posts

coded4u Newbie

coded4u

Posted
Posted (edited)

Is this a one time download or would you like the user to be able to access the download again?

I'm working on something the same apart from my downloads are going to be free.

I'm going to allow the user to download it once and then stop them getting access to the download.

Edited by coded4u
Link to comment
Share on other sites
coded4u Newbie

coded4u

Posted
Posted

Have you set anything up for the payment side of things? If not then i think you're getting ahead of yourself a little lol. Plan out how you're going to process the payment, then you'll know how to deal with giving them access to the file if the transaction has been completed.

Link to comment
Share on other sites
coded4u Newbie

coded4u

Posted
Posted

I have a way of hiding the path of a download, but not sure how you will stop them from copy/paste to a friend for them to get access. I'm making the user enter their Email address & the confirmation code. (Before downloading they enter a few details and it sends them a email) Then it will check the database for their details and on the database i have the path saved to the .zip. Another php file headers them to the .zip so they don't move off that page.

But sorry i can't help you out on this. I should looking to how to use buy it now on paypal myself. Wish you all the best.

Link to comment
Share on other sites
Zane Prolific Member

Zane

Posted
Posted

I have never done anything like this before, but I am going to try to explain the logic I would use if I were in your situation.

 

Assuming you already have payment notifications set up so you can code around a successful transaction, I would have all of your files stored in a private directory outside of public_html and out of the webs reach. I would also have another private folder to which you would store copies of these files.

 

Once a user pays, the file should be copied to the other folder and given an md5 encrypted filename for a bit of obscurity. But like all the good books tell you, Obscurity is not security. So you will indeed need a database for this to keep up with the timestamps as well as the number of times it is downloaded .. and the user who is downloading it. You can do all this using a php download.php script to fetch the file from the other folder without the user ever knowing its whereabouts.

 

Also, it doesnt hurt to Google a bit ;D

http://stackoverflow.com/questions/10834196/secure-files-for-download

Link to comment
Share on other sites
bob_the _builder Member

bob_the _builder

Posted
  • Author
Posted

Yea I have googled it, hence my asking if that is the best option.. Was just after some opinions of other as to the best way.. whether I could just have a folder in the public directory with maybe an index page to hide the contents and download.php script from there..

 

I have been playing with a script, but it keeps sayng file doesnt exist even tho I know it does.. Wondering if the folder I am trying to use cant be accessed without a password.. The folder I am trying to access is in the Root Directory apposed to WWW Directory

Link to comment
Share on other sites
kicken Prolific Member

kicken

Posted
Posted

Store the files in a folder outside of the web root and require the user to access them via a gateway script (ie, download.php or whatever). You can either pass an ID (my preferred) or a filename to the download script so that it knows which file to server and then just have it set appropriate headers and send the file contents.

 

Depending on your requirements you can count # of downloads, times of downloads, success/failure status, etc this way. You could make the URL look pretty using some URL rewriting if desired (ie link to /downloads/setup.exe and rewrite it on the server to /download.php?file=setup.exe)

Link to comment
Share on other sites
bob_the _builder Member

bob_the _builder

Posted
  • Author
Posted (edited)

Here is what I am trying to make work.. But get responce 'Requested file does not exist' When you say ouside web root you mean in Root Directory?

 

I know the $hiddenPath exist as I have connected via ftp and uploaded a few files..

 

// Path to downloadable files
$hiddenPath = "home/####/files/";
// Variables
if (!empty($_GET['file'])){
$file = str_replace('%20', ' ', $_GET['file']);
$category = (!empty($_GET['category'])) ? $_GET['category'] . '/' : '';
}
$file_real = $hiddenPath . $category . $file;
$ip = $_SERVER['REMOTE_ADDR'];
// Check to see if the download script was called
if (basename($_SERVER['PHP_SELF']) == 'getfile.php'){
if ($_SERVER['QUERY_STRING'] != NULL){
// Hack attempt check
if ((substr($file, 0, 1) == '.') || (strpos($file, '..') > 0) || (substr($file, 0, 1) == '/') || (strpos($file, '/') > 0))
{
// Display hack attempt error
echo("Hack attempt detected!");
die();
}
// If requested file exists
if (file_exists($file_real)){
// Get extension of requested file
$extension = strtolower(substr(strrchr($file, "."), 1));
// Determine correct MIME type
switch($extension){
case "png": $type = "video/x-ms-asf"; break;
case "avi": $type = "video/x-msvideo"; break;
case "jpg": $type = "application/octet-stream"; break;
case "jpeg": $type = "video/quicktime"; break;
case "mp3": $type = "audio/mpeg"; break;
case "mpg": $type = "video/mpeg"; break;
case "gif": $type = "video/mpeg"; break;
case "rar": $type = "encoding/x-compress"; break;
case "txt": $type = "text/plain"; break;
case "wav": $type = "audio/wav"; break;
case "pdf": $type = "text/plain"; break;
case "doc": $type = "audio/wav"; break;
case "jpeg": $type = "text/plain"; break;
case "bmp": $type = "audio/wav"; break;
case "wma": $type = "audio/x-ms-wma"; break;
case "wmv": $type = "video/x-ms-wmv"; break;
case "zip": $type = "application/x-zip-compressed"; break;
default: $type = "application/force-download"; break;
}
// Fix IE bug
$header_file = (strstr($_SERVER['HTTP_USER_AGENT'], 'MSIE')) ? preg_replace('/\./', '%2e', $file, substr_count($file, '.') - 1) : $file;
// Prepare headers
header("Pragma: public");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Cache-Control: public", false);
header("Content-Description: File Transfer");
header("Content-Type: " . $type);
header("Accept-Ranges: bytes");
header("Content-Disposition: attachment; filename=\"" . $header_file . "\";");
header("Content-Transfer-Encoding: binary");
header("Content-Length: " . filesize($file_real));
// Send file for download
if ($stream = fopen($file_real, 'rb')){
while(!feof($stream) && connection_status() == 0){
//reset time limit for big files
set_time_limit(0);
print(fread($stream,1024*);
flush();
}
fclose($stream);
}
}else{
// Requested file does not exist (File not found)
echo("Requested file does not exist");
die();
}
}
}

Edited by bob_the _builder
Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.