snakehill Posted January 8, 2013 Share Posted January 8, 2013 (edited) I am currently coding a private download system which enables one to download password-protected files from external sites (e.g. MediaFire). The way it's done is that there is a form, the user clicks Submit and the password is posted right on the host's site itself, so that the download is trigged right away. Though the idea seems all fine and it is very easy to do right from the HTML, the problem is that in the HTML you cannot hide hidden fields from a form in the page's source code. Therefore, I would like to have the form post to a PHP first, and this PHP which includes the password then posts it onto let's say MediaFire and fires the download. This way, the password is unseen and kept secret. The download should fire from MediaFire itself, else it uses my site's bandwidth on top of it. The idea summed up: Page with submit button (no hidden field with password) -> post -> PHP file with password -> post -> External site. The POST option (from PHP to the site) is a must for that most of these external sites seem to require it. MediaFire actually uses a post of a form field named downloadp. Is this possible with just PHP? And if so, how? I already got a javascript way of doing it (which can also be launched via PHP but it still required Javascript). Basically, it uses a SESSION from the page with the form, and if this is available, the PHP file will launch another form with the password automatically through Javascript, which triggers the external download. But if Javascript it turned off, this wouldn't work plus that anyone who would like to get to the password, could get there easily that way. Thanks a lot for the help in advance! Much appreciated! Edited January 8, 2013 by snakehill Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted January 9, 2013 Share Posted January 9, 2013 What you are asking is not possible, unless you pass the file through your server. The client/browser making the http request for the download file must also supply the authentication as part of that http request. Anything thing you do through the client/browser can be seen or captured by the person using that client/browser. The only 'secure' way of doing this, that doesn't expose the actual username/password to a visitor, is if the download site has an API that provides a unique/limited-use access token that you could then output to the client/browser to submit to the download site to provide the authentication. Quote Link to comment Share on other sites More sharing options...
snakehill Posted January 9, 2013 Author Share Posted January 9, 2013 Thanks for the reply! I was doubting there indeed would be a pure PHP way for it. Pity. I suppose I will just hide the password a little bit better through Javascript/PHP then. Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted January 13, 2013 Share Posted January 13, 2013 It's not really possible to hide information that you pass through the client, because all anyone needs to do to get it is to spend a little more time than the amount of time you spent in hiding it. Passing the actual password through the client, will mean that if your 'protected' content is of great enough value, that your password will soon get shared all over the Internet. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.