So I need to make a customized CMS-type site (unfortunately, for someone) and I wanted to know if there is a way that I can prevent direct file access to, say, ZIP, JPG, DOC, etc, type files but have a PHP script be able to "get" them (probably by using a MySQL database with the filenames and a unique numerical ID to protect the location of the files). I'm aware of the HotLink protection offered by most sites, but basically I want a way so that in a page, a link could be put in like this (to retrieve a file):

 

<a href="getfile.php?fileid=000000">Click here to get the file</a>

 

And whatever file links up with file ID 000000 would be placed somewhere on the site, in a folder such as: /cms/content/documents/test1.doc

 

Any ideas on how to do this?  Basically, I want to prevent hotlinking and also prevent people from seeing where the content is stored (to prevent direct linking from other sites).

If you're storing the file location in the database then all you need to do is query the database to return the filepath that matches the fileid. Example code:

<?php

$mysqli = new mysqli('localhost', 'user', 'pass', 'database');

if(isset($_GET['fileid']) && ctype_digit($_GET['fileid']))
{
    // get filepath from database
    $stmt = $mysqli->prepare('SELECT filepath FROM files_table WHERE file_id = ?');
    $stmt->bind_param('i', $_GET['fileid']);
    $stmt->execute();

    $stmt->bind_result($filepath);

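    // only serve the file if a row matched and the file is readable
    if($stmt->fetch() && is_file($filepath) && is_readable($filepath))
    {
        // output correct file content/mime type
        $finfo = new finfo(FILEINFO_MIME);
        header('Content-Type: ' . $finfo->file($filepath) );

        // .. maybe send headers to prevent caching too?

        // output contents of the file
        readfile($filepath);
        exit;
    }
    // no matching row or unreadable file: fall through to the 404 below
}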

// send 404 error invalid request
header("HTTP/1.0 404 Not Found");
exit;

However this still won't prevent hotlinking as they can just link directly to getfile.php?fileid=xxxxx
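
The reply above notes that getfile.php?fileid=xxxxx can itself be hotlinked. One way to limit that, shown here as an added example that is not part of the original thread: have the page emit links that carry an expiry time and an HMAC signature, and have getfile.php verify them before the database lookup. LINK_KEY, LINK_TTL, make_link() and check_link() are hypothetical names.

```php
<?php
// Added example (not from the thread): expiring, HMAC-signed download links.
// LINK_KEY, LINK_TTL, make_link() and check_link() are hypothetical names.

const LINK_KEY = 'replace-with-a-long-random-secret'; // assumption: stored outside the web root
const LINK_TTL = 300; // seconds a generated link stays valid

// Build the URL the page prints instead of a bare getfile.php?fileid=N
function make_link(int $fileId, int $now): string
{
    $expires = $now + LINK_TTL;
    $sig = hash_hmac('sha256', $fileId . '|' . $expires, LINK_KEY);
    return 'getfile.php?' . http_build_query(
        ['fileid' => $fileId, 'expires' => $expires, 'sig' => $sig]
    );
}

// Return the file id if the query is authentic and not expired, else null.
function check_link(array $query, int $now): ?int
{
    foreach (['fileid', 'expires', 'sig'] as $key) {
        if (!isset($query[$key]) || !is_string($query[$key])) {
            return null; // missing field, or an array smuggled in via fileid[]=
        }
    }
    if (!ctype_digit($query['fileid']) || !ctype_digit($query['expires'])) {
        return null;
    }
    // Recompute the signature over exactly the strings that were received
    $expected = hash_hmac('sha256', $query['fileid'] . '|' . $query['expires'], LINK_KEY);
    if (!hash_equals($expected, $query['sig'])) { // constant-time comparison
        return null;
    }
    if ((int) $query['expires'] < $now) {
        return null; // signature is valid but the link has expired
    }
    return (int) $query['fileid'];
}

// Constructed demonstration: check a fresh link, the same link after expiry,
// and the same link with the file id edited.
$now = time();
parse_str(parse_url(make_link(42, $now), PHP_URL_QUERY), $q);
var_dump(check_link($q, $now));
var_dump(check_link($q, $now + LINK_TTL + 1));
var_dump(check_link(['fileid' => '43'] + $q, $now));
```

A copied link keeps working until it expires, so LINK_TTL should be short.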

So, let's say your files are in a directory named foo, then in your .htaccess file:

RewriteEngine On
RewriteBase /

RewriteRule ^(foo) - [F,L]

Requests for files in foo will output a 403 error. PHP scripts will still have access.

Thanks. I think between these two responses, I should get what I'm looking for. Yes, the user will have the filename itself if they download the file BUT they won't have the full path to the file unless they hack the database I suppose to get the path to the files. All I need is HTML and PHP files to be able to execute, nothing else. Everything else should be "locked down" from direct access.
