[SOLVED] Creating Temporary Download Links

[jonoc33]

Not sure if you're able to do it in PHP, but how exactly would you create temporary download links which expire after a certain time?

I don't exactly want to fork out $127 to get the script that does this..'

 

I've looked on the net and found this:

 

.htaccess:

<Files *.rar>

Order Deny, Allow

Deny from All

</Files>

 

If I have that, what PHP script would download the file ignoring that .htaccess?

[p2grace]

What I do for this is create a secured link (i.e www.domain.com/?file=sdfsf432efk23j42kllke) that is unique to the downloader and expires after a given period of time.  When clicking on the link, the system checks to see if it has expired, and if it hasn't it does a header redirect based off of that link to the file.  That way the user never sees where it's being downloaded from.

 

Note: In order for this to work you can't use files that browsers can open inherently (i.e. pdf or doc), the browser must prompt the user to open/save the file.  You can still use those files but you need to setup special scripts to handle them so the browser won't try and open it automatically.

[jonoc33]

I understand what you're saying, but what my question is is how to make that secured link and how it expires.

[cooldude832]

temporary file downloads are best handled this way

 

Person A triggers something to activate a download

Server queries MySQL database for that files bianries (In a blob field)

Server then make a document with the headers reflective of that file type and set them to initialize download (See the header page on php.net) the content is then streamed.

 

The file never truly exist more than at the time of download so it is 100% controlled in php so you can limit it based on a session being set or payment or something else.

[Hypnos]

Using header() will not secure the location of the download. People will still be able to see the location of the file and hotlink to it.

 

For what you want, putting the file in a directory that isn't public, and piping the entire file through a PHP script is best.

 

http://us3.php.net/readfile

[cooldude832]

Using header() will not secure the location of the download. People will still be able to see the location of the file and hotlink to it.

 

For what you want, putting the file in a directory that isn't public, and piping the entire file through a PHP script is best.

 

http://us3.php.net/readfile

 

Of course not.  Its how you allow access to that, you use logic like

<?php
if($_SESSION['allow_download'] ==  "yes"){
//Set headers and query for file
}
else{
echo "You aren't allowed to download that file!";
}
?>

 

Headers are used to dictate the download stream as most people won't realize you need to set headers for a download.

[Hypnos]

I was talking about p2grace's mention of using header redirects.

[jonoc33]

Don't worry about it, i've worked it out.

Basically, i've made it so it accesses the file through md5. It then checks through a session if you are authorized to download it. If not, it redirects you away. It hides the link of the file through the md5 sum, so it is quite safe.

 

Thanks for the idea guys.

[cooldude832]

not a very smart way as md5 has been proven crackable, the point is to secure inside the file they access, not the path to it.

[CtrlAltDel]

$127  wow,

i use this script it does all that i need and more, have a look here, its £30 ($60)

http://scripts.syndikut.org/php_quick_download_v3.html

 

P.S. I am not associated with them at all, except for being a customer