

Protect Downloads??





ncwdavid
Hey,
I want to know how to protect downloads. On my site I have phpBB sessions running all around it but that would matter if all you had to do was guess a URL to a certain .zip file and download something that only members should be able to download. How can I let only members download something and they must be logged in?
TomS
The best solution is htaccess.
It protects the whole directory. No file can be opened or downloaded without entering the correct username and password. Once one is logged in he can access everything in this directory until the browser window is closed.
Sorry, I don't have links to English-language tutorials about htaccess protection. But just google ".htaccess"
If you have any problems just come back here and ask.
ncwdavid
But what about on some sites you see http://www.domain.com/download_id=45 and from there it just lets you download the .zip file without entering the url to the .zip file in the address bar?
TomS
I don't know how this works. Something with a form that submits POST data, I think. Some file hosters like Rapidshare use this. But I have no clue how this works. Also I'm sure, if you play around a bit, you can find out how this system works and how to get the files you want.
hexkid
http://www.example.com/download.php?id=42

Code:
<?php
session_start();
if (!isset($_SESSION['userid'])) {
  // invalid user
  header('Location: /login.php');
  exit;
}

if (user_can_download($_SESSION['userid'], $_GET['id'])) {
  // provide file to user
} else {
  exit('You cannot download this file.');
}


Of course, this assumes your users login somewhere and that sets the session variables.
ncwdavid
Where it says provide file to user, that's just header() to the file location?
hexkid
ncwdavid wrote:
Where it says provide file to user, that's just header() to the file location?

No. You want to control the download from PHP itself, otherwise anybody could go to the proper URL and download it.

That would go something like this
Code:
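if (user_can_download($_SESSION['userid'], $_GET['id'])) {
  // provide file to user
  // send proper headers: the download file name belongs in Content-Disposition
  header('Content-Type: application/octet-stream');
  header('Content-Disposition: attachment; filename="fortytwo.zip"');
  // realname() is not a PHP built-in: it stands for your own function that
  // looks up the real path for this id (the id itself is never used as a path)
  readfile(realname($_GET['id']));
  // you might want to increase some counter on the database too
  exit;
}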
ncwdavid
Ok thanks. I'll try it later.
TomS
And you are sure that I can't download the file if I could guess the path and filename?
hexkid
Suppose I have these files
Code:
/home/hexkid/domains/hexkid.frih.net/public_html/download.php
/home/hexkid/domains/hexkid.frih.net/files/fortytwo.zip


Further suppose that download.php does
Code:
readfile('/home/hexkid/domains/hexkid.frih.net/files/fortytwo.zip');


There is absolutely no way for you to reach fortytwo.zip except from the php script.
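
The pieces hexkid describes (session check, permission check, file kept outside public_html, download streamed by PHP) put together as one download.php. This is an added example, not code from the thread: FILES_DIR, the DOWNLOADS catalogue, the user ids and real_path_for() are assumptions, and user_can_download() is only named in the thread, so its body here is constructed.

```php
<?php
declare(strict_types=1);
// Files live outside public_html, so no URL maps to them directly.
const FILES_DIR = '/home/example/files';   // hypothetical path

// Constructed sample catalogue: download id => stored file name and the
// user ids allowed to fetch it. A real site would query its database.
const DOWNLOADS = [
    42 => ['file' => 'fortytwo.zip', 'users' => [7, 9]],
];

function user_can_download(int $userid, int $id): bool
{
    return array_key_exists($id, DOWNLOADS)
        && in_array($userid, DOWNLOADS[$id]['users'], true);
}

// Map an id to a path. The id is only ever a catalogue key, never part of
// the path, and the result must still resolve inside FILES_DIR.
function real_path_for(int $id): ?string
{
    $base = realpath(FILES_DIR);
    $path = realpath(FILES_DIR . '/' . DOWNLOADS[$id]['file']);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

session_start();
if (!isset($_SESSION['userid'])) {          // assumes login stores an integer id
    header('Location: /login.php');
    exit;
}
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if (!is_int($id) || !user_can_download((int) $_SESSION['userid'], $id)) {
    http_response_code(403);
    exit('You cannot download this file.');
}
$path = real_path_for($id);
if ($path === null) {
    http_response_code(404);
    exit('File not found.');
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('X-Content-Type-Options: nosniff');
readfile($path);
```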
TomS
Ok. That sounds good. Thanks hexkid, you also helped me. This is quite more comfortable than .htaccess.
The-Master
If you don't want any old person to download a file just by guessing the URL, could you not just make the file names very long and random? That is what some sites do to try and stop you doing this. Something like:

www.yourfile/ridfjg4klsk6jvkjkd4jlsifjleisd42fvhvojw15.zip

The .htaccess method is also very easy.