Hey,
I want to know how to protect downloads. On my site I have phpBB sessions running all around it, but that wouldn't matter if all you had to do was guess the URL of a certain .zip file and download something that only members should be able to download. How can I let only members download something, and require that they be logged in?
The best solution is htaccess.
It protects the whole directory. No file can be opened or downloaded without entering the correct username and password. Once one is logged in he can access everything in this directory until the browser window is closed.
Sorry, I don't have links to English-language tutorials about .htaccess protection. But just Google ".htaccess".
If you have any problems just come back here and ask.
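The directory protection TomS describes, spelled out as an added example (not part of TomS's post). It assumes Apache with `AllowOverride AuthConfig` enabled for the directory, and the password-file path `/home/hexkid/.htpasswd` is an assumption chosen so the file sits outside the web root; the directory name `files` is only illustrative.

```apache
# .htaccess inside the directory that holds the zip files (e.g. public_html/files/).
# Requires "AllowOverride AuthConfig" (or All) for this path in httpd.conf.
AuthType Basic
AuthName "Members only"

# Keep the password file OUTSIDE the document root; if it lived next to the
# zips, a bad rule could let it be downloaded like any other file.
# Create it once with:   htpasswd -c /home/hexkid/.htpasswd alice
# Add more users with:   htpasswd    /home/hexkid/.htpasswd bob
AuthUserFile /home/hexkid/.htpasswd

# Any user listed in the file may read anything in this directory.
Require valid-user

# Belt and braces: never serve a stray .htpasswd or .htaccess copied in here.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
```

Basic auth sends the password with every request, so this only protects anything if the site is served over HTTPS. Note also that these accounts are separate from the phpBB accounts: the browser's Basic-auth prompt knows nothing about the forum session, which is why the thread moves on to a PHP download script below.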
| TomS wrote: |
The best solution is htaccess.
It protects the whole directory. No file can be opened or downloaded without entering the correct username and password. Once one is logged in he can access everything in this directory until the browser window is closed.
Sorry, I don't have links to English-language tutorials about .htaccess protection. But just Google ".htaccess".
If you have any problems just come back here and ask. |
But what about on some sites you see http://www.domain.com/download_id=45 and from there it just lets you download the .zip file without entering the url to the .zip file in the address bar?
I don't know how this works. Something with a form that submits POST data, I think. Some file hosters like Rapidshare use this. But I have no clue how this works. Also, I'm sure that if you play around a bit you can find out how this system works and how to get the files you want.
http://www.example.com/download.php?id=42
| Code: |
<?php
// download.php?id=42
session_start();
if (!isset($_SESSION['userid'])) {
    // not logged in: send to the login page
    header('Location: /login.php');
    exit;
}
// cast the id so only an integer reaches the lookup
$id = (int) $_GET['id'];
// user_can_download() is your own check against the database
if (user_can_download($_SESSION['userid'], $id)) {
    // provide file to user
} else {
    exit('You cannot download this file.');
} |
Of course, this assumes your users login somewhere and that sets the session variables.
| hexkid wrote: |
http://www.example.com/download.php?id=42
| Code: |
<?php
// download.php?id=42
session_start();
if (!isset($_SESSION['userid'])) {
    // not logged in: send to the login page
    header('Location: /login.php');
    exit;
}
// cast the id so only an integer reaches the lookup
$id = (int) $_GET['id'];
// user_can_download() is your own check against the database
if (user_can_download($_SESSION['userid'], $id)) {
    // provide file to user
} else {
    exit('You cannot download this file.');
} |
Of course, this assumes your users login somewhere and that sets the session variables. |
Where it says "provide file to user", is that just a header() redirect to the file location?
| ncwdavid wrote: |
| Where it says "provide file to user", is that just a header() redirect to the file location? |
No. You want to control the download from PHP itself, otherwise anybody could go to the proper URL and download it.
That would go something like this | Code: |
$id = (int) $_GET['id'];
if (user_can_download($_SESSION['userid'], $id)) {
    // provide file to user
    // send proper headers: the type is octet-stream, and the save-as
    // name belongs in Content-Disposition, not in Content-Type
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="fortytwo.zip"');
    // realname() stands for your own lookup of the on-disk path for this id
    readfile(realname($id));
    // you might want to increase some counter on the database too
    exit;
} |
| hexkid wrote: |
| ncwdavid wrote: | | Where it says "provide file to user", is that just a header() redirect to the file location? |
No. You want to control the download from PHP itself, otherwise anybody could go to the proper URL and download it.
That would go something like this | Code: |
$id = (int) $_GET['id'];
if (user_can_download($_SESSION['userid'], $id)) {
    // provide file to user
    // send proper headers: the type is octet-stream, and the save-as
    // name belongs in Content-Disposition, not in Content-Type
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="fortytwo.zip"');
    // realname() stands for your own lookup of the on-disk path for this id
    readfile(realname($id));
    // you might want to increase some counter on the database too
    exit;
} |
|
Ok, thanks. I'll try it later.
And you are sure that I can't download the file if I guess the path and filename?
Suppose I have these files | Code: |
/home/hexkid/domains/hexkid.frih.net/public_html/download.php
/home/hexkid/domains/hexkid.frih.net/files/fortytwo.zip |
Further suppose that download.php does | Code: |
| readfile('/home/hexkid/domains/hexkid.frih.net/files/fortytwo.zip'); |
There is absolutely no way for you to reach fortytwo.zip except from the php script.
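The scheme hexkid lays out across the last three posts (session check, id lookup, zip kept outside public_html, readfile with download headers) pulled together into one script. This is an added example written for this page, not hexkid's code. The storage directory is the one from hexkid's post; the download table with its `members_only` flag is a constructed stand-in for a database; and `lookup_download()`, `user_can_download()` and `resolve_path()` are names chosen here. It assumes the site's own login code already sets `$_SESSION['userid']`.

```php
<?php
// download.php?id=42 : serve a file that lives outside the web root to members only.
declare(strict_types=1);

// Directory from hexkid's post; it is NOT under public_html, so Apache cannot serve it.
const FILES_DIR = '/home/hexkid/domains/hexkid.frih.net/files';

// Stand-in for a database table of downloads (constructed sample data).
// 'path' is relative to FILES_DIR and never comes from the request.
function lookup_download(int $id): ?array
{
    static $table = [
        42 => ['path' => 'fortytwo.zip', 'name' => 'fortytwo.zip', 'members_only' => true],
        43 => ['path' => 'readme.txt',   'name' => 'readme.txt',   'members_only' => false],
    ];
    return $table[$id] ?? null;
}

// Hypothetical policy hook; extend it if some files are per-user or per-group.
function user_can_download(?int $userid, array $row): bool
{
    return !$row['members_only'] || $userid !== null;
}

// Resolve the stored path and refuse anything that escapes FILES_DIR.
// Defence in depth: the path is ours, but a bad row such as
// '../../public_html/config.php' must still never be served.
function resolve_path(string $relative): ?string
{
    $base = realpath(FILES_DIR);
    $full = realpath(FILES_DIR . '/' . $relative);
    if ($base === false || $full === false) {
        return null;
    }
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($full) ? $full : null;
}

session_start();
$userid = isset($_SESSION['userid']) ? (int) $_SESSION['userid'] : null;

// Validate the id: an integer >= 1 or nothing, so "42 OR 1=1" never reaches a query.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Bad request.');
}

$row = lookup_download($id);
if ($row === null) {
    http_response_code(404);
    exit('No such file.');
}

if (!user_can_download($userid, $row)) {
    if ($userid === null) {
        header('Location: /login.php');   // not logged in: send to login
        exit;
    }
    http_response_code(403);
    exit('You cannot download this file.');
}

$path = resolve_path($row['path']);
if ($path === null) {
    http_response_code(404);
    exit('No such file.');
}

// The save-as name goes in Content-Disposition, not Content-Type. Strip quotes
// and CR/LF so a stored name cannot inject extra header lines.
$safeName = str_replace(['"', "\r", "\n", '\\'], '', $row['name']);
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $safeName . '"');
header('Content-Length: ' . (string) filesize($path));
header('Cache-Control: private, no-store');

// Discard any buffered output (stray whitespace, BOM) so the zip is not corrupted.
while (ob_get_level() > 0) {
    ob_end_clean();
}
readfile($path);   // streams the file in chunks; it is not loaded into memory whole
exit;
```

Compared with the short snippet earlier in the thread, this version validates the id as an integer before it touches the database, keeps the on-disk path entirely server-side and checks it with realpath(), and sends the filename in Content-Disposition. For very large files, readfile() still ties up a PHP worker for the whole transfer; Apache's mod_xsendfile (an `X-Sendfile` header naming the path, after the same permission check) hands the actual streaming back to the web server.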
Ok. That sounds good. Thanks hexkid, you also helped me. This is quite a bit more comfortable than .htaccess.
If you don't want any old person to download a file just by guessing the URL, could you not just make the file names very long and random? That is what some sites do to try to stop you doing this. Something like:
www.yourfile/ridfjg4klsk6jvkjkd4jlsifjleisd42fvhvojw15.zip
The .htaccess method is also very easy.