[SOLVED] code initiate download from server stop hotlinking

Posted: Thu Jan 08, 2004 11:05 pm
by vientorio
Hello there,
We have a problem with one of the mirrors we host from New Zealand. It's a mirror site that gets referred to from the main host site overseas by calling dl.php from the root of the mirror site. This dl.php grabs the file asked for and directs the appropriate file to the client browser.

The problem is hotlinking theft is occurring from another webmaster somewhere in the world. This steals the files and steals bandwidth. The web server is IIS5, with PHP ver 4.3.4.

Currently the PHP file gets the URL to post from a little text document along with the filename to append. The dl.php code follows:

Code:

<?php
// Page header. Double quotes inside the PHP string are backslash-escaped.
print("<html>
<head>
<script type='text/javascript'>window.open('http://gtcs.net.nz/chge/popup.htm', '', 'left=0, top=0, width=10, height=5, resizable=no, menubar=no, toolbar=no, location=no, status=no behind=yes');</script>
<TITLE>Downloading...</TITLE>
<style type=\"text/css\">
<!--
     A:link {text-decoration: none;}
     A:visited {text-decoration: none;}
     A:hover {text-decoration: none;}
a:hover{color:red}
-->
</style>

</head>

<body bgcolor=\"#004080\" link=\"#000080\" vlink=\"#000080\" alink=\"#800000\" topmargin=\"0\" leftmargin=\"0\" rightmargin=\"0\" bottommargin=\"0\">

<div align=\"center\">
  <center>
  <table border=\"0\" width=\"100%\" cellspacing=\"0\" cellpadding=\"0\">
    <tr>
      <td width=\"100%\" height=\"73\"><p align=\"center\"><a href=\"http://www.gameburnworld.com\"><img border=\"0\" src=\"http://www.gameburnworld.com/game_header_1.jpg\" width=\"165\" height=\"55\"><img border=\"0\" src=\"http://www.gameburnworld.com/game_header_2.jpg\" width=\"165\" height=\"55\"><img border=\"0\" src=\"http://www.gameburnworld.com/game_header_3.jpg\" width=\"197\" height=\"55\"></a></td>
    </tr>
    <tr>
      <td width=\"100%\"><p align=\"center\"><!--Insert Banner Here--!></td>
    </tr>
    <tr>
      <td width=\"100%\"><font color=\"#004080\">|</font></td>
    </tr>
  </table>
  </center>
</div>

<div align=\"center\"><center><table border=\"1\" width=\"100%\" bgcolor=\"#C0C0C0\" cellspacing=\"0\" cellpadding=\"0\" bordercolor=\"#808080\">
  <tr>
    <td width=\"100%\">
<hr align=\"center\">");

// Per-mirror link block; <URL> and <MIRROR> are placeholders filled in below.
$display_template = "<div align=\"center\">
  <center>
  <table border=\"0\" width=\"25%\" cellspacing=\"0\" cellpadding=\"0\">
    <tr>
      <td width=\"100%\"><p align=\"center\"><font face=\"Tahoma\" size=\"2\" color=\"#000080\"><b><a href='<URL>' target=\"_blank\"><MIRROR></a></b></font></td>
    </tr>
    <tr>
      <td width=\"100%\">
        <p align=\"center\"><font face=\"Tahoma\" size=\"2\" color=\"#000000\">(Opens In
        A New Window)</font></td>
    </tr>
  </table>
  </center>
</div>";

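// servers.txt holds one mirror per line: LOCATION::MIRROR::URL
$servers = file ('servers.txt');
// HTML-escape the requested name (quotes included) before it goes into the
// href attribute, so the query string cannot inject markup into the page.
$file = (isset ($_GET['file']) && is_string ($_GET['file']))
      ? htmlspecialchars ($_GET['file'], ENT_QUOTES) : '';
for ($i = 0; $i < count ($servers); $i++)
{
  // trim() drops the line ending that file() keeps on each entry
  $sarr = explode ('::', trim ($servers[$i]));
  if (count ($sarr) < 3) continue; // skip blank or malformed lines
  $sarr[2] = str_replace ('<FILENAME>', $file, $sarr[2]);
  $dtmp = str_replace ('<URL>', $sarr[2], $display_template);
  $dtmp = str_replace ('<MIRROR>', $sarr[1], $dtmp);
  $dtmp = str_replace ('<LOCATION>', $sarr[0], $dtmp);
  $dtmp = str_replace ('<COUNTER>', $i + 1, $dtmp);
  echo $dtmp;
}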

// Page footer. Double quotes inside the PHP string are backslash-escaped.
print("<p align=\"center\"><font face=\"Tahoma\" size=\"2\"><font color=\"#FFFF00\">Mirror
Provided By:</font> <b><a href=\"http://www.gtcs.net.nz\" target=\"_blank\">GTCS</a></b></font></p> <p align=\"center\"><a href=\"http://www.gtcs.net.nz\" target=\"_blank\"><img border=\"0\" src=\"http://bgw.gtcs.net.nz/logo1.gif\" alt=\"GTCS New Zealand! Click Now!\" width=\"200\" height=\"100\"></a></p>

<hr align=\"center\">

<p align=\"center\"><font face=\"Tahoma\" size=\"2\" color=\"#800000\"><b>* While you
are downloading, please take the time to visit the download mirror sponsor,
their links and banners are on this page.</b></font></p>

<hr align=\"center\">

</td>
  </tr>
</table></center>
</div>

<div align=\"center\">
  <center>
  <table border=\"0\" width=\"100%\" cellspacing=\"0\" cellpadding=\"0\">
    <tr>
      <td width=\"100%\"><font color=\"#004080\">|</font></td>
    </tr>
  </table>
  </center>
</div>
<div align=\"center\">
  <center>
  <table border=\"1\" width=\"100%\" bordercolor=\"#808080\" cellspacing=\"0\" cellpadding=\"0\" bgcolor=\"#C0C0C0\" height=\"22\">
    <tr>
      <td width=\"100%\">
        <p align=\"center\"><font face=\"Arial\" size=\"1\">© 2004 <a href=\"http://www.gameburnworld.com\"><u>GameBurnWorld</u></a>
        ® All Rights Reserved | <a href=\"http://www.gameburnworld.com/termsofuse.htm\"><u>Terms
        Of Use</u></a> | <a href=\"http://www.gameburnworld.com/privacypolicy.htm\"><u>Privacy
        Policy</u></a> | <a href=\"http://www.gameburnworld.com/contact.htm\"><u>Contact
        Us</u></a> | <a href=\"http://www.gameburnworld.com/advertise.htm\"><u>Advertise
        With Us</u></a> |</font></td>
    </tr>
  </table>
  </center>
</div>

</body>

</html>");

?>

The server.txt file is one line:

Code:

::Click To Download File::http://bgw.gtcs.net.nz/files/<FILENAME>

What we need is to get the files from outside the wwwroot folder therefore making them totally unavailable to URL linking.

Any help would be greatly appreciated

Regards,
Geoff

Posted: Fri Jan 09, 2004 12:17 am
by Bennettman
As far as I know, you'd have to do a server connect (possibly using fsockopen), in order to access the files from outside the public folder of the site. From there you'd load the contents of the file and produce a suitable set of headers for a download (see the header function), using the contents of the file as the download. The end result for the user would be a URL such as "download.php?file=some_file.zip".

Also, if you're going to use vast amounts of HTML in print statements like that without using arrays or functions inside it, use this format instead:

Code:

print <<<somewordyouchoose
<html>
<head>

etc etc 

Downloading from server $server (this is using the variables btw)

etc etc

</body>
</html>
somewordyouchoose;

Obviously, replace "somewordyouchoose" with any word you like (I use "HTML"), and make sure there are three < signs, nothing after the word on the first line, and that the last line has the word and the semicolon on their own. It's very useful to avoid having to put escaping slashes in at speech marks. Also works when setting variables: replace the opening speech mark with "<<<whatever" and the closing mark with "whatever;" on their own lines.
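
Added example, not part of either post or of dl.php: one way to do what the reply above describes, keeping the files outside the web root and sending them with download headers, extended with a signed, expiring link so that a URL copied to another site stops working. It assumes PHP 5.6 or later (for hash_equals), not the thread's PHP 4.3.4; get.php, DOWNLOAD_DIR, LINK_SECRET, LINK_LIFETIME and the expires/sig parameters are hypothetical names.

```php
<?php
// Added example, not from the thread. Hypothetical names: get.php, DOWNLOAD_DIR,
// LINK_SECRET, LINK_LIFETIME, and the "expires" / "sig" query parameters.
define('DOWNLOAD_DIR', 'D:/mirror_files');   // assumed path outside wwwroot
define('LINK_SECRET', 'replace-with-a-long-random-value');
define('LINK_LIFETIME', 600);                // seconds a link stays valid

// dl.php would include this file and print htmlspecialchars(make_link($name))
// as the href instead of a direct /files/ URL.
function make_link($file) {
    $expires = time() + LINK_LIFETIME;
    $sig = hash_hmac('sha256', $file . '|' . $expires, LINK_SECRET);
    return 'get.php?file=' . rawurlencode($file) . "&expires=$expires&sig=$sig";
}

// Returns the absolute path to send, or false when the request is refused.
function resolve_request($file, $expires, $sig) {
    // Plain file names only: no slashes, "..", or drive letters.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*$/', $file)) return false;
    if (!ctype_digit($expires) || (int)$expires < time()) return false;
    $expected = hash_hmac('sha256', $file . '|' . $expires, LINK_SECRET);
    if (!hash_equals($expected, $sig)) return false;   // forged or edited link
    // Second check: the resolved path must still sit inside DOWNLOAD_DIR.
    $base = realpath(DOWNLOAD_DIR);
    $path = realpath(DOWNLOAD_DIR . '/' . $file);
    if ($base === false || $path === false || !is_file($path)) return false;
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) return false;
    return $path;
}

// Serve only when get.php is requested directly, not when dl.php includes it.
if (realpath($_SERVER['SCRIPT_FILENAME']) === __FILE__) {
    $q = array();
    foreach (array('file', 'expires', 'sig') as $k) {
        $q[$k] = (isset($_GET[$k]) && is_string($_GET[$k])) ? $_GET[$k] : '';
    }
    $path = resolve_request($q['file'], $q['expires'], $q['sig']);
    if ($path === false) {
        header('HTTP/1.1 403 Forbidden');
        exit('Download link is invalid or has expired.');
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}
```

PHP reads the file straight from disk with readfile(), so the directory needs no URL mapping in IIS, only read permission for the account PHP runs as.
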

Posted: Fri Jan 09, 2004 12:58 am
by vientorio
Thank you for your response.
Yes, I agree, the HTML code could be scripted better, but I don't own dl.php, so I cannot change it drastically, only enough to secure these files from being hot linked. Is there any other way to secure these files?