download file

dethron
Forum Contributor
Posts: 370
Joined: Sat Apr 27, 2002 11:39 am
Location: Istanbul

Post by dethron »

Hi folks, I am listing my constraints and will be glad to hear your comments....

- There is a binary file whose address will be sent by email to users who register their addresses.
- If someone doesn't want to give his email address then he should not be allowed to download the file.
- After downloading the file, the sent address for the file should be useless.


What I already did:

I am sending a hash value as a parameter, and I am inserting the same value with the email address of the user.

A download page checks the parameter from db and updates its value (ISUSED) to TRUE

Then redirect the user to the file's original address.

What I haven't accomplished yet:

If someone guesses the correct path for the file (the one where the file is originally stored) then he can download the file as much as he wants.

If I am advised to put the file in a protected directory, then my redirection won't work either....


I assume you understand my problem, :))
Thank you for reading....

dethron out.
hawleyjr
BeerMod
Posts: 2170
Joined: Tue Jan 13, 2004 4:58 pm
Location: Jax FL & Spokane WA USA

Post by hawleyjr »

You can always create a password protected page.

How long of a hash are you using? What type of hash?
dethron
Forum Contributor
Posts: 370
Joined: Sat Apr 27, 2002 11:39 am
Location: Istanbul

Post by dethron »

hawleyjr wrote: You can always create a password protected page.

Yes. :roll: :?:

hawleyjr wrote: How long of a hash are you using? what type of hash?

I used md5. :roll:
hawleyjr
BeerMod
Posts: 2170
Joined: Tue Jan 13, 2004 4:58 pm
Location: Jax FL & Spokane WA USA

Post by hawleyjr »

There are 340282366920938463463374607431768211456 possible checksums
http://www.miketaylor.org.uk/tech/law.html

There are things you can do if you don't want to do a password page:

Use sha1 or sha256.

Use two hashes instead of one in your URL (will make the URL much longer).

Secure your files using file permissions.
dethron
Forum Contributor
Posts: 370
Joined: Sat Apr 27, 2002 11:39 am
Location: Istanbul

Post by dethron »

Dude, think twice... :)

How would it be possible for a user to download if you protected the file by putting it into a password protected directory?

I do not need to lengthen the address, this is nonsense.
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

dethron wrote: How would it be possible to download for a user if you protected file by putting it into a password protected directory?

It prompts the user for a password, they enter the password, and then the download begins. It's easy.

dethron wrote: I do not need to lengthen the address, this is nonsense.

The point was to offer two hashes - one for the file, one for the user. If both aren't true (and activated), then they couldn't download the file (because one of the two hashes would not work).

I think you are ignoring a valuable alternative. Make each "file" available under a directory, i.e., http://www.example.com/file1.php

Then make each user access that using their unique code, i.e., http://example.com/file1.php?user=bob

Finally, have the script simply check if the user has access (select users from authorized where user=bob and file=file1), and if he does, then serve the content. Once you've served the content, perhaps after 15 minutes, have a cronjob that unsets that content as available to that user in the db.

Simple, easy, scalable, secure.
dethron
Forum Contributor
Posts: 370
Joined: Sat Apr 27, 2002 11:39 am
Location: Istanbul

Post by dethron »

Sorry guys, but I really don't know what you are talking about!
You probably got the whole scenario wrong.

Thank you anyway.

Good Luck.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

What type of file are you allowing for download? You could possibly postback using the same page as you do for confirmation instead of redirecting. That way you can use an include inside of an if(isset()) type thing. On the first load the user only sees a button if their information checks out (otherwise they see an error message). After they post the button the file can be allowed for download by using an include statement inside of a validation $_POST check. After the first time they visit and post the confirmation the include will no longer work.

Just a thought. There are, of course, secondary measures to take here to prevent the user from guessing the URL of the file. Maybe try using mod_rewrite and set up a rule to allow for autogenerated directory names that point to a folder on top of the root folder.

Hope it helps.
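
An added example, not part of any post in this thread: one way to combine the suggestions above so that the mailed link works once and the file's real location is never exposed, by having the download script stream the file from outside the web root instead of redirecting to it. The `downloads` table, its columns (`is_used` mirrors the ISUSED flag from the first post), the three helper functions and the in-memory SQLite demo are assumptions.

```php
<?php
declare(strict_types=1);
// Added example: table, column, function and path names are assumptions, not the poster's code.

/** Issue a one-time token for an e-mail address; the raw token goes into the mailed link. */
function issueToken(PDO $db, string $email): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG, not a hash of guessable input
    $stmt = $db->prepare('INSERT INTO downloads (token_hash, email, is_used) VALUES (?, ?, 0)');
    $stmt->execute([hash('sha256', $token), $email]); // store only a hash of the token
    return $token;
}

/** Flip is_used from 0 to 1 in a single UPDATE, so two parallel requests cannot both succeed. */
function redeemToken(PDO $db, string $token): bool
{
    $stmt = $db->prepare('UPDATE downloads SET is_used = 1 WHERE token_hash = ? AND is_used = 0');
    $stmt->execute([hash('sha256', $token)]);
    return $stmt->rowCount() === 1;
}

/** Stream the file from a path outside the document root; no URL to the file ever exists. */
function serveDownload(PDO $db, string $token, string $path): void
{
    // Check the file first so a missing file does not burn the user's token.
    if (!is_file($path) || !redeemToken($db, $token)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

// Constructed demo: in-memory SQLite (needs pdo_sqlite) stands in for the real database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE downloads (token_hash TEXT PRIMARY KEY, email TEXT, is_used INTEGER)');
$token = issueToken($db, 'user@example.com');
var_dump(redeemToken($db, $token));  // first use of the mailed link
var_dump(redeemToken($db, $token));  // replay of the same link
var_dump(redeemToken($db, 'guess')); // token that was never issued
```

In a real download page `serveDownload()` would be called with the token from the query string and a fixed server-side path; the path must never be taken from the request.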