Page 1 of 1
download file
Posted: Fri Dec 09, 2005 4:51 pm
by dethron
Hi folks, i am listing my constraints and will be glad with your comments....
- there is a binary file whose address will be sent to users' email who register their addresses.
- if someone doesnt want to give his email address then he should not be allowed to download the file.
- after downloading the file the sent address for the file should be useless.
What i already did :
I am sending a hash value as a parameter, and i am inserting same value with the email address of the user.
A download page checks the parameter from db and updates its value (ISUSED) to TRUE
Then redirect the user to the file's original address.
What i havent accomlished yet :
If someone guesses my correct path for the file ( the one the file is originally stored) then he can download the file as much as he wants.
If I am advised to put the file in a protected directory, then my redirection wont work either....
I assume you understand my problem,

)
Thank you for reading....
dethron out.
Posted: Fri Dec 09, 2005 4:53 pm
by hawleyjr
You can always create a password protected page.
How long of a hash are you using? what type of hash?
Posted: Fri Dec 09, 2005 5:09 pm
by dethron
hawleyjr wrote:You can always create a password protected page.
Yes.
hawleyjr wrote:How long of a hash are you using? what type of hash?
I used md5.

Posted: Fri Dec 09, 2005 5:19 pm
by hawleyjr
There are 340282366920938463463374607431768211456 possible checksums
http://www.miketaylor.org.uk/tech/law.html
There are things you can do if you don't want to do a password page
use sha1 or sha256
Use two hashes instead of one in your URL (WIll make the URL much longer)
secure your files using file permissions.
Posted: Fri Dec 09, 2005 5:37 pm
by dethron
Dude, think twice...
How would it be possible to download for a user if you protected file by putting it into a password protected directory?
I do not need to lengthen the address, this is nonsense.
Posted: Fri Dec 09, 2005 5:58 pm
by Roja
dethron wrote:How would it be possible to download for a user if you protected file by putting it into a password protected directory?
It prompts the user for a password, they enter the password, and then the download begins. Its easy.
dethron wrote:I do not need to lengthen the address, this is nonsense.
The point was to offer two hashes - one for the file, one for the user. If both arent true (and activated), then they couldnt download the file (because one of the two hashes would not work).
I think you are ignoring a valuable alternative. Make each "file" available under a directory. ie,
http://www.example.com/file1.php
Then make each user access that using their unique code. ie,
http://example.com/file1.php?user=bob
Finally, have the script simply check if the user has access (select users from authorized where user=bob and file=file1), and if he does, then serve the content. Once you've served the content, perhaps after 15 minutes, have a cronjob that unsets that content as available to that user in the db.
Simple, easy, scalable, secure.
Posted: Fri Dec 09, 2005 6:13 pm
by dethron
Srry guys, but i really dont know what you are talking about!
Probably you got the all scenario wrong.
Thank you anyway.
Good Luck.
Posted: Fri Dec 09, 2005 10:35 pm
by RobertGonzalez
What type of file are you allowing for download? You could possibly postback using the same page as you do for confirmation instead of redirecting. That way you can use an include inside of an if(isset()) type thing. On the first load the user only sees a button if their information checks out (otherwise they see an error message). After they post the button the file can be allowed for download by using an include statement inside of a validation $_POST check. After the first time they visit and post the confirmation the include will no longer work.
Just a thought. There are, of course, secondary measures to take here to prevent the user from guessing the URL of the file. Maybe try using mod_rewrite and set up a rule to allow for autogenerated directory names that point to a folder on top of the root folder.
Hope it helps.