Hiding download path

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
Galahad
Forum Contributor
Posts: 111
Joined: Fri Jun 14, 2002 5:50 pm

Hiding download path

Post by Galahad »

Does anyone know how I could conceal the path of a file, so that a user would have to go through my php page in order to get access to the file? I don't want the user to be able to know where the actual file is stored on the server. I think something kind of like fileplanet does, but I haven't looked really closely at their system. Any suggestions or pointers?
User avatar
Kim
Forum Newbie
Posts: 6
Joined: Sun May 18, 2003 9:36 pm

Re: Hiding download path

Post by Kim »

Galahad wrote:Does anyone know how I could conceal the path of a file, so that a user would have to go through my php page in order to get access to the file? I don't want the user to be able to know where the actual file is stored on the server. I think something kind of like fileplanet does, but I haven't looked really closely at their system. Any suggestions or pointers?
Hi,here is the code :)
http://www.showtop.net/download/date/antiouterlink.zip
Galahad
Forum Contributor
Posts: 111
Joined: Fri Jun 14, 2002 5:50 pm

Post by Galahad »

Thanks for the reply. From what I can gather that looks like what I want to do. However, I am more interested in the ideas and knowing what's going on than just copying code. I'm having trouble with yours since the readme stuff seems to be in chinese. Could you or anyone else give me some pointers?
User avatar
Bill H
DevNet Resident
Posts: 1136
Joined: Sat Jun 01, 2002 10:16 am
Location: San Diego CA
Contact:

Post by Bill H »

You can use the header function to do that.
I have the files in a directore named "support" which is outside the root directory of my website.
Call the download using the name of the file, thusly:

Code: Select all

<a href="doit.php?file=Rms3.exe">Click here to download RMS</a><br>
the "doit.php" file looks like this:

Code: Select all

<?php
if (IsSet($file)) header("Location: ../support/$file");
?>
evilcoder
Forum Contributor
Posts: 345
Joined: Tue Dec 17, 2002 5:37 am
Location: Sydney, Australia

Post by evilcoder »

its not possible to complete hide the path. Anyone can put a HTTP tracker program on which will monitor every HTTP connection, and b00M they have the real address of your file.

The only true way to do it, would be to store them outside of a webviewable folder, and copy the file to a www folder each time its requested. Althought be careful as that can have some performance issues on larger files.
Jon2003
Forum Newbie
Posts: 7
Joined: Tue Apr 29, 2003 7:44 pm

Post by Jon2003 »

I have a little idea to improve situation: rename randomly the file before (easy) or after downloading. Thus, users cannot know its name for next downloading without visiting the page.
Galahad
Forum Contributor
Posts: 111
Joined: Fri Jun 14, 2002 5:50 pm

Post by Galahad »

Ok, so I have a system that more of less works. This page was very helpful in getting me started here. Kim's code (first reply to my original message) is more complete but less helpful as a tutorial.

I am using something similar to that, but more general. I rename my files using the following function:

Code: Select all

// Function to create realname for a file
function create_realname($filename) &#123;
  $tag = getmypid().$filename;
  $extension = get_extension($filename);
  $hash = md5(uniqid($tag, 1));

  return $hash.".$extension";
&#125;
get_extension is a simple function that returns everything from the last "." on.

Once it is renamed, the user won't be able to guess what the filename is. Although I haven't set up the database yet (I'm just faking the db results), eventually the database will store the real filename (the md5 one) and the original filename (image.jpg or whatever). When you request a file from the download page, it verifies that you have logged in. Then it opens the file and reads in 4k at a time and dumps it out to the browser. I got that idea from the third comment on this page. The browser knows what to suggest naming the file because of the "Content-disposition: attachment; filename=" header that I send it.

I don't think that a http tracker could figure out where the php script is reading the file from. All it knows is that it is getting data from the download php script. Is that correct? You also don't have to try to deal with renaming the file and concurrent access.
Galahad
Forum Contributor
Posts: 111
Joined: Fri Jun 14, 2002 5:50 pm

Post by Galahad »

On sort of a different note, I still would like to do a little securing of the directory where the actual files are stored. My idea is to use mod_rewrite to redirect any attempts to access that directory back to the main page. I think that would work since php accesses the directory locally and mod_rewrite only handles http requests. Seems like it should work, but I'm having a terrible time getting mod_rewrite to do anything at all. Anyone have experience with mod_rewrite?
Galahad
Forum Contributor
Posts: 111
Joined: Fri Jun 14, 2002 5:50 pm

Post by Galahad »

I should add that I am running my own server so I have full access, but no webmaster to contact for help.
Galahad
Forum Contributor
Posts: 111
Joined: Fri Jun 14, 2002 5:50 pm

Post by Galahad »

Ok, so I got what I wanted. I changed my httpd.conf file so AllowOverride for my directory was "FileInfo" instead of "None".

It turns out that I didn't need to do a bunch of fancy mod_rewrite stuff. mod_alias worked just fine. I just used RedirectMatch. I put the following line in .htaccess in mydirectory :

Code: Select all

RedirectMatch .*/mydirectory/.*/.* /mydirectory/index.php
That sends any attempt to access a subdirectory of "mydirectory" back to the index page. It seems to hide my subdirectory structure pretty well, and I can still download files through the page.
Post Reply