Hiding download path
Does anyone know how I could conceal the path of a file, so that a user would have to go through my php page in order to get access to the file? I don't want the user to be able to know where the actual file is stored on the server. I think something kind of like fileplanet does, but I haven't looked really closely at their system. Any suggestions or pointers?
Re: Hiding download path
Galahad wrote: Does anyone know how I could conceal the path of a file, so that a user would have to go through my php page in order to get access to the file? I don't want the user to be able to know where the actual file is stored on the server. I think something kind of like fileplanet does, but I haven't looked really closely at their system. Any suggestions or pointers?
Hi, here is the code:
http://www.showtop.net/download/date/antiouterlink.zip
- Bill H
You can use the header function to do that.
I have the files in a directory named "support" which is outside the root directory of my website.
Call the download using the name of the file, thusly:
Code: Select all
<a href="doit.php?file=Rms3.exe">Click here to download RMS</a><br>
The "doit.php" file looks like this:
Code: Select all
<?php
// Read the parameter from $_GET; a bare $file only worked with register_globals (removed in PHP 5.4).
if (isset($_GET['file'])) header("Location: ../support/" . $_GET['file']);
?>

It's not possible to completely hide the path. Anyone can put an HTTP tracker program on which will monitor every HTTP connection, and b00M they have the real address of your file.
The only true way to do it would be to store them outside of a webviewable folder, and copy the file to a www folder each time it's requested. Although be careful, as that can have some performance issues on larger files.
Ok, so I have a system that more or less works. This page was very helpful in getting me started here. Kim's code (first reply to my original message) is more complete but less helpful as a tutorial.
I am using something similar to that, but more general. I rename my files using the following function:
Code: Select all
// Function to create realname for a file
function create_realname($filename) {
    $tag = getmypid().$filename;
    $extension = get_extension($filename);
    $hash = md5(uniqid($tag, true));
    return $hash.".$extension";
}
get_extension is a simple function that returns everything from the last "." on.
Once it is renamed, the user won't be able to guess what the filename is. Although I haven't set up the database yet (I'm just faking the db results), eventually the database will store the real filename (the md5 one) and the original filename (image.jpg or whatever). When you request a file from the download page, it verifies that you have logged in. Then it opens the file and reads in 4k at a time and dumps it out to the browser. I got that idea from the third comment on this page. The browser knows what to suggest naming the file because of the "Content-disposition: attachment; filename=" header that I send it.
I don't think that an HTTP tracker could figure out where the php script is reading the file from. All it knows is that it is getting data from the download php script. Is that correct? You also don't have to try to deal with renaming the file and concurrent access.
On sort of a different note, I still would like to do a little securing of the directory where the actual files are stored. My idea is to use mod_rewrite to redirect any attempts to access that directory back to the main page. I think that would work since php accesses the directory locally and mod_rewrite only handles http requests. Seems like it should work, but I'm having a terrible time getting mod_rewrite to do anything at all. Anyone have experience with mod_rewrite?
Ok, so I got what I wanted. I changed my httpd.conf file so AllowOverride for my directory was "FileInfo" instead of "None".
It turns out that I didn't need to do a bunch of fancy mod_rewrite stuff. mod_alias worked just fine. I just used RedirectMatch. I put the following line in .htaccess in mydirectory:
Code: Select all
RedirectMatch .*/mydirectory/.*/.* /mydirectory/index.php
That sends any attempt to access a subdirectory of "mydirectory" back to the index page. It seems to hide my subdirectory structure pretty well, and I can still download files through the page.
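
The download page described earlier in the thread (login check, lookup of the stored name, 4k reads, Content-Disposition header), written out as an added example; it is not code from any poster. The storage path, the `id` parameter, the `user_id` session key and the array standing in for the database are assumptions.

```php
<?php
// Added example: download gateway. All names and paths here are assumptions.
const STORAGE_DIR = '/srv/app-files';   // hypothetical directory outside the document root
// Stands in for the database: public id => stored (hashed) name and original name.
function lookup_file(string $id): ?array {
    $rows = [   // constructed sample row
        '7f3a9c' => ['stored' => '0cc175b9c0f1b6a831c399e269772661.jpg', 'original' => 'image.jpg'],
    ];
    return $rows[$id] ?? null;
}

// Resolve the stored name and refuse anything that lands outside STORAGE_DIR.
function resolve_path(string $stored): ?string {
    $base = realpath(STORAGE_DIR);
    $path = realpath(STORAGE_DIR . '/' . basename($stored));
    if ($base === false || $path === false || !is_file($path)) return null;
    return strpos($path, $base . DIRECTORY_SEPARATOR) === 0 ? $path : null;
}

// Send the file in 4 KB chunks so a large file is never held in memory whole.
function stream_file(string $path, string $downloadName): bool {
    $fh = fopen($path, 'rb');
    if ($fh === false) return false;
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $downloadName);
    while (ob_get_level() > 0) ob_end_clean();   // drop output buffers before streaming
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($path));
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    while (!feof($fh)) {
        echo fread($fh, 4096);
        flush();
    }
    fclose($fh);
    return true;
}

session_start();
if (empty($_SESSION['user_id'])) {          // assumed marker set by the login page
    http_response_code(403);
    exit('Login required');
}
$id   = $_GET['id'] ?? '';
$row  = is_string($id) ? lookup_file($id) : null;
$path = $row ? resolve_path($row['stored']) : null;
if ($path === null || !stream_file($path, $row['original'])) {
    http_response_code(404);                // same reply for unknown id and missing file
    exit('Not found');
}
```

The request carries only the opaque id, so neither the stored filename nor the storage directory appears in any URL or response header.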