
Hiding download path

Posted: Mon May 19, 2003 7:18 pm
by Galahad
Does anyone know how I could conceal the path of a file, so that a user would have to go through my php page in order to get access to the file? I don't want the user to be able to know where the actual file is stored on the server. I think something kind of like fileplanet does, but I haven't looked really closely at their system. Any suggestions or pointers?

Re: Hiding download path

Posted: Mon May 19, 2003 11:38 pm
by Kim
Galahad wrote: Does anyone know how I could conceal the path of a file, so that a user would have to go through my php page in order to get access to the file? I don't want the user to be able to know where the actual file is stored on the server. I think something kind of like fileplanet does, but I haven't looked really closely at their system. Any suggestions or pointers?
Hi, here is the code :)
http://www.showtop.net/download/date/antiouterlink.zip

Posted: Tue May 20, 2003 11:14 am
by Galahad
Thanks for the reply. From what I can gather that looks like what I want to do. However, I am more interested in the ideas and knowing what's going on than just copying code. I'm having trouble with yours since the readme stuff seems to be in Chinese. Could you or anyone else give me some pointers?

Posted: Tue May 20, 2003 5:04 pm
by Bill H
You can use the header function to do that.
I have the files in a directory named "support" which is outside the root directory of my website.
Call the download using the name of the file, thusly:

Code:

<a href="doit.php?file=Rms3.exe">Click here to download RMS</a><br>

The "doit.php" file looks like this:

Code:

<?php
// Take the name from $_GET (register_globals is off by default since PHP 4.2.0);
// basename() strips directory components such as "../".
if (isset($_GET['file'])) header("Location: ../support/" . basename($_GET['file']));
?>

Posted: Tue May 20, 2003 5:31 pm
by evilcoder
It's not possible to completely hide the path. Anyone can put an HTTP tracker program on which will monitor every HTTP connection, and b00M they have the real address of your file.

The only true way to do it would be to store them outside of a webviewable folder, and copy the file to a www folder each time it's requested. Although be careful, as that can have some performance issues on larger files.

Posted: Wed May 21, 2003 8:13 am
by Jon2003
I have a little idea to improve the situation: randomly rename the file before (easy) or after downloading. Thus, users cannot know its name for the next download without visiting the page.

Posted: Wed May 21, 2003 3:52 pm
by Galahad
Ok, so I have a system that more or less works. This page was very helpful in getting me started here. Kim's code (first reply to my original message) is more complete but less helpful as a tutorial.

I am using something similar to that, but more general. I rename my files using the following function:

Code:

// Function to create realname for a file
function create_realname($filename) {
  $tag = getmypid().$filename;
  $extension = get_extension($filename);
  $hash = md5(uniqid($tag, 1));

  return $hash.".$extension";
}

get_extension is a simple function that returns everything from the last "." on.

Once it is renamed, the user won't be able to guess what the filename is. Although I haven't set up the database yet (I'm just faking the db results), eventually the database will store the real filename (the md5 one) and the original filename (image.jpg or whatever). When you request a file from the download page, it verifies that you have logged in. Then it opens the file and reads in 4k at a time and dumps it out to the browser. I got that idea from the third comment on this page. The browser knows what to suggest naming the file because of the "Content-disposition: attachment; filename=" header that I send it.

I don't think that a http tracker could figure out where the php script is reading the file from. All it knows is that it is getting data from the download php script. Is that correct? You also don't have to try to deal with renaming the file and concurrent access.
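
The download flow described in the post above (login check, lookup of the stored name, 4 KB streaming, Content-disposition header), as an added example that is not code from the thread. STORAGE_DIR, the $catalog array standing in for the database, the "id" parameter and the "user_id" session key are assumptions, and random_bytes() is swapped in for md5(uniqid()).

```php
<?php
// Added example, not from the thread. STORAGE_DIR, $catalog (standing in for the
// database), the "id" parameter and the "user_id" session key are hypothetical.
const STORAGE_DIR = '/srv/downloads';   // outside the web root, never served directly

// Stored name for a new upload: 128 bits from the CSPRNG plus the original extension.
// Swapped in for uniqid(), which PHP documents as not cryptographically secure.
function create_stored_name(string $original): string {
    $ext = strtolower(pathinfo($original, PATHINFO_EXTENSION));
    $ext = preg_match('/^[a-z0-9]{1,8}$/', $ext) ? ".$ext" : '';
    return bin2hex(random_bytes(16)) . $ext;
}

// Resolve a public id to [path, download name]; null if unknown or malformed.
function resolve_download(array $catalog, string $id): ?array {
    if (!isset($catalog[$id])) return null;
    [$stored, $original] = $catalog[$id];
    if (!preg_match('/^[0-9a-f]{32}(\.[a-z0-9]{1,8})?$/', $stored)) return null;
    // Keep only characters that are safe inside a quoted header value.
    $safe = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($original));
    return [STORAGE_DIR . '/' . $stored, $safe];
}

// Constructed sample row: public id => [stored name, original name].
$catalog = [
    '17' => ['9f86d081884c7d659a2feaa0c55ad015.jpg', 'image.jpg'],
];

session_start();
if (empty($_SESSION['user_id'])) { http_response_code(403); exit('Login required'); }

// The client only ever sends an id; the stored name and directory never leave the server.
$hit = resolve_download($catalog, (string)($_GET['id'] ?? ''));
$fh = ($hit !== null && is_file($hit[0])) ? fopen($hit[0], 'rb') : false;
if (!$fh) { http_response_code(404); exit('Not found'); }

header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="' . $hit[1] . '"');
header('Content-Length: ' . filesize($hit[0]));

while (!feof($fh)) {      // 4 KB at a time, so large files never sit whole in memory
    echo fread($fh, 4096);
    flush();
}
fclose($fh);
```

Because the request carries only an id that is looked up server-side, a value such as "../../etc/passwd" never reaches a filesystem call, and the response headers expose the original filename but not the stored one.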

Posted: Wed May 21, 2003 4:04 pm
by Galahad
On sort of a different note, I still would like to do a little securing of the directory where the actual files are stored. My idea is to use mod_rewrite to redirect any attempts to access that directory back to the main page. I think that would work since php accesses the directory locally and mod_rewrite only handles http requests. Seems like it should work, but I'm having a terrible time getting mod_rewrite to do anything at all. Anyone have experience with mod_rewrite?

Posted: Wed May 21, 2003 4:08 pm
by Galahad
I should add that I am running my own server so I have full access, but no webmaster to contact for help.

Posted: Wed May 21, 2003 5:53 pm
by Galahad
Ok, so I got what I wanted. I changed my httpd.conf file so AllowOverride for my directory was "FileInfo" instead of "None".

It turns out that I didn't need to do a bunch of fancy mod_rewrite stuff. mod_alias worked just fine. I just used RedirectMatch. I put the following line in .htaccess in mydirectory:

Code:

RedirectMatch .*/mydirectory/.*/.* /mydirectory/index.php

That sends any attempt to access a subdirectory of "mydirectory" back to the index page. It seems to hide my subdirectory structure pretty well, and I can still download files through the page.