Page 1 of 1

downloading files 100% securely

Posted: Tue Jul 29, 2003 3:30 am
by warfleet
OK, first post here so be gentle :-)

I need help as I have to include (as a part of my web site) the ability to securely download a file to a user and for that file to be downloaded by only him/her - but as many times as they like.

Basically they are going to have the option to pay a few bucks and have access to a custom app that will imrove the game. I will link its use to their gaming account anyway so its not a big deal really, but I want to only let them download it if they have paid for it. Its a methiod for my players to support me if they are an uber-player and want to use extra app features. (its a web game otherwise)

I am using php/mySql (of course) and I am not sure if I need to go for a generic database=file solution (I have had headaches from these when trying them out for jpg images etc but they DO seem popular) or if I need to go for a http://www.mysite.com/some/folder/SOME- ... 5/file.exe solution (if you get my drift) But that (in itself is not secure cos that link could be pasted all over the net) My preferred solution is to give a user the ability to access to the file at a set "virtual location" which in fact is all one location AND only if that user has the rights to it.

Do I make any sense? Its actually an easy question to understand if you understand my need. i.e. I need to get exe file access only to logged in users I know are entitled access to it.

Posted: Tue Jul 29, 2003 7:50 am
by evilcoder
i guess you could use the "copy" function of PHP to move the file from a non-www accessible folder to a www-accessible folder when it's called, then create a script, which you would cron-job, to delete any files inside the www-accessible folder, every half hour or so..

just a thought. And use your MySQL database to authenticate the user. So if theres a field called "Pay_Member" and when the member has paid it equals "1", then use something like

Code: Select all

if ( $1 == "1" ) {
   copy( "/non-www_accessible_folder/file.exe" , "/www/dir/file.exe" ) or die( "Bah something went wrong" );
}
else {
   echo "You dont have permission";
}

Posted: Tue Jul 29, 2003 8:29 am
by warfleet
Thanks for the post

I guess I could populate a bogus folder with the file(s) they are entitled logged in when they log in and remove those same files every time they are idle/logout. It seems too in-elegant though.

I know what I want to do, I want to allow the download a file only if you are logged in with permission. There are loads of file download sites that do this. Pretty much half the sites that offer free stuff need you to be logged in to get it.

Is that really how they handle this? I am sure it has to be less of a faff. If not, it doesn't really matter in one way because disk space is rarely a problem these days, bandwidth is.

Are there any free projects on sourceforge that people know about by any chance?

Thanks in Advance

Posted: Wed Jul 30, 2003 8:38 am
by evilcoder
the discussion about this has appeared many times on devnet.. No matter how well your download script is coded, HTTP requests are made when downloading a file, and there are programs which can track down the HTTP location of files even through scripts that say they "protect" your download location.

The only true safe way was what i mentioned about using copy, and i thought about it, and effectively you could delete it without needing cron-jobs... If you're still interested just message back, i'm pretty tired so i couldnt be bothered typing. :)

Posted: Wed Jul 30, 2003 1:10 pm
by McGruff
Could you put the files in a folder which only php scripts have permission to access?

An authentication script could block anyone who is not allowed to download the file, then use php ftp functions to download it.

You'd possibly also have to write some php scripts to manage files in the folder.

Posted: Wed Jul 30, 2003 11:32 pm
by MrNonchalant
The quickest thing I can thing of is instead of copying the file there via PHP, just putting a PHP script there that reads the file and feeds it to the browser if he or she is logged in. Not really hard to do with some creative use of fopen(), echo(), feof, a while loop, and an octet stream header(). If you want me to whip up a quick demo for you I could.

Posted: Wed Aug 06, 2003 9:24 am
by Solsys
I had to devise a way to do this for a company I worked for, (needed a way for customers to download manuals w/o keeping them in webroot.)

here is the code:(stripped out of some other code so you have to decide how to pass $filename to it and of course error checking needs to be done)

Code: Select all

<?php

$file = fopen($filename, 'r');

//set some HTTP headers
Header('Content-Type: application/x-octet-stream');
Header('Content-Transfer-Encoding: binary');
Header('Content-Length: ' . filesize($filename));
Header('Cache-Control: no-cache, must-revalidate'); //HTTP 1.1
Header('Cache-Control: post-check=0, pre-check=0', false); //HTTP 1.1
Header('Pragma: no-cache'); //HTTP 1.0
Header('Content-Description: Whatever the file is');
Header('Content-Disposition: attachment; filename="'.$filename.'"');
Header('Title: ' .$filename());

while(!$feof($file))
     print(fread($file, 4096));

fclose($file);
?>
This should allow you to create a link that will directly open the browsers download dialog. It also prevents MSIE from trying to open up helper apps rather than downloading the file as it should.

Also due to a bug in certain browsers(Earlier versions of NS6 and Mozilla mainly), you need to make sure that the link
is something similar to this:
http://www.example.com/download.php/?

the /? keeps the browser from trying to name the file "download.php" or whatever you call the script. We were using sessions when we created this, so there was nothing else on the URL string, I'd imagine if you passed some things via $_GET you can disreguard this.

HTH

hi

Posted: Thu Aug 21, 2003 9:12 am
by TLPD
Can i ask onething :lol:
This is the code i use to upload file use copy() function

Code: Select all

$servername = "http://mysite.com";
copy ("$file","$servername$file_name");
when i run it i get an error. So i don't know why but if i use the $servername is "c:/" ( when i test at localhost) it work well

Posted: Thu Aug 21, 2003 9:29 am
by greenhorn666
Solsys' way is the way to go...
You could even us

Code: Select all

$fp = fopen($path.$to.$file);
fpassthru($fp);
fclose($fp);
on newer php version (don't remember where this was included)

Simply before passing the file thru to the client verify it is ok to do so (auth). I would go for the $_GET (like download.php?file=pr0n.mpg ;) ) or pass a file ID, that's used to lookup file infos (like location) on the server.

You could setup
site.com/htdocs/ as document root and
site.com/files/ as private file root

The copy way is NOT the way to go, it is security thru obscurity (only M$ does that!) lol!

Your copy file to location http://site.com/where/ever/the/file.goes seems pretty much impossible to me

Re: hi

Posted: Fri Aug 22, 2003 2:48 am
by will
TLPD wrote:Can i ask onething :lol:
This is the code i use to upload file use copy() function

Code: Select all

$servername = "http://mysite.com";
copy ("$file","$servername$file_name");
when i run it i get an error. So i don't know why but if i use the $servername is "c:/" ( when i test at localhost) it work well
the second parameter needs to be a location on the local file system, not a URL. it can either be relative to the current directory the script is running in, or an absolute path from the root - in your case c:\