Secure file downloading

Not for 'how-to' coding questions but PHP theory instead, this forum is here for those of us who wish to learn about design aspects of programming with PHP.

Moderator: General Moderators

brian2000
Forum Newbie
Posts: 4
Joined: Thu Nov 20, 2008 12:21 pm

Secure file downloading

Post by brian2000 »

I am rather proficient in PHP; however, the problem I am currently trying to solve is something I have never been faced with before, and thus I am looking for the best possible solution for it before trying different things out and potentially failing horribly.

My friend requested my services in creating a website for his band, which will allow customers a one-time download of his band’s album.

A lot of ‘indie’ recording labels have websites where you enter a huge code into a web form, and the file (usually a zip) will download to the customer’s computer. I’m sure some (or most) of you have seen sites like this before.

Obviously there is a database full of codes and what album/file they correspond to, and the form updates the database and sends the download to the customer’s browser.

I am trying to figure out what the best method of doing this would be, and how would I keep the album files secure on the server to prevent unauthorized access to them, how should the database be structured, how should the download portion be handled, etc.

It’s a tricky situation, but if done properly can be valuable to many people.

[In advance, thanks for any help/suggestions/links/examples etc]
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: Secure file downloading

Post by Eran »

As you said - assigning unique identifiers to be used and then invalidating them after usage is the way to go.
In order to protect your files from direct access, place them in a directory not accessible from an HTTP request (physically, or by using mod_rewrite), and instead serve the script using PHP.
To do that you just need to output the correct headers (google for 'force download headers') and output the contents of the files using one of PHP's many file reading functions.

Something like:

 
// $file is the filename (including path) you want to serve
if (is_readable($file)) {
     header("Content-type: application/force-download");
     header("Content-Transfer-Encoding: Binary");
     header("Content-length: " . filesize($file));
     header("Content-disposition: attachment; filename=\"" . basename($file) . "\"");
     readfile($file); // stream the file contents to the client
     exit;            // stop here so no further output is appended to the download
}
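
Added example (not part of the original posts, and not Eran's code): one way to make the code a true one-time code before the file is handed to readfile() as in the reply above. The table download_codes, its columns, the storage directory and all sample data are assumptions constructed for illustration; it runs from the PHP command line with the SQLite PDO driver.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. The table download_codes, its
// columns, and the storage directory are assumed names; data is constructed.

/** Consume a one-time code; return the file path, or null if refused. */
function redeemCode(PDO $db, string $storageDir, string $code): ?string
{
    $db->beginTransaction();
    // One conditional UPDATE: two concurrent requests cannot both redeem
    // the same code, unlike a SELECT check followed by a separate UPDATE.
    $upd = $db->prepare('UPDATE download_codes SET used_at = :now
                          WHERE code = :code AND used_at IS NULL');
    $upd->execute([':now' => gmdate('c'), ':code' => $code]);
    $path = false;
    if ($upd->rowCount() === 1) {
        // The file name comes from the database, never from the request.
        $sel = $db->prepare('SELECT file_name FROM download_codes WHERE code = :code');
        $sel->execute([':code' => $code]);
        $path = realpath($storageDir . '/' . basename((string) $sel->fetchColumn()));
    }
    if ($path === false || !is_file($path) || !is_readable($path)) {
        $db->rollBack();          // do not burn a code that cannot be served
        return null;
    }
    $db->commit();
    return $path;                 // send the headers, then readfile($path)
}

// Constructed demo data: a storage directory outside any web root, one file, one code.
$storageDir = sys_get_temp_dir() . '/albums_' . bin2hex(random_bytes(4));
mkdir($storageDir, 0700);
file_put_contents($storageDir . '/album.zip', 'constructed placeholder bytes');

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE download_codes
           (code TEXT PRIMARY KEY, file_name TEXT NOT NULL, used_at TEXT)');
$code = bin2hex(random_bytes(16));   // 128-bit code from a CSPRNG
$db->prepare('INSERT INTO download_codes (code, file_name) VALUES (?, ?)')
   ->execute([$code, 'album.zip']);

var_dump(redeemCode($db, $storageDir, $code));             // first redemption
var_dump(redeemCode($db, $storageDir, $code));             // same code again
var_dump(redeemCode($db, $storageDir, 'not-a-real-code')); // unknown code
```

The code is marked used before any bytes are sent, so a download that fails midway needs a separate policy, such as a short retry window or manual reissue.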
 
brian2000
Forum Newbie
Posts: 4
Joined: Thu Nov 20, 2008 12:21 pm

@ pytrin Re: Secure file downloading

Post by brian2000 »

Thanks for the help, I've never done this before but it looks straightforward, so I'll give it a try.
brian2000
Forum Newbie
Posts: 4
Joined: Thu Nov 20, 2008 12:21 pm

Re: Secure file downloading

Post by brian2000 »

"place them on a directory not accessible from an http request (physically, or by using mod_rewrite),"
Regarding that, can it be a folder on a website?
Like http://www.website.com/secure_folder/
and .htaccess just prohibits access to the folder, however the PHP script can access the folder?

I'm a little foggy on this.

I've seen some people are putting files off of the www root on their server, and that seems even more confusing. How would the paths look?
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: Secure file downloading

Post by Eran »

We had a short discussion on it in this thread - viewtopic.php?f=34&t=91033
brian2000
Forum Newbie
Posts: 4
Joined: Thu Nov 20, 2008 12:21 pm

Re: Secure file downloading

Post by brian2000 »

Hey, thanks for all the help.
I gave it a try and everything is running smoothly, a lot easier than I thought.

Quick question:

Would you say mod_rewrite is a better method, or using a folder that HTTP has no access to, like off of the www root?
Or would you say they are the same and it's just a matter of preference?