
Secure file downloading

Posted: Thu Nov 20, 2008 12:41 pm
by brian2000
I am rather proficient in PHP; however, the problem I am currently trying to solve is something I have never been faced with before, and thus I am looking for the best possible solution for it before trying different things out and potentially failing horribly.

My friend requested my services in creating a website for his band, which will allow customers a one-time download of his band’s album.

A lot of ‘indie’ recording labels have websites where you enter a huge code into a webform, and the file (usually a zip) will download to the customer’s computer. I’m sure some (or most) of you have seen sites like this before.

Obviously there is a database full of codes and what album/file they correspond to, and the form updates the database and sends the download to the customer’s browser.

I am trying to figure out what the best method of doing this would be: how would I keep the album files secure on the server to prevent unauthorized access to them, how should the database be structured, how should the download portion be handled, etc.

It’s a tricky situation, but if done properly can be valuable to many people.

[In advance, thanks for any help/suggestions/links/examples etc]

Re: Secure file downloading

Posted: Thu Nov 20, 2008 12:57 pm
by Eran
As you said - assigning unique identifiers to be used and then invalidating them after usage is the way to go.
In order to protect your files from direct access, place them on a directory not accessible from an HTTP request (physically, or by using mod_rewrite), and instead serve the script using PHP.
To do that you just need to output the correct headers (Google for 'force download headers') and output the contents of the files using one of PHP's many file reading functions.

Something like:

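// $file is the filename (including path) you want to serve
if(is_readable($file) ) {
     // Tell the browser to save the response instead of rendering it
     header("Content-type: application/force-download");
     header("Content-Transfer-Encoding: Binary");
     header("Content-length: ".filesize($file));
     // Offer only the base name to the client, never the server-side path
     header("Content-disposition: attachment; filename=\"".basename($file)."\"");
     // Stream the file contents to the client
     readfile($file);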
}
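
One way to implement the redeem-then-serve flow discussed in this thread, as an added example that is not code from any poster: the code is invalidated with a single conditional UPDATE so it cannot be redeemed twice by concurrent requests, and the file name comes from the database and is resolved inside a storage directory outside the web root. The table `download_codes`, its columns, the sample code value and the paths are assumptions made for illustration.

```php
<?php
// Added example. Table, column, code and path names are hypothetical.
// Claim a one-time code; returns the absolute file path to serve, or null.
function redeemCode(PDO $db, string $storageDir, string $code): ?string
{
    // The "used_at IS NULL" condition makes the claim atomic: of two
    // concurrent requests with the same code, only one UPDATE changes a row.
    $claim = $db->prepare(
        'UPDATE download_codes SET used_at = :now WHERE code = :code AND used_at IS NULL'
    );
    $claim->execute([':now' => time(), ':code' => $code]);
    if ($claim->rowCount() !== 1) {
        return null; // unknown code, or already redeemed
    }
    $lookup = $db->prepare('SELECT filename FROM download_codes WHERE code = :code');
    $lookup->execute([':code' => $code]);
    // The file name comes from the database, never from the request; basename()
    // and the realpath() prefix check keep it inside the storage directory.
    $base = realpath($storageDir);
    $path = realpath($base . DIRECTORY_SEPARATOR . basename((string) $lookup->fetchColumn()));
    if ($base === false || $path === false || !is_readable($path)
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// In a web request, call this with the path returned by redeemCode().
function sendDownload(string $path): void
{
    header('Content-Type: application/octet-stream');
    header('Content-Length: ' . filesize($path));
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    readfile($path);
}

// Constructed demo data: an in-memory SQLite database and a temp directory
// standing in for a storage folder that sits outside the web root.
$storage = sys_get_temp_dir() . '/albums_demo';
@mkdir($storage);
file_put_contents($storage . '/album.zip', 'constructed sample bytes');
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE download_codes (code TEXT PRIMARY KEY, filename TEXT, used_at INTEGER)');
$db->exec("INSERT INTO download_codes VALUES ('K7Q2-EXAMPLE-CODE', 'album.zip', NULL)");

var_dump(redeemCode($db, $storage, 'K7Q2-EXAMPLE-CODE')); // first redemption
var_dump(redeemCode($db, $storage, 'K7Q2-EXAMPLE-CODE')); // same code again
```

The code is marked as used before any bytes are sent, so a failed transfer still consumes it; whether to allow a short retry window is a policy decision for the site.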
 

@ pytrin Re: Secure file downloading

Posted: Thu Nov 20, 2008 1:49 pm
by brian2000
Thanks for the help, I've never done this before but it looks straightforward, so I'll give it a try.

Re: Secure file downloading

Posted: Fri Nov 21, 2008 9:03 am
by brian2000
"place them on a directory not accessible from an http request (physically, or by using mod_rewrite),"
Regarding that, can it be a folder on a website?
Like http://www.website.com/secure_folder/
and .htaccess just prohibits access to the folder, however the PHP script can access the folder?

I'm a little foggy on this.

I've seen some people are putting files off of the www root on their server, and that seems even more confusing. How would the paths look?

Re: Secure file downloading

Posted: Fri Nov 21, 2008 9:18 am
by Eran
We had a short discussion on it in this thread - viewtopic.php?f=34&t=91033

Re: Secure file downloading

Posted: Tue Dec 02, 2008 1:11 pm
by brian2000
Hey, thanks for all the help.
I gave it a try and everything is running smoothly, a lot easier than I thought.

Quick question:

Would you say mod_rewrite is a better method, or using a folder that HTTP has no access to, like off of the www root?
Or would you say they are the same and it's just a matter of preference?