PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 

All times are UTC - 5 hours




Posted: Tue Jul 29, 2003 3:30 am
Forum Newbie

Joined: Tue Jul 29, 2003 3:30 am
Posts: 3
OK, first post here so be gentle :-)

I need help as I have to include (as a part of my web site) the ability to securely download a file to a user and for that file to be downloaded by only him/her - but as many times as they like.

Basically they are going to have the option to pay a few bucks and have access to a custom app that will improve the game. I will link its use to their gaming account anyway so it's not a big deal really, but I want to only let them download it if they have paid for it. It's a method for my players to support me if they are an uber-player and want to use extra app features. (It's a web game otherwise.)

I am using php/mySql (of course) and I am not sure if I need to go for a generic database=file solution (I have had headaches from these when trying them out for jpg images etc but they DO seem popular) or if I need to go for a http://www.mysite.com/some/folder/SOME- ... 5/file.exe solution (if you get my drift). But that in itself is not secure cos that link could be pasted all over the net. My preferred solution is to give a user the ability to access the file at a set "virtual location" which in fact is all one location AND only if that user has the rights to it.

Do I make any sense? It's actually an easy question to understand if you understand my need. i.e. I need to get exe file access only to logged in users I know are entitled access to it.


Posted: Tue Jul 29, 2003 7:50 am
Forum Contributor

Joined: Tue Dec 17, 2002 6:37 am
Posts: 345
Location: Sydney, Australia
I guess you could use the "copy" function of PHP to move the file from a non-www accessible folder to a www-accessible folder when it's called, then create a script, which you would cron-job, to delete any files inside the www-accessible folder, every half hour or so..

Just a thought. And use your MySQL database to authenticate the user. So if there's a field called "Pay_Member" and when the member has paid it equals "1", then use something like

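```php
// $pay_member holds the value of the "Pay_Member" field read from MySQL for the logged-in user
if ( $pay_member == "1" ) {
   // copy the file from the private folder into the web-accessible folder
   copy( "/non-www_accessible_folder/file.exe" , "/www/dir/file.exe" ) or die( "Bah something went wrong" );
}
else {
   echo "You dont have permission";
}
```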


Posted: Tue Jul 29, 2003 8:29 am
Forum Newbie

Joined: Tue Jul 29, 2003 3:30 am
Posts: 3
Thanks for the post

I guess I could populate a bogus folder with the file(s) they are entitled logged in when they log in and remove those same files every time they are idle/logout. It seems too inelegant though.

I know what I want to do, I want to allow the download of a file only if you are logged in with permission. There are loads of file download sites that do this. Pretty much half the sites that offer free stuff need you to be logged in to get it.

Is that really how they handle this? I am sure it has to be less of a faff. If not, it doesn't really matter in one way because disk space is rarely a problem these days, bandwidth is.

Are there any free projects on sourceforge that people know about by any chance?

Thanks in Advance


Posted: Wed Jul 30, 2003 8:38 am
Forum Contributor

Joined: Tue Dec 17, 2002 6:37 am
Posts: 345
Location: Sydney, Australia
The discussion about this has appeared many times on devnet.. No matter how well your download script is coded, HTTP requests are made when downloading a file, and there are programs which can track down the HTTP location of files even through scripts that say they "protect" your download location.

The only true safe way was what I mentioned about using copy, and I thought about it, and effectively you could delete it without needing cron-jobs... If you're still interested just message back, I'm pretty tired so I couldn't be bothered typing. :)


Posted: Wed Jul 30, 2003 1:10 pm
DevNet Master

Joined: Thu Jan 30, 2003 9:26 pm
Posts: 2893
Location: Glasgow, Scotland
Could you put the files in a folder which only php scripts have permission to access?

An authentication script could block anyone who is not allowed to download the file, then use php ftp functions to download it.

You'd possibly also have to write some php scripts to manage files in the folder.


Posted: Wed Jul 30, 2003 11:32 pm
Forum Commoner

Joined: Wed Jul 17, 2002 2:15 am
Posts: 29
The quickest thing I can think of is instead of copying the file there via PHP, just putting a PHP script there that reads the file and feeds it to the browser if he or she is logged in. Not really hard to do with some creative use of fopen(), echo(), feof(), a while loop, and an octet stream header(). If you want me to whip up a quick demo for you I could.


Posted: Wed Aug 06, 2003 9:24 am
Forum Newbie

Joined: Wed Aug 06, 2003 9:24 am
Posts: 1
I had to devise a way to do this for a company I worked for (needed a way for customers to download manuals w/o keeping them in webroot).

Here is the code (stripped out of some other code so you have to decide how to pass $filename to it and of course error checking needs to be done):

```php
<?php
// $filename must be set by the calling code to the server-side path of the
// file (kept outside the webroot); never take it directly from user input.
$file = fopen($filename, 'rb'); // binary-safe read

//set some HTTP headers
Header('Content-Type: application/x-octet-stream');
Header('Content-Transfer-Encoding: binary');
Header('Content-Length: ' . filesize($filename));
Header('Cache-Control: no-cache, must-revalidate'); //HTTP 1.1
Header('Cache-Control: post-check=0, pre-check=0', false); //HTTP 1.1
Header('Pragma: no-cache'); //HTTP 1.0
Header('Content-Description: Whatever the file is');
// send only the base name so the server-side path is not exposed
Header('Content-Disposition: attachment; filename="' . basename($filename) . '"');
Header('Title: ' . basename($filename));

// stream the file to the client in 4 KB chunks
while (!feof($file))
     print(fread($file, 4096));

fclose($file);
?>
```


This should allow you to create a link that will directly open the browser's download dialog. It also prevents MSIE from trying to open up helper apps rather than downloading the file as it should.

Also, due to a bug in certain browsers (earlier versions of NS6 and Mozilla mainly), you need to make sure that the link is something similar to this:
http://www.example.com/download.php/?

The /? keeps the browser from trying to name the file "download.php" or whatever you call the script. We were using sessions when we created this, so there was nothing else on the URL string; I'd imagine if you passed some things via $_GET you can disregard this.

HTH


Post subject: hi
Posted: Thu Aug 21, 2003 9:12 am
Forum Newbie

Joined: Mon Jun 30, 2003 10:14 am
Posts: 7
Can I ask one thing :lol:
This is the code I use to upload a file using the copy() function

```php
$servername = "http://mysite.com";
copy ("$file","$servername$file_name");
```

When I run it I get an error. I don't know why, but if I set $servername to "c:/" (when I test at localhost) it works well.


Posted: Thu Aug 21, 2003 9:29 am
Forum Commoner

Joined: Thu Aug 14, 2003 7:14 am
Posts: 87
Location: Brussels, Belgium
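Solsys' way is the way to go...
You could even use

```php
// open the file read-only in binary mode (fopen() requires the mode argument)
$fp = fopen($path.$to.$file, 'rb');
// send the rest of the file straight to the client
fpassthru($fp);
fclose($fp);
```

on newer php version (don't remember where this was included)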

Simply before passing the file thru to the client verify it is ok to do so (auth). I would go for the $_GET (like download.php?file=pr0n.mpg ;) ) or pass a file ID, that's used to lookup file infos (like location) on the server.

You could setup
site.com/htdocs/ as document root and
site.com/files/ as private file root

The copy way is NOT the way to go, it is security thru obscurity (only M$ does that!) lol!

Your copy file to location http://site.com/where/ever/the/file.goes seems pretty much impossible to me
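
The approach the later replies converge on (a script that checks the login and the entitlement, looks the file up by ID, and streams it from a directory outside the document root), as an added example that is not code from any poster in this thread. The `files` and `entitlements` tables, `$_SESSION['user_id']`, `PRIVATE_ROOT`, the DSN and `entitled_path()` are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example. Hypothetical names: PRIVATE_ROOT, entitled_path(), the files and
// entitlements tables, the DSN, and $_SESSION['user_id'] (set by the site's login code).
const PRIVATE_ROOT = '/srv/site.com/files';   // private file root, outside htdocs/

// Return the real path of file $fileId only if user $userId has paid for it.
function entitled_path(PDO $db, int $userId, int $fileId): ?string
{
    $stmt = $db->prepare(
        'SELECT f.path FROM files f
           JOIN entitlements e ON e.file_id = f.id
          WHERE e.user_id = ? AND f.id = ?'
    );
    $stmt->execute([$userId, $fileId]);
    $rel  = $stmt->fetchColumn();
    $root = realpath(PRIVATE_ROOT);
    if ($rel === false || $root === false) {
        return null;                          // unknown file, or not entitled
    }
    // Resolve ".." and symlinks, then require the result to stay under the private root.
    $real   = realpath($root . '/' . $rel);
    $inside = $real !== false
        && strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) === 0;
    return ($inside && is_file($real)) ? $real : null;
}

session_start();
$userId = $_SESSION['user_id'] ?? null;
$fileId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);   // download.php?id=3
if ($userId === null) {
    http_response_code(403);
    exit('Please log in.');
}
$db   = new PDO('mysql:host=localhost;dbname=game', 'app_user', getenv('DB_PASS') ?: '');
$path = is_int($fileId) ? entitled_path($db, (int) $userId, $fileId) : null;
if ($path === null) {
    http_response_code(404);                  // same answer for "missing" and "not yours"
    exit('Not found.');
}
session_write_close();                        // release the session lock before streaming
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . str_replace('"', '', basename($path)) . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Because the client only ever sends a numeric ID and the check runs on every request, a pasted link is useless to anyone who is not logged in as an entitled user, and no file name or path from the request reaches the filesystem.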


Post subject: Re: hi
Posted: Fri Aug 22, 2003 2:48 am
Forum Contributor

Joined: Fri Jun 21, 2002 9:38 am
Posts: 120
Location: Memphis, TN
TLPD wrote:
> Can I ask one thing :lol:
> This is the code I use to upload a file using the copy() function
>
>     $servername = "http://mysite.com";
>     copy ("$file","$servername$file_name");
>
> When I run it I get an error. I don't know why, but if I set $servername to "c:/" (when I test at localhost) it works well.

The second parameter needs to be a location on the local file system, not a URL. It can either be relative to the current directory the script is running in, or an absolute path from the root - in your case c:\

