PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.		  
Loading
It is currently Thu Aug 22, 2019 3:20 am

View unanswered posts | View active topics


Board index » Programming » PHP - Theory and Design

All times are UTC - 5 hours




Post new topic Reply to topic  Page 1 of 1
  [ 10 posts ] 
  Print view Previous topic | Next topic 
Author Message
warfleet
PostPosted: Tue Jul 29, 2003 3:30 am 
Offline
Forum Newbie

Joined: Tue Jul 29, 2003 3:30 am
Posts: 3
OK, first post here so be gentle :-)

I need help as I have to include (as a part of my web site) the ability to securely download a file to a user and for that file to be downloaded by only him/her - but as many times as they like.

Basically they are going to have the option to pay a few bucks and have access to a custom app that will imrove the game. I will link its use to their gaming account anyway so its not a big deal really, but I want to only let them download it if they have paid for it. Its a methiod for my players to support me if they are an uber-player and want to use extra app features. (its a web game otherwise)

I am using php/mySql (of course) and I am not sure if I need to go for a generic database=file solution (I have had headaches from these when trying them out for jpg images etc but they DO seem popular) or if I need to go for a http://www.mysite.com/some/folder/SOME- ... 5/file.exe solution (if you get my drift) But that (in itself is not secure cos that link could be pasted all over the net) My preferred solution is to give a user the ability to access to the file at a set "virtual location" which in fact is all one location AND only if that user has the rights to it.

Do I make any sense? Its actually an easy question to understand if you understand my need. i.e. I need to get exe file access only to logged in users I know are entitled access to it.
Top
 Profile  
 
evilcoder
 Post subject:
PostPosted: Tue Jul 29, 2003 7:50 am 
Offline
Forum Contributor

Joined: Tue Dec 17, 2002 6:37 am
Posts: 345
Location: Sydney, Australia
i guess you could use the "copy" function of PHP to move the file from a non-www accessible folder to a www-accessible folder when it's called, then create a script, which you would cron-job, to delete any files inside the www-accessible folder, every half hour or so..

just a thought. And use your MySQL database to authenticate the user. So if theres a field called "Pay_Member" and when the member has paid it equals "1", then use something like

Syntax: [ Download ] [ Hide ]
if ( $1 == "1" ) {

   copy( "/non-www_accessible_folder/file.exe" , "/www/dir/file.exe" ) or die( "Bah something went wrong" );

}

else {

   echo "You dont have permission";

}
Top
 Profile  
 
warfleet
 Post subject:
PostPosted: Tue Jul 29, 2003 8:29 am 
Offline
Forum Newbie

Joined: Tue Jul 29, 2003 3:30 am
Posts: 3
Thanks for the post

I guess I could populate a bogus folder with the file(s) they are entitled logged in when they log in and remove those same files every time they are idle/logout. It seems too in-elegant though.

I know what I want to do, I want to allow the download a file only if you are logged in with permission. There are loads of file download sites that do this. Pretty much half the sites that offer free stuff need you to be logged in to get it.

Is that really how they handle this? I am sure it has to be less of a faff. If not, it doesn't really matter in one way because disk space is rarely a problem these days, bandwidth is.

Are there any free projects on sourceforge that people know about by any chance?

Thanks in Advance
Top
 Profile  
 
evilcoder
 Post subject:
PostPosted: Wed Jul 30, 2003 8:38 am 
Offline
Forum Contributor

Joined: Tue Dec 17, 2002 6:37 am
Posts: 345
Location: Sydney, Australia


Top
 Profile  
 
McGruff
 Post subject:
PostPosted: Wed Jul 30, 2003 1:10 pm 
Offline
DevNet Master

Joined: Thu Jan 30, 2003 9:26 pm
Posts: 2893
Location: Glasgow, Scotland
Could you put the files in a folder which only php scripts have permission to access?

An authentication script could block anyone who is not allowed to download the file, then use php ftp functions to download it.

You'd possibly also have to write some php scripts to manage files in the folder.
Top
 Profile  
 
MrNonchalant
 Post subject:
PostPosted: Wed Jul 30, 2003 11:32 pm 
Offline
Forum Commoner
User avatar

Joined: Wed Jul 17, 2002 2:15 am
Posts: 29


Top
 Profile  
 
Solsys
 Post subject:
PostPosted: Wed Aug 06, 2003 9:24 am 
Offline
Forum Newbie

Joined: Wed Aug 06, 2003 9:24 am
Posts: 1
I had to devise a way to do this for a company I worked for, (needed a way for customers to download manuals w/o keeping them in webroot.)

here is the code:(stripped out of some other code so you have to decide how to pass $filename to it and of course error checking needs to be done)

Syntax: [ Download ] [ Hide ]
<?php



$file = fopen($filename, 'r');



//set some HTTP headers

Header('Content-Type: application/x-octet-stream');

Header('Content-Transfer-Encoding: binary');

Header('Content-Length: ' . filesize($filename));

Header('Cache-Control: no-cache, must-revalidate'); //HTTP 1.1

Header('Cache-Control: post-check=0, pre-check=0', false); //HTTP 1.1

Header('Pragma: no-cache'); //HTTP 1.0

Header('Content-Description: Whatever the file is');

Header('Content-Disposition: attachment; filename="'.$filename.'"');

Header('Title: ' .$filename());



while(!$feof($file))

     print(fread($file, 4096));



fclose($file);

?>


This should allow you to create a link that will directly open the browsers download dialog. It also prevents MSIE from trying to open up helper apps rather than downloading the file as it should.

Also due to a bug in certain browsers(Earlier versions of NS6 and Mozilla mainly), you need to make sure that the link
is something similar to this:
http://www.example.com/download.php/?

the /? keeps the browser from trying to name the file "download.php" or whatever you call the script. We were using sessions when we created this, so there was nothing else on the URL string, I'd imagine if you passed some things via $_GET you can disreguard this.

HTH
Top
 Profile  
 
TLPD
 Post subject: hi
PostPosted: Thu Aug 21, 2003 9:12 am 
Offline
Forum Newbie
User avatar

Joined: Mon Jun 30, 2003 10:14 am
Posts: 7


Top
 Profile  
 
greenhorn666
 Post subject:
PostPosted: Thu Aug 21, 2003 9:29 am 
Offline
Forum Commoner
User avatar

Joined: Thu Aug 14, 2003 7:14 am
Posts: 87
Location: Brussels, Belgium
Solsys' way is the way to go...
You could even us
Syntax: [ Download ] [ Hide ]
$fp = fopen($path.$to.$file);

fpassthru($fp);

fclose($fp);


on newer php version (don't remember where this was included)

Simply before passing the file thru to the client verify it is ok to do so (auth). I would go for the $_GET (like download.php?file=pr0n.mpg ;) ) or pass a file ID, that's used to lookup file infos (like location) on the server.

You could setup
site.com/htdocs/ as document root and
site.com/files/ as private file root

The copy way is NOT the way to go, it is security thru obscurity (only M$ does that!) lol!

Your copy file to location http://site.com/where/ever/the/file.goes seems pretty much impossible to me
Top
 Profile  
 
will
 Post subject: Re: hi
PostPosted: Fri Aug 22, 2003 2:48 am 
Offline
Forum Contributor

Joined: Fri Jun 21, 2002 9:38 am
Posts: 120
Location: Memphis, TN


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  Page 1 of 1
  [ 10 posts ] 

Board index » Programming » PHP - Theory and Design

All times are UTC - 5 hours


Who is online

Users browsing this forum: No registered users and 3 guests

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Jump to:  
Powered by phpBB® Forum Software © phpBB Group