PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!
I'm trying to download a file without the user knowing the existing location. But this code is actually downloading a blank file called "..-products-secretfiles-".
The users are downloading a file they have purchased. I don't want a leak to the actual url so they can share it.
The download is now working ok... but I can't figure out how to rename the file. Right now it downloads as "products-secretfiles-filename.zip" when I only want it to say "filename.zip".
Generate a random URL that expires after a certain amount of time.
You're best bet is probably to have a virtual "downloads" directory, and everything beyond that is passed to your file-serving script, which then determines if that URL is valid or if it has expired.
I'm not sure I follow. The code I attached above won't work? It should be secure since it runs authentication before prompting the download.
Now that I check, it's not actually downloading the file, simply creating a blank file with that filename... so I'm lost. Can someone point me to an example, documentation, or something to get me started?
Actually, jwalsh' strategy seems better (thats how we do it overhere too). At first sight it seems all ok (so you might want to check if the $file really exists (eg: print realpath($file)) and test if it's readable...
a DB table contains a date stamp and the fid, if the file is older than so many minutes/hours, it is invalid and the file.php script redirects to 401/404. You can also include the users login credentials on the table for further security.
mod_rewrite isn't needed, but it makes it "nicer."
Generally, an entry into the database will be created when they select to download the file. This entry will map the random garble to the actual file and when it's supposed to expire. The entry could track how many times it's been downloaded (that particular entry) as well, to help you log whether you want to shorten the lifetime to help curb <span style='color:blue' title='I'm naughty, are you naughty?'>smurf</span> .. requesting domain filtering can also help, but create false positives..
I've played with this overnight, and still no luck. The print realpath($file) works fine, and shows the correct location.
It still creates a blank file with the name ..-products-secretfiles-filename.zip. 0kb.
[EDIT: I forgot to uncomment readfile()... LOL. The download does download the file now.... but how can I change the filename, so it doesn't show the "products-secretfiles"]
... determines the download filename, not the source of the download. Thus I needed a second variable with the filename without the location, and used readfile() to generate the real location.