Hiding file location
How difficult is it to hide the file location from the source view and the status bar view? I want my members to be logged in to use the download prog I'm working on. I don't want them cutting and pasting the link and sending it to others to retrieve that are not members.
Just use a referrer check.
lol, okay... using an if/else statement like this:
if($_SERVER['HTTP_REFERER'] != "http://yoursite.com/file.htm"){
echo ("<font color=\"red\">You do not have access to this page.</font>"); } else {
echo ("Blah, blah, blah<br>Click <a href=\"file.ext\">here</a> to download.");
}
Okay time to show my novice face. How does this stop someone from being at my site and using the direct url to the file, instead of using the download section and logging in?
Because, if the previous page of the user was not, in this example, http://yoursite.com/file.htm, it would say that you are not allowed to download it (the first echo). However, if you did come from http://yoursite.com/file.htm, you would see a link to download the file. It's not a very secure way, because if the user is logged in you'll have to authenticate that they are logged in as well. Also, if you're using sessions (which is even more secure than cookies), you'll want to authenticate that, too.
You can also auto-start the download like this:
if($_SERVER['HTTP_REFERER'] != "http://yoursite.com/file.htm"){
echo ("<font color=\"red\">You do not have access to this page.</font>"); } else {
// No echo in this branch: output sent before header() causes "Headers already sent" and would corrupt the file.
header("Content-Type: application/x-zip");
header("Content-Disposition: attachment; filename=yourFile.zip");
readfile('yourOriginalFile.zip');
}
Note that this script would have to be the first thing in your document. Even before the <html> tag, or else you will get an error: "Headers already sent."
Makes sense. Oh well back to scratching my head LOL thanks!
You're welcome. And by the way, I'm just a novice at PHP, too. ;)
Nevermore
05-26-2003, 03:32 AM
Although echo will tell the user off, it won't stop the download. You need to use something a bit more powerful, such as die(''). Why not check that they are logged in using cookies; when they log in, they get a cookie, and can download it until they close their browser. Best thing you could do is set up Apache (if you are using it) not to allow direct file requests to it.
Yes, hot-link protection should be set up for the files, and just let the server handle whether or not the page allows downloading. And, you're right, you'd probably use die('') instead--or exit;. Searching for cookies is not a big deal either--am I right? I've never actually dealt with cookies in PHP.. I think I'll try making a login script or something... But not today. :p
Nevermore
05-26-2003, 08:54 AM
I wouldn't use exit, because it would just look like the browser crashed and wouldn't encourage membership, because they would think your downloads didn't work. Searching for cookies is very easy in PHP.
Oh yeah, duh... Yeah that would be silly. :p
I'm glad cookies are "easy" in PHP... I know they're much more difficult in Javascript, so that's why I wondered.
I have it checking for the forum's cookie now, I just want to stop the direct linking to the download. Currently the cookie check only stops page load if not logged in.
Just set up your Apache server to reject direct linking to the files.
That would work, but I want to be able to offer this to my members for their sites and need to make it as painless as possible.
Oh, I see. A downloadable download script, eh? :p
I presume you still haven't gotten everything you need done, right?
LOL, yup it's in its very early stages. VERY early. It was originally intended for my use only to fill a need, now others want it for their site since it runs with the forum software I use, it uses the same login etc.. It's very basic: you upload to a dir and the script reads the dir and spits the results, organized via a template. Crude to say the least.
Hmmm.... I see. Well, I've never done any of this to tell you the truth, but I can give it a shot.
So, starting from the top... What should we start with? Are we handling file uploads to the forum?
Nevermore
05-26-2003, 01:42 PM
What are you trying to do? Write a script that will stop users directly downloading files, but let logged in users download them?
Originally it was just a bandaid solution to allow me to have an organized download section for free stuff to be accessed by my forum members only. It basically reads a predetermined dir and spits the results in an organized fashion. No glitter or flash, just clean and simple. It's one of my ongoing attempts to learn more about php. I don't envision any organized upload to it, etc.. FTP can do that just as easy LOL
Nevermore
05-26-2003, 02:04 PM
OK, I have some download restriction .htaccess code, that will intercept all attempts in the same directory as it, and all subdirectories of that directory. It will only work if your server is running Apache, though. A scan of your domain tells me that you almost certainly are (version 1.3.27 if I'm not mistaken!). This code will do the trick for files ending in the extensions .gif, .jpg, .exe and .zip, I wasn't sure what you wanted - it can be changed to block access to more file extensions. It will stop linking regardless of case because I have included all cases in the code.
AuthUserFile /dev/null
AuthGroupFile /dev/null
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://www.my-site.com/forum.*$ [NC]
RewriteRule .*[Jj][Pp][Gg]$|.*[Gg][Ii][Ff]$|.*[Ee][Xx][Ee]$|.*[Zz][Ii][Pp]$ http://www.my-error-page.com [R,L]
All you need to do is change the coloured parts according to these rules:
Change the blue area to the file or directory that you want to allow linking from.
Change the red area to the error page that you want to show to people who have been denied. (Perhaps a log in to the forum page?)
Then save it as a file named .htaccess (note that that is the whole file name, not just the extension. The file should have nothing in its name other than .htaccess). OK?
Next, upload it to your server to the directory with your forum in. It will protect the directory and all sub-directories, but you need to stop people accessing it. To do this, either upload it in ASCII format or CHMOD it to 644. ( I think that's the right CHMOD. I'll check.)
PHEW! That was a lot of typing!
If it doesn't work, just post again, and I'll try to help you.
All right. Do you have any code to start with or are we doing this from scratch? Also, what is the code you used to make the cookies, etc., for when they're logged in?
Gonna grab some food and do some family stuff. Will check back later.. gotta run sorry :)
I agree with cijori, this should just be a matter of logging the users in, and only allowing them access to the files. You have quite a few options. One would be what cijori mentioned. You may, however, want it to be more integrated with PHP. If so, you can use HTTP Authentication, or use this password script: http://forums.webdeveloper.com/showthread.php?s=&threadid=9950
Nevermore
05-27-2003, 04:38 AM
Using that password script only allows one username/password. If you do decide to go down that route, then you will probably want to convert it to read username/password combinations from a database.
Yes, exactly. That was meant to just be a demonstration -- something simple. It has much room to be improved.
Nevermore
05-27-2003, 07:06 AM
Don't worry - I'm not criticising your ability with PHP. That would be a bit stupid, really, seeing as how I have to ask you for help...
lol... :D Don't worry, it wasn't taken as such...
Cheers!
DaiWelsh
05-29-2003, 10:10 AM
FYI
if($_SERVER['HTTP_REFERER'] != "http://yoursite.com/file.htm"){
this version is not secure beyond joe public secure, as it is easy enough to fake a referer.
Regards,
Dai
Nevermore
05-29-2003, 12:27 PM
How are you planning to put PHP code in a download?
What cijori is saying is that PHP code is executed on the server, and thus, your source code can not be downloaded through a browser.
DaiWelsh
05-29-2003, 11:58 PM
lol, I am not sure who is asking whom what now, but just in case:-
There are two broad ways you can approach this: you can either have the downloads available directly from the webserver to the web browser and use a built in security mechanism like .htaccess as suggested previously or you can use a PHP solution to download the file.
The way the second works is that the user calls a PHP script with some parameter to identify the file required. The PHP script does the necessary authentication then opens the requested file from disk and passes it back via the web server. A PHP script does not have to return html, it can return any form of content supported by the webserver provided it passes the correct headers and passes the data in the appropriate way e.g. binary data for an image.
So you are correct that the PHP code cannot be 'embedded' in the download file as this would not work and if it did would compromise the download files, however PHP can effectively intercede between the web server and the files to be downloaded in order to only allow certain users to access them. The download files should then be kept in a directory outside the web root or that is protected from direct access to ensure that a user cannot go directly to the download file and bypass this protection.
While the .htaccess method is suitable for many purposes, there are times when you require the authentication to be integrated to existing PHP code (or maybe you don't have rights to use built in webserver protection). While this can be achieved via dbm files, it is a lot easier to use the second method and control access directly with PHP.
Regards,
Dai
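The second approach described in the post above (a PHP script that authenticates, then serves a file kept outside the web root), as an added example that is not part of the original thread. The session key `member_id`, the `file` query parameter, the helper `resolve_download()` and the directory path are hypothetical names chosen for illustration; the forum software's own login check would replace the session test.

```php
<?php
// Added example: download gateway (e.g. download.php?file=pack.zip).
// Assumed names: $_SESSION['member_id'], ?file=, DOWNLOAD_DIR, resolve_download().
declare(strict_types=1);

const DOWNLOAD_DIR = '/home/site/private_downloads'; // outside the web root (assumed path)

/**
 * Map a user-supplied name to a real file inside $dir, or return null.
 * basename() drops any directory part, realpath() resolves ".." and symlinks,
 * and the prefix check confirms the result is still inside $dir.
 */
function resolve_download(string $dir, string $requested): ?string
{
    $base = realpath($dir);
    if ($base === false) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . basename($requested));
    if ($path === false || !is_file($path)) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

session_start();

// 1. Authenticate on server-side login state, not on the Referer header.
if (empty($_SESSION['member_id'])) {
    http_response_code(403);
    exit('Please log in to download files.');
}

// 2. Resolve the requested name; a non-string (?file[]=x) or unknown file is rejected.
$requested = $_GET['file'] ?? '';
$path = is_string($requested) ? resolve_download(DOWNLOAD_DIR, $requested) : null;
if ($path === null) {
    http_response_code(404);
    exit('File not found.');
}

// 3. Send headers before any output, then stream the file and stop.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . str_replace('"', '', basename($path)) . '"');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
exit;
```

Because the files are never reachable by a direct URL, a copied link only works for someone who also holds a valid logged-in session.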