Hiding file location

**J.C.** · 05-25-2003 06:16 PM

How difficult is it to hide the file location from the sourceview and the staus bar view? I want my members to be logged in to use the download prog I'm working on. I don't want them cutting and pasting the link and sending it to others to retreive that are not members.

**Jona** · 05-25-2003 07:50 PM

Just use a referrer check.

**J.C.** · 05-25-2003 09:21 PM

Care to elaborate?

**Jona** · 05-25-2003 09:51 PM

lol, okay... using an if/else statement like this:

PHP Code:


if($_SERVER['HTTP_REFERER'] != "http://yoursite.com/file.htm"){

echo ("<font color=\"red\">You do not have access to this page.</font>"); } else {

echo ("Blah, blah, blah<br>Click <a href=\"file.ext\">here</a> to download.");

}

**J.C.** · 05-25-2003 09:57 PM

Okay time to show my novice face. How does this stop someone from being at my site and using the direct url to the file, instead of using the download section and logging in?

**Jona** · 05-25-2003 10:00 PM

Because, if the previous page of the user was not, in this example, http://yoursite.com/file.htm, it would say that you are not allowed to download it (the first echo). However, if you did come from http://yoursite.com/file.htm, you would see a link to download the file. It's not a very secure way, because if the user is logged in you'll have to authenticate that they are logged in as well. Also, if you're using sessions (which is even more secure than cookies), you'll want to authenticate that, too.

**Jona** · 05-25-2003 10:04 PM

You can also auto-start the download like this:

PHP Code:


if($_SERVER['HTTP_REFERER'] != "http://yoursite.com/file.htm"){

echo ("<font color=\"red\">You do not have access to this page.</font>"); } else {

echo ("Blah, blah, blah<br>Click <a href=\"file.ext\">here</a> to download.");

header("Content-Type: application/x-zip");

header("Content-Disposition: attachment; filename=yourFile.zip");

readfile('yourOriginalFile.zip');

}

Note that this script would have to be the first thing in your document. Even before the <html> tag, or else you will get an erro: "Headers already sent."

**J.C.** · 05-25-2003 10:05 PM

Makes sense. Oh well back to scratching my head LOL thanks!

**Jona** · 05-25-2003 10:06 PM

You're welcome. And by the way, I'm just a novice at PHP, too.

**Nevermore** · 05-26-2003 03:32 AM

Although echo will tell the user off, it won't stop the download. You need to use sometihng a bit more powerful, such as die(''). Why not check that they are logged in using cookies; when they log in, they get a cookie, and can download it until they close their browser. Best thing you could do is set up apache (if you are using it) not to allow direct file requests to it.

**Jona** · 05-26-2003 08:47 AM

Yes, hot-link protection should be set up for the files, and just let the server handle whether or not the page allows downloading. And, you're right, you'd probably use die('') instead--or exit;. Searching for cookies is not a big deal either--am I right? I've never actually dealt with cookies in PHP.. I think I'll try making a login script or something... But not today.

**Nevermore** · 05-26-2003 08:54 AM

I wouldn't use exit, becuase it would just look like the browser crashed and wouldn't encourage membership, because they would think your downloads didn't work. Searching for cookies is very easy in PHP.

**Jona** · 05-26-2003 09:14 AM

Oh yeah, duh... Yeah that would be silly.

I'm glad cookies are "easy" in PHP... I know they're much more difficult in Javascript, so that's why I wondered.

**J.C.** · 05-26-2003 01:05 PM

I have it checking for the forums cookie now, I just want to stop the direct linking to the download. currently the cookie check only stops page load if not logged in.

**Jona** · 05-26-2003 01:09 PM

Just set up your Apache server to reject direct linking to the files.

Thread: Hiding file location

Thread Tools

Display

Hiding file location

Thread Information

Users Browsing this Thread

Bookmarks

Bookmarks

Posting Permissions