www.webdeveloper.com

Thread: How to prevent direct download to file?

  1. #1
    Join Date
    Jul 2013
    Posts
    18

    How to prevent direct download to file?

    Hi all,

    I need to make a link to download a file, but only authorized persons can download it.

    The problem is that anybody can write the direct link for that file and download it. How to prevent that?

  2. #2
    Join Date
    Oct 2012
    Posts
    78
    Can't you use a session on the page so you'll need a login and password to access the page.
    Use SHA1 to hash the password. And http://www.w3schools.com/php/php_sessions.asp.

    This will only work if you want like one or two people to be able to access it; all you have to do is tell them the details.

    As for PHP security I'm sure MD5 is not to be used. There's probably a better way than the way above that someone on here is bound to know.
    Last edited by theyoker; 08-19-2013 at 04:39 PM.

  3. #3
    Join Date
    Mar 2007
    Location
    localhost
    Posts
    2,346
    You have a database and use a serverside to show the link to those authorised to download it.
    Yes, I know I'm about as subtle as being hit by a bus..(\\.\ Aug08)
    Yep... I say it like I see it, even if it is like a baseball bat in the nutz... (\\.\ Aug08)
    I want to leave this world the same way I came into it, Screaming, Incontinent & No memory!
    I laughed that hard I burst my colostomy bag... (\\.\ May03)
    Life for some is like a car accident... Mine is like a motorway pile up...

    Problems with Vista? :: Getting Cryptic wid it. :: The 'C' word! :: Whois?

  4. #4
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,319
    Generally you need a file-server script that will validate the user is logged in and has access to that file, and then serves up the file by reading it from disk (e.g. readfile() or from the DB if you prefer). If doing a readfile(), you can simply put the file(s) outside of the web document root directory tree, so no one can access it via HTTP (or you can have it in the web root but use .htaccess to prohibit access). You might still use a DB to record meta-data about the files, including file names, directories, and types. Then the download link would point to the file-server script, which validates the user and the input (e.g. ?file=some_id_here), and if everything is okay, use header() to set some file-type headers and such, then readfile() the desired file path-name extracted from the DB.
    "Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
    ~ Terry Pratchett in Nation

    eBookworm.us
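
    A file-server script along the lines post #4 describes, as an added example that is not code from the thread. STORAGE_DIR, file_metadata(), the user_id session key and the sample row are assumptions made for illustration:

```php
<?php
declare(strict_types=1);
// Assumption: a directory outside the web document root, so no URL maps to it.
const STORAGE_DIR = '/srv/private_files';
// Constructed stand-in for the DB metadata lookup described in the post.
function file_metadata(int $id): ?array
{
    $rows = [
        17 => ['path' => 'reports/q2.pdf', 'name' => 'q2-report.pdf',
               'type' => 'application/pdf', 'allowed' => [3, 8]],
    ];
    return $rows[$id] ?? null;
}

// Decide the HTTP status for a request; returns [status, metadata-or-null].
function resolve_download(array $session, array $query): array
{
    if (empty($session['user_id'])) {
        return [401, null];                       // not logged in
    }
    $id = filter_var($query['file'] ?? null, FILTER_VALIDATE_INT);
    $meta = ($id === false) ? null : file_metadata($id);
    if ($meta === null) {
        return [404, null];                       // malformed or unknown id
    }
    if (!in_array($session['user_id'], $meta['allowed'], true)) {
        return [403, null];                       // logged in, but not entitled
    }
    return [200, $meta];
}

session_start();
[$status, $meta] = resolve_download($_SESSION, $_GET);
$base = realpath(STORAGE_DIR);
$full = $meta ? realpath(STORAGE_DIR . '/' . $meta['path']) : false;
// The resolved path must stay under STORAGE_DIR even if a DB row is wrong.
$inside = $base && $full && strncmp($full, $base . '/', strlen($base) + 1) === 0;
if ($status === 200 && !($inside && is_file($full))) {
    $status = 404;
}
if ($status !== 200) {
    http_response_code($status);
    exit;
}
header('Content-Type: ' . $meta['type']);
header('Content-Disposition: attachment; filename="' . $meta['name'] . '"');
header('Content-Length: ' . filesize($full));
header('X-Content-Type-Options: nosniff');
readfile($full);
```

    The request only ever supplies an integer id; the path and download name come from the metadata, never from the URL.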

  5. #5
    Join Date
    Mar 2007
    Location
    localhost
    Posts
    2,346
    If you don't wish to have a login scenario, you could have a database that is used to store hash keys.

    The person rolls up to your website and is asked to provide an email address and, if you want, a PIN number to access the file.

    Your system generates a hash key, stores it with the email in the database.

    You then have a script generate a URL using the hash key and that then gets emailed to the user.

    They then get an email with the URL to the file; that download script then asks the user to validate their email and supply a PIN if generated.

    The download then starts.

    You then have the hash tag and email deleted from the database, which then renders that link useless, and the person then has to provide an email to get a hash key, which can be as simple as the user's email address + the PHP time() function's value.

  6. #6
    Join Date
    Aug 2013
    Posts
    3
    You may want to try PHP HTTP Authentication. http://php.net/manual/en/features.http-auth.php

  7. #7
    Join Date
    Mar 2007
    Location
    localhost
    Posts
    2,346
    Originally Posted by gracerivas:
    You may want to try PHP HTTP Authentication. http://php.net/manual/en/features.http-auth.php
    That's fine if you want to have a user log in, but you need something to test it against, which implies that the person visiting has an account.

    The same can be achieved in an Apache server's .htaccess.

    You can achieve the same with simple javascript, but that has the vulnerability of being bypassed by browsers that don't use javascript because they either don't have it or it has been disabled.

    I have been fleshing out a system which, when a request for a file is made, asks for an email address, generates a hash and a URL, and sends an email to the address; the user then clicks the link in the email and punches in the PIN number and/or email address used to obtain the link, and the whole thing is one time use.

    Then any file request is not hot link-able.
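
    The one-time e-mailed link from posts #5 and #7, as an added example that is not code from the thread. It uses random_bytes() for the key rather than a value built from the e-mail address and time(), since anyone who knows the address could rebuild such a value. The $store array, TOKEN_TTL, MAX_TRIES, the function names and the sample URL are assumptions:

```php
<?php
declare(strict_types=1);
const TOKEN_TTL = 3600;   // assumption: a link is valid for one hour
const MAX_TRIES = 5;      // assumption: failed PIN/e-mail attempts allowed per link

// $store is a constructed in-memory stand-in for the database table.
function issue_token(array &$store, string $email, string $pin, int $fileId, int $now): string
{
    $token = bin2hex(random_bytes(32));            // unguessable value for the URL
    $store[hash('sha256', $token)] = [             // only the hash is kept server-side
        'email'   => strtolower(trim($email)),
        'pin'     => password_hash($pin, PASSWORD_DEFAULT),
        'file_id' => $fileId,
        'expires' => $now + TOKEN_TTL,
        'tries'   => 0,
    ];
    return $token;
}

// Returns the file id on success and deletes the row, so the link works once.
function redeem_token(array &$store, string $token, string $email, string $pin, int $now): ?int
{
    $key = hash('sha256', $token);
    $row = $store[$key] ?? null;
    if ($row === null) {
        return null;                               // unknown or already used
    }
    $ok = $now <= $row['expires']
        && hash_equals($row['email'], strtolower(trim($email)))
        && password_verify($pin, $row['pin']);
    if (!$ok) {
        // Expired links and links with too many bad attempts are dropped.
        if ($now > $row['expires'] || ++$store[$key]['tries'] >= MAX_TRIES) {
            unset($store[$key]);
        }
        return null;
    }
    unset($store[$key]);
    return $row['file_id'];
}

// Constructed walk-through: wrong PIN, correct PIN, then reuse of the same link.
$store = [];
$now   = time();
$token = issue_token($store, 'user@example.com', '4821', 17, $now);
$url   = 'https://files.example/download.php?t=' . $token;   // what gets e-mailed
var_dump(redeem_token($store, $token, 'user@example.com', '0000', $now));
var_dump(redeem_token($store, $token, 'user@example.com', '4821', $now));
var_dump(redeem_token($store, $token, 'user@example.com', '4821', $now));
```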
