
file protection

 
#1
December 22nd, 2005, 09:25 PM
Yannick Benoit

Hi!
Can anyone tell me a way to protect files from being downloaded from other
sites using PHP?

Thanks

Yang



#2
December 22nd, 2005, 09:55 PM
Andy Hassall

On Thu, 22 Dec 2005 17:01:55 -0500, "Yannick Benoit" <yanglike@sympatico.ca>
wrote:

>Can anyone tell me a way to protect files from being downloaded from other
>sites using PHP?

Bear in mind that sites don't download files - clients do. Do you really mean
you want to prevent other sites linking to your files?

You could put the files behind some sort of login system.

Checking HTTP_REFERER will no doubt be mentioned, but this is unreliable -
browsers are under no obligation to send the header, or populate it with the
correct value. It might be reliable enough for your needs; I don't know what
the numbers are on how many browsers send real referrer values, at a wild guess
I'd say maybe 75%? To avoid annoying legitimate users, it should accept blank
values for HTTP_REFERER, and only reject values that don't match your site, if
you choose this method.

--
Andy Hassall :: andy@andyh.co.uk :: http://www.andyh.co.uk
http://www.andyhsoftware.co.uk/space :: disk and FTP usage analysis tool
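
An added example (not part of any post in this thread) of the referer policy described above: accept a blank header, otherwise require the parsed host to equal your own. The host name www.example.com and the sample referer values are constructed for illustration.

```php
<?php
// Added example. $siteHost is an assumed value for your own site, and the
// sample referers at the bottom are constructed.

/** Return true if the request may proceed under the "blank or own site" rule. */
function referer_allowed(?string $referer, string $siteHost): bool
{
    // Blank or absent header: accept, so clients that omit it are not blocked.
    if ($referer === null || trim($referer) === '') {
        return true;
    }
    // Compare the parsed host exactly. Searching the whole header for the
    // site name would also match it inside a longer host name or inside a
    // query string, so the comparison is done on the host component only.
    $host = parse_url(trim($referer), PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $siteHost) === 0;
}

// In a page you would pass $_SERVER['HTTP_REFERER'] ?? null as $referer.
$samples = [
    null,                                      // header not sent
    '',                                        // header sent but empty
    'http://www.example.com/downloads.html',   // own site
    'http://WWW.EXAMPLE.COM/',                 // own site, different case
    'http://www.example.com.other.test/page',  // own name as a prefix only
    'http://other.test/?ref=www.example.com',  // own name in the query only
    'not a url',                               // no host component
];
foreach ($samples as $r) {
    $verdict = referer_allowed($r, 'www.example.com') ? 'allow' : 'reject';
    printf("%-45s %s\n", var_export($r, true), $verdict);
}
```

Because a blank header is accepted, this only discourages links from other sites; it does not authenticate anyone.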
#3
December 22nd, 2005, 10:15 PM
Iván Sánchez Ortega

Yannick Benoit wrote:

> Can anyone tell me a way to protect files from being downloaded from other
> sites using PHP?

Don't put the files in the document root of your webserver, use readfile()
or a similar function to provide the file, and check the HTTP referrer.

--
Iván Sánchez Ortega -i-punto-sanchez--arroba-mirame-punto-net

When society is ready, I will try to be different.
#4
December 22nd, 2005, 10:45 PM
Yannick Benoit

Hi!
I know I could use login and check http_referers.
But when the person gets to download the file then he
has the direct link to the file so later he doesn't have to
log in anymore. That is what I want to prevent.
I don't want people to be able to download the file directly
without being authenticated.

Thank you for your help.



"Iván Sánchez Ortega" <i.punto.sanchez--@rroba--mirame.punto.net> wrote in
message news:uomr73-bna.ln1@blackspark.escomposlinux.org...
> Yannick Benoit wrote:
>
>> Can anyone tell me a way to protect files from being downloaded from
>> other sites using PHP?
>
> Don't put the files in the document root of your webserver, use readfile()
> or a similar function to provide the file, and check the HTTP referrer.


#5
December 22nd, 2005, 11:15 PM
Bob Smith

On 12/22/2005 6:21 PM, Yannick Benoit wrote:
> Hi!
> I know I could use login and check http_referers.
> But when the person gets to download the file then he
> has the direct link to the file so later he doesn't have to
> log in anymore. That is what I want to prevent.
> I don't want people to be able to download the file directly
> without being authenticated.

Go through a login script the first time and set a cookie with authentication
info. The next time the login script is run, check for the cookie first, and,
if authenticated, skip the login.

This allows a user to save a link to a file (perhaps as
http://www.example.com/login.php?file=secret.txt) and load it anytime. She
needs to authenticate explicitly the first time only; thereafter the
authentication is done silently.

--
_________________________________________
Bob Smith -- bsmith@sudleydeplacespam.com
a.k.a. bsmith@dequalitasspam.com

To reply to me directly, delete "despam".
#6
December 22nd, 2005, 11:55 PM
Pedro Graca

Yannick Benoit wrote:
> Can anyone tell me a way to protect files from being downloaded from other
> sites using PHP?

You may want to take a peep at
http://www.php.net/unlink

SCNR



Or even readfile @ http://www.php.net/readfile

Put the files outside the web directory, validate the access and serve
the files (or not) with readfile().


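<?php
session_start(); // $_SESSION is empty unless the session has been started

// convert_id_to_filename() is not shown in the post; this stand-in maps
// known ids to paths outside the web directory (placeholder path).
function convert_id_to_filename($id) {
    $files = array(1 => '/path/outside/webroot/file1.zip');
    return isset($files[$id]) ? $files[$id] : false;
}

$done = false;
// only proceed for a session that the login code has marked as allowed
if (!empty($_SESSION['ok_to_download']) && isset($_GET['id'])) {
    $filename = convert_id_to_filename((int)$_GET['id']);
    clearstatcache();
    if (($filename !== false) && (file_exists($filename)) && (is_readable($filename))) {
        // send headers, then the file itself
        header('Content-Type: application/octet-stream');
        header('Content-Length: ' . filesize($filename));
        readfile($filename);
        $done = true;
    }
}
if (!$done) {
    header('Content-Type: text/plain');
    echo 'You can\'t do that now.';
}
?>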
--
Mail to my "From:" address is readable by all at http://www.dodgeit.com/
== ** ## !! ------------------------------------------------ !! ## ** ==
TEXT-ONLY mail to the whole "Reply-To:" address ("My Name" <my@address>)
may bypass my spam filter. If it does, I may reply from another address!
#7
December 23rd, 2005, 01:25 AM
Gordon Burditt

>I know I could use login and check http_referers.
>But when the person gets to download the file then he
>has the direct link to the file so later he doesn't have to
>log in anymore.

So make sure the *ONE* and *ONLY* URL that can be used to retrieve
the file checks whether the person is logged in.

>That is what I want to prevent.
>I don't want people to be able to download the file directly
>without being authenticated.

Put the actual file outside the document tree so the web server
will not serve it directly with any URL. Install in the document
tree a PHP page that checks that the user is logged in, then generates
an appropriate content-type header, then serves the file by calling
fpassthru(). The file can be anything you want: image, executable,
virus, .zip, or whatever, and its being binary won't hurt.

This is the URL you give to a user. The user can post it on the
Internet if he wants to, or you can let Google index it, but assuming
you properly wrote your login check, nobody can get the file unless
they are logged in.

I recommend the use of PHP sessions for handling logins, but there
are other ways that also work.

Gordon L. Burditt
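
An added example, not code from any poster in this thread, of the gate script described above: the only URL for a file checks the session, then streams the file from a directory outside the document tree with fpassthru(). It takes the file name from a `file` parameter as in the login.php?file=secret.txt link earlier in the thread; PRIVATE_DIR and the `user_id` session key are assumptions.

```php
<?php
// Added example, not code from the thread. PRIVATE_DIR and the 'user_id'
// session key are assumptions; set them to match your own login code.
const PRIVATE_DIR = '/srv/private-files';   // outside the document root

/**
 * Map a client-supplied name to a readable file directly inside $baseDir.
 * Returns null when the name is missing, unknown, or resolves elsewhere.
 */
function resolve_download(string $baseDir, $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || !is_string($requested)) {
        return null;
    }
    // basename() discards any directory part of the supplied name.
    $path = realpath($base . DIRECTORY_SEPARATOR . basename($requested));
    if ($path === false) {
        return null;
    }
    // realpath() resolves ".." and symlinks; the result must stay under $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return (is_file($path) && is_readable($path)) ? $path : null;
}

// Request handling runs only under a web server, so the file can also be
// included from a command-line test without side effects.
if (PHP_SAPI !== 'cli') {
    session_start();
    $path = empty($_SESSION['user_id'])
        ? null
        : resolve_download(PRIVATE_DIR, $_GET['file'] ?? null);
    if ($path === null) {
        // One answer for "not logged in" and "no such file".
        http_response_code(403);
        header('Content-Type: text/plain');
        exit("You can't do that now.");
    }
    header('Content-Type: application/octet-stream');
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    $fh = fopen($path, 'rb');
    fpassthru($fh);   // streams the file, binary-safe
    fclose($fh);
}
```

Because the check runs on every request, a saved or shared link to this script returns the file only to a client with a logged-in session.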
 
