Hello,
So, I did this website for a client; one part gives users the opportunity
to download various documents (generally Word documents) but they have to
pay for that. We use micropayments. Upon payment, a script looks up the
file name in a database, establishes a url, and the dl begins. I want to
protect the directory the downloadable files reside in; obviously an
htaccess directive would prevent all access and thence all downloads. So
I thought of this: store the files in an htaccess-protected directory,
and when it is requested, copy it to a public directory, give it a random
name, and feed the url to the browser. To prevent files from piling up in
the download directory, I would have to set up a task (cron job?) to
delete all files whose date of creation (or last access) is more the a
given period of time. The idea here is also to prevent anyone from, say,
jotting down the file's url and access it at a date. Granted, he/she/it
did pay for the file but he/she/it could as well pass the url on to
someone else.
What do you think about that; both on the principle and on the
methodology.
Thanks
I realize it might not be the correct group to ask such a question, but
someone here perhaps has come accross a similar issue
7  1182 
Doesn't sound like an elegant solution. I'm no expert in this field,
but .htaccess wouldn't prevent you from doing this, would it?
<?php
// downloading a file
$filename = $_GET['path'];
// fix for IE catching or PHP bug issue
header("Pragma: public");
header("Expires: 0"); // set expiration time
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
// browser must download file from server instead of cache
// force download dialog
header("Content-Type: application/force-download");
header("Content-Type: application/octet-stream");
header("Content-Type: application/download");
// use the Content-Disposition header to supply a recommended filename
and
// force the browser to display the save dialog.
header("Content-Disposition: attachment;
filename=".basename($filename).";");
/*
The Content-transfer-encoding header should be binary, since the file
will be read
directly from the disk and the raw bytes passed to the downloading
computer.
The Content-length header is useful to set for downloads. The browser
will be able to
show a progress meter as a file downloads. The content-lenght can be
determines by
filesize function returns the size of a file.
*/
header("Content-Transfer-Encoding: binary");
header("Content-Length: ".filesize($filename));
@readfile($filename);
exit(0);
?>
(yoinked from http://ca.php.net/manual/en/function.header.php by
milin_mestry at yahoo dot com)
That way you can keep the file in its current directory, as well as
rename it on download, or whatever you please, and you never even have
to reveal the full URL to the user.
On Aug 13, 3:42 pm, henribaeyens <cont...@myname.comwrote:
Hello,
So, I did this website for a client; one part gives users the opportunity
to download various documents (generally Word documents) but they have to
pay for that. We use micropayments. Upon payment, a script looks up the
file name in a database, establishes a url, and the dl begins. I want to
protect the directory the downloadable files reside in; obviously an
htaccess directive would prevent all access and thence all downloads. So
I thought of this: store the files in an htaccess-protected directory,
and when it is requested, copy it to a public directory, give it a random
name, and feed the url to the browser. To prevent files from piling up in
the download directory, I would have to set up a task (cron job?) to
delete all files whose date of creation (or last access) is more the a
given period of time. The idea here is also to prevent anyone from, say,
jotting down the file's url and access it at a date. Granted, he/she/it
did pay for the file but he/she/it could as well pass the url on to
someone else.
What do you think about that; both on the principle and on the
methodology.
Thanks
I realize it might not be the correct group to ask such a question, but
someone here perhaps has come accross a similar issue
henribaeyens wrote:
Hello,
So, I did this website for a client; one part gives users the opportunity
to download various documents (generally Word documents) but they have to
pay for that. We use micropayments. Upon payment, a script looks up the
file name in a database, establishes a url, and the dl begins. I want to
protect the directory the downloadable files reside in; obviously an
htaccess directive would prevent all access and thence all downloads. So
I thought of this: store the files in an htaccess-protected directory,
and when it is requested, copy it to a public directory, give it a random
name, and feed the url to the browser. To prevent files from piling up in
the download directory, I would have to set up a task (cron job?) to
delete all files whose date of creation (or last access) is more the a
given period of time. The idea here is also to prevent anyone from, say,
jotting down the file's url and access it at a date. Granted, he/she/it
did pay for the file but he/she/it could as well pass the url on to
someone else.
What do you think about that; both on the principle and on the
methodology.
Thanks
I realize it might not be the correct group to ask such a question, but
someone here perhaps has come accross a similar issue
....and just what is to prevent someone who has purchased the file from
simply emailing that files as an attachment or putting it on a cd or
uploading it to his own website or whatever and giving it to someone else?
I did a website like this and I pointed this out at the time, but they
wanted it anyway so I did it. After all they were paying. I put a
counter in a database which I decremented (they were allowed three
downloads), and only provided the file if downloads were available
(after a login, of course).
henribaeyens wrote:
Hello,
So, I did this website for a client; one part gives users the opportunity
to download various documents (generally Word documents) but they have to
pay for that. We use micropayments. Upon payment, a script looks up the
file name in a database, establishes a url, and the dl begins. I want to
protect the directory the downloadable files reside in; obviously an
htaccess directive would prevent all access and thence all downloads. So
I thought of this: store the files in an htaccess-protected directory,
and when it is requested, copy it to a public directory, give it a random
name, and feed the url to the browser. To prevent files from piling up in
the download directory, I would have to set up a task (cron job?) to
delete all files whose date of creation (or last access) is more the a
given period of time. The idea here is also to prevent anyone from, say,
jotting down the file's url and access it at a date. Granted, he/she/it
did pay for the file but he/she/it could as well pass the url on to
someone else.
What do you think about that; both on the principle and on the
methodology.
Thanks
I realize it might not be the correct group to ask such a question, but
someone here perhaps has come accross a similar issue
Far too complicated: use a database to store the files as BLOBS.
On 13 Aug 2008 22:42:24 GMT, henribaeyens <co*****@myname.comwrote:
>Hello,
So, I did this website for a client; one part gives users the opportunity
to download various documents
Why reinvent the wheel?
We use IPNMonitor: http://www.withinweb.com/phpipnmonitor/index.php
(but it uses PayPal IPN)
--
Locate your Mobile phone: <http://www.bizorg.co.uk/news.html>
Great gifts: <http://www.ThisBritain.com/ASOS_popup.html>
..oO(henribaeyens)
>So, I did this website for a client; one part gives users the opportunity
to download various documents (generally Word documents) but they have to
pay for that. We use micropayments. Upon payment, a script looks up the
file name in a database, establishes a url, and the dl begins. I want to
protect the directory the downloadable files reside in; obviously an
htaccess directive would prevent all access and thence all downloads.
The better way would be to store these files outside the document root,
no .htaccess needed there.
>So
I thought of this: store the files in an htaccess-protected directory,
and when it is requested, copy it to a public directory, give it a random
name, and feed the url to the browser.
Ugly and insecure (security by obscurity).
>To prevent files from piling up in
the download directory, I would have to set up a task (cron job?) to
delete all files whose date of creation (or last access) is more the a
given period of time.
Even more ugly.
>The idea here is also to prevent anyone from, say,
jotting down the file's url and access it at a date.
If it's publically available, it can be downloaded.
>Granted, he/she/it
did pay for the file but he/she/it could as well pass the url on to
someone else.
This can happen everywhere, you can't prevent that.
>What do you think about that; both on the principle and on the
methodology.
Bad idea. Store the files outside the docroot as already said, then use
a script to deliver them to the clients. The script just has to check
that the user is allowed to download the requsted file.
Micha
..oO(Mark)
>Doesn't sound like an elegant solution. I'm no expert in this field,
but .htaccess wouldn't prevent you from doing this, would it?
<?php
// downloading a file
$filename = $_GET['path'];
[...]
@readfile($filename);
Never(!) use any client data without proper validation! Do you know what
the above would allow an attacker to do? To download every file on the
entire server which is readable for the web server! This would include
important system configuration files, your own scripts, probably your
database credentials ...
Micha
On Aug 14, 10:46*am, Michael Fesser <neti...@gmx.dewrote:
.oO(Mark)
Doesn't sound like an elegant solution. I'm no expert in this field,
but .htaccess wouldn't prevent you from doing this, would it?
<?php
// downloading a file
$filename = $_GET['path'];
[...]
@readfile($filename);
Never(!) use any client data without proper validation! Do you know what
the above would allow an attacker to do? To download every file on the
entire server which is readable for the web server! This would include
important system configuration files, your own scripts, probably your
database credentials ...
Micha
Well... I'd like to say "that goes without saying", but I guess I
can't. That was a copy and paste job :p This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: Avery Warren |
last post by:
I am investigating converting a wiki site to plone. I am having
a lot of difficulty finding good documentation programmatically
accessing the ZODB API.
A lot of the user feedback is centered on...
|
by: Jasmine Youngblood |
last post by:
----641010945961164232
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable
<html>
<head>
<title>Untitled Document</title>
<meta http-equiv=3D"Content-Type"...
|
by: Ravi |
last post by:
#define A B
#define B A
main()
{
int A=5;
float B=6.0;
printf("\n %d %f",A,B);
printf(" %d %f",B,A);
}
|
by: Vortex Soft |
last post by:
http://www.junglecreatures.com/
Try it and tell me what's happenning in the Microsoft Corporation.
Notes:
VB, C# are CLS compliant
|
by: Tony Johansson |
last post by:
Hello!
Some information to be able to have a change to answer the question.
Assume I have a large system developed in MFC.
In this system we have only C++ code so no other language exist.
This...
|
by: C# Beginner |
last post by:
I'm currently creating a database class, which contains a member called
Open(). With this method users can open different databases. When a user
tries to open a database which happens to be secured...
|
by: www.douglassdavis.com |
last post by:
I'm looking for advice here, and I would really appreciate it if you
could help.
Is there a VB 2005 book that you like and would recommend (and why)?
Would you consider it good for...
|
by: =?Utf-8?B?TWljaGVsIFBvc3NldGggW01DUF0=?= |
last post by:
In my opinion rethrowing exceptions without providing anny extra information
is a totall waste
Examples :
in my opinion wrong :
A:
Public sub DoSomeStuff()
Try
do it
|
by: Stephan Bourdon |
last post by:
Hi,
Your opinion please on the following subject: Is it acceptable to set
the width and height of an image in ems or percents in CSS?
The advantage for me is that images will scale up or down...
|
by: cephal0n |
last post by:
Hi All!
First of I apologize for my previews post needing help on union select and not providing so more explanation, but thank you very much for your opinion and sugestion. I have thought about my...
|
by: emmanuelkatto |
last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud.
Please let me know.
Thanks!
Emmanuel
|
by: BarryA |
last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
|
by: nemocccc |
last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
|
by: Hystou |
last post by:
There are some requirements for setting up RAID:
1. The motherboard and BIOS support RAID configuration.
2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers,...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new...
| |
