Mac Taylor

Reputation: 5148

indirect path for download files

I need to create a download section on my website, but my concern is that I want my users to be able to download files only through indirect links, to prevent them from sharing my files on my server.

Such as:

http://mysite.com/download/12.zip

to

http://mysite.com/download/12

Is there a way in PHP to do so?

Upvotes: 0

Views: 1902

Answers (5)

Álvaro González

Reputation: 146430

Some methods to prevent hotlinking I can think of (in order of growing complexity).

  1. Check $_SERVER['HTTP_REFERER']; if it belongs to your site or it's blank, allow download; if it belongs to another site, deny download.

  2. Store a random ID in the session when the user visits the listing and read it in the download script.

  3. Generate a temporary link with a random ID: /download-4Gaw4MWfTH6dB9UgKILSFc2UlnIPRhMv/12.zip

(I'm not sure of what you meant in your example but removing the file extension from the URL is hardly a security measure.)

Upvotes: 1

RJD22

Reputation: 10340

You could stream your files through PHP to the end user. This would make it possible to hide and protect your files at the same time.

Take a look at the PHP header page; if you scroll down there are quite a lot of examples of how to stream files through PHP. Most of them you can just copy and put to use.

Upvotes: 0

bitkid

Reputation: 1701

reko_t is on the spot here.

If your document root is, e.g., /var/www/mysite, you can use a folder like, say, /var/www/files. This will make your files inaccessible from the web. Then you have to create a download script in PHP. You can use realpath to generate the absolute path if you need to use relative paths ($filename = realpath("../files/$fileid.$fileext");).

Take a look at the user comments in the readfile documentation on php.net and look for the function readfile_chunked. I am using that function in my own code. Very useful.

Upvotes: 0

DCD

Reputation: 1290

You may want to look into checking the value of $_SERVER['HTTP_REFERER'] before allowing a download to make sure they are not coming from another page.

As for hiding, just do it in the form

yoursite.com/download.php?file=filename

Then in your code just readfile() the contents of the file in a hidden directory - you can deny physical access with .htaccess if you are really concerned, or you can start the directory name with a . which will again stop outside access. It's not really necessary though, as there will be no way of knowing (or guessing) the hidden directory name.

As a side note, if you are doing any database access and are offering large files for download, you must close the database connection before the readfile(), as the connection will be considered 'open' for the entire duration (even if it is a ten-minute download) and it's very easy to hit the max connection limit in this situation.

Upvotes: 1

reko_t

Reputation: 56430

Store the actual files outside of the public html area, then in your PHP script simply send the appropriate headers (Content-Type, Content-Length, Content-Disposition), and finally readfile() the file from the private location.

Upvotes: 0
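The approach from reko_t's and bitkid's answers (files outside the document root, headers, then readfile()), as an added example that is not code from any answer on this page. The script name download.php, the id parameter, the /var/www/files location and the "<id>.zip" naming scheme are assumptions; the id is restricted to digits and the resolved path is checked against the private directory so a request cannot reach files outside it.

```php
<?php
declare(strict_types=1);

// Assumed layout: document root is /var/www/mysite, downloads are stored in
// /var/www/files as "<id>.zip" (e.g. 12.zip). Path and naming are assumptions.
const FILES_DIR = '/var/www/files';

/** Map a request id to an absolute path inside $baseDir, or null if invalid. */
function resolve_download(string $baseDir, string $id): ?string
{
    // Digits only, anchored with \A and \z, so "../", NUL bytes or a trailing
    // newline never reach the filesystem.
    if (!preg_match('/\A[0-9]{1,10}\z/', $id)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $id . '.zip');
    // realpath() returns false for missing files and resolves symlinks, so the
    // result must still start with the private directory plus a separator.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($path)) {
        return null;
    }
    return $path;
}

function send_download(string $path): void
{
    // Release the session lock before a long transfer; close any database
    // connection here as well, for the reason given in DCD's answer.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_write_close();
    }
    header('Content-Type: application/zip');
    header('Content-Length: ' . (string) filesize($path));
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}

if (PHP_SAPI !== 'cli') {
    $id = $_GET['id'] ?? null; // may be an array if the client sends id[]=...
    $path = is_string($id) ? resolve_download(FILES_DIR, $id) : null;
    if ($path === null) {
        http_response_code(404);
        exit('Not found');
    }
    send_download($path);
}
```

Any per-user check (a logged-in session, or the random ID from Álvaro González's answer) belongs before the call to send_download(); without one, the URL can still be shared.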
