
Allow Certain Downloads Only to Users?


kaiba

Hello, I'm new to PHP/MySQL, and new here. I'm trying to make a website with a user database and want to restrict access to downloading certain files to members only, while not restricting access to the page itself that shows them. So basically, if a person was logged in and they went to a page and clicked on a file, it would start the download, but if they were not logged in, it would redirect them to a login/register page. I'd like to make it so that even if a person views the source and tries to go straight to the file, it would do the same thing. I'm not sure how much of this is possible, since I just started really trying to learn PHP and MySQL in the last couple of days. I just started construction on a site and wanted to figure all this out. You don't have to explain or write out all the code. I just need an explanation of whether it's possible and roughly what I need to do. Or what the closest thing is if that's not possible >_<; Thanks for your time all, appreciate the help. \^_^/


You need to make a login script which checks if a user is logged in or not.

<?php
// $logged_in and $username are assumed to be set by your login script
if ($logged_in) {
    // if user is logged in:
    echo 'Hello ' . $username . '!<br /><br />You can download 10 of our files.';
} else {
    // if not logged in:
    echo 'Hello guest!<br /><br />You can only download 5 of our files.';
}
// notice that I use echo ''; (single quotes), so you can use normal double quotes in (X)HTML code (")
// a variable inside single quotes is NOT replaced, so $username is concatenated with a dot above
?>

Of course there are plenty more things to fill out. I can't open FTP now, so I can't give you my login code, but if you search Google for "PHP login code" or something like that, you'll get a lot of sites with tutorials on how to make one :)


First off, you need some sort of user system.

Then you need a script that shows the files and information... For how to redirect the user to the right file, see this topic.

And in the "redirection script" you check if the file is only for users: if the user is logged in, then redirect to the file; if not, redirect to login. If it's a "public file", directly redirect to the file (in the DB table have a column like 'public' or something like that, that you check...).

The important thing here is to link to the redirection script and not print out the path to the file anywhere. This should work fine as long as the users don't find out the direct path to the file some other way (the path will never be shown in the address bar...).

If you want "complete" security you can't get it with PHP; such security is handled by the server. This is often accomplished either by a configuration of the whole server, or by .htaccess files. (htaccess tutorial)

Good luck and don't panic

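Since the post above points at .htaccess as the server-side piece, here is what a "deny direct web access to the files directory" rule looks like. This is an added example, not a file from anyone in the thread; the directory path is an assumption. Two facts worth knowing before using it: .htaccess is an Apache feature (servers that emulate Apache, such as LiteSpeed, read it too; nginx and IIS do not), and a plain deny rule like this produces no browser password box. The username/password prompt only appears when a .htaccess sets up HTTP Basic auth with AuthType/AuthUserFile, which is a different mechanism from a PHP session login.

```apache
# /var/www/html/downloads/.htaccess  (added example, path is an assumption)
#
# Refuses every direct HTTP request for anything in this directory.
# Apache evaluates this only for web requests; a PHP script that calls
# readfile() or fopen() on the same directory goes through the filesystem
# and is not affected, so your own download script keeps working.
# No AuthType / AuthUserFile here, therefore no browser login prompt.

# Apache 2.4 and later
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2 (older syntax, same effect)
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
```

For the rule to be honoured, the main server config must allow overrides for this directory (`AllowOverride Limit` or `AllowOverride All` on Apache 2.2, `AllowOverride AuthConfig` or `All` on 2.4); if the host has `AllowOverride None`, the file is silently ignored and the downloads stay reachable. The simplest way to avoid depending on this at all is to keep the files in a directory that is not under the document root: then there is no URL that maps to them in the first place, and only your PHP script can hand them out.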

Wow, thanks for all the help :) Hopefully that's what I'm looking for. An example of what I was talking about is at www.bleachexile.com. Even if you go straight to the file like (example) bleachexile.com/download/anime/bleach_114.zip it will still redirect you to log in. I can't find anything in the code that explains it, so I guess that means it's in the back end somewhere. Thanks for all your help and advice everyone :)

Edit: also just wanted to say thanks for linking that info about htaccess... I had no idea it existed (*Blush*) ; ; Interesting stuff \:)/ Oh, btw, is htaccess only available on Apache servers? Read something somewhere that said something like that. Just wanted to clear it up. Thanks.


Thanks for the info. Reading into all of this stuff as we speak :) Does anyone have any idea how that website is doing what it's doing? The a href in the code just has a link to the file, and if you type the direct link to it in the browser it sends you to the same place as if you click on it when you're not logged in (I'm a member). Thanks all for your help, and if anyone has some good places to read about PHP redirects it would be much appreciated ^_^ Thank you all, take care.


They are probably using .htaccess if they are linking directly to the file. When I do stuff like this, I prefer to never show the filename to anyone, including redirecting to it. Instead of a redirect, I like to read the file data, send headers that would force a download, name the file whatever I want, and send the file data directly. This works if you are reading the file from the filesystem or if the file is stored in a database. Sending headers in PHP to do that looks like this:

header('Content-Type: application/octet-stream');  // force a download
header('Content-Disposition: attachment; filename="yourfilename.ext"');
header('Content-Length: ' . filesize($filename));
readfile($filename);

This way, no one ever sees the path or the filename, even while downloading it. Instead, they see whatever name you put in the content-disposition header.


<3 justsomeguy, thanks for all the info. I'm not sure I 100% understood all of that, but I'll work on figuring it out lol. In the scenario you just described, I could have multiple links and none of them would actually download until they clicked the link? Sorry if that's a dumb question, I'm still stumbling through the beginner PHP books and don't quite understand everything yet ._. I appreciate the help, hopefully I can get this all figured out and get the ball rolling \^^/ Thanks to everyone here for the help, it is much appreciated.

Right. The links on the page would look like this:

<a href="download_file.php?id=123">

And the download_file page would look up the ID in the database, get the filename etc., read the file and send it to the user. After checking if they are logged in, of course. So people could still link directly to the download page, and if someone clicked the link and wasn't logged in, it could redirect them to a login page, and then let them download.


Thanks for clearing that up! Sorry, one last question ~_~ The headers and stuff that you mentioned, were those related to this technique, or was that a whole different technique in its own right that you were explaining? :) Thanks again, sorry to be a bother.

The headers are how you get a PHP script to send a file to the user. If you have a script that generates an image, it will send several headers, including one that says the image type, and then send the image data. If you want to download a generic file, you send the octet-stream header, and then send the file data (the readfile function).


Thanks for all the responses justsomeguy. You've helped me understand some things and clear up some stuff I didn't understand right lol. You're a lifesaver <3

Hello again all,

I've still been straining my brain trying to figure out all this from what was basically zero knowledge of PHP and MySQL ~_~ I have a few questions still. I've looked around a lot, but either it's about something not quite like I need, or I just get lost because they are totally not writing it for newbies to understand lol. My questions (some) are:

justsomeguy, you mentioned storing the file in a database and using readfile. My questions are: is there any major problem storing several files up to 200 MB each in MySQL, or should I just store them in my website like normal? If in the database, how do I actually store files like video and audio in the database? None of my books cover this ;_; If like normal, is there a certain place that I should put the directories to prevent direct access, or something that I can do to prevent it? My problem with htaccess is that it will prompt for a login box, but my site already will work on a login system. I've looked but couldn't find anything explaining how you could make htaccess check if the session is valid and if so let them access, and if not send them to the usual sign-in/join page that I want displayed.

Another question is, if I used readfile(), are there any dangers with that? Someone on the php.net forum was saying that readfile is dangerous, and even POST and GET were dangerous, but I couldn't understand why these were. Most likely because my skill level is too low to understand what they are saying lol T_T

I'm sorry for bugging you all with this, but it's a very important part of my site and holding me back greatly. Not to mention I think if I can just figure out the scheme of things I need to follow, learning to write the code right to follow what needs to be done might teach me MySQL and PHP pretty well. At least I hope so lol. Thank you all for your time and help, it is all very much appreciated.

-kaiba

EDIT: Say I have my login system in place with two or more levels of membership. On my links could I do something like this:

<a href="<?php if(logged in and if level >= level) domain.com/download.php?id=id</a>

Sorry if that didn't make sense, I'm still very new with PHP and haven't really written much. What I was trying to say is have it check if they are logged in, and if so then continue with the download script that pulls the information from my database. If they fail one of the two checks then it sends them to the login/signup page. Would that make sense and work? >_< Or maybe, if not in the actual link, would it be better to put the two checks within the download.php file, and if they pass start it and if not then redirect? I don't suppose that stops the direct linking problem, but since it will keep popping up that login box if I use htaccess and making things so difficult, I'm thinking of just saying F it. Too much of a headache and has me at a standstill atm. If anyone knows a way to make htaccess deny direct access but let my scripts and pages access it then please let me know. Thanks again everyone, sorry for my poor skill level and probably obvious questions ._.


If your files are several hundred megs, it will probably be more efficient to store them as files instead of in the database. But, to store a file in a database, you need to do a couple of things. The field type for the file needs to be one of the BLOB types (binary large object), so it could be blob or medium blob or large blob or whatever you need for the size. Once you have your blob, you just store the file data in the field. You can get the file data using the file_get_contents function or by using a combination of fopen and fread. Getting the file back out of the database is as easy as sending the headers and then outputting the contents of the database field.

But I recommend that you just store the files themselves. You can create a random name, for example a sha1 hash of the original name. That would give a 40-character name that would basically be unguessable, and the users would never see the actual filename. Then you would use readfile to output the file after you send the headers, instead of sending the contents of the database field. I believe that even if you have an htaccess file protecting the directory, PHP will still be able to read the file using readfile. htaccess only corresponds to web requests - Hyper Text Access - not filesystem access. People who actually use htaccess might be able to explain a little more, I've never used it.

The readfile function and the $_GET and $_POST arrays are not dangerous. Unsecured code is dangerous. It is perfectly possible to write code using anything that cannot be exploited. The only exploits come from people who write code without thinking about security implications. For example, if you have a link like this:

download.php?file=somefile.ext

with the filename in the actual link, and you have this in the download.php file:

readfile($_GET['file'])

then you are just asking for problems. Someone can just do this:

download.php?file=/etc/passwd

And voila, now they know all the passwords on the server.

Security is all about how you program. If you are putting something from $_GET or $_POST directly into a function like readfile, eval, system, exec, passthru, etc., you are just asking for someone to hack your program. The reason why your download script would not be affected by vulnerabilities like this is because the download page accepts a numeric id:

download.php?file=123

Looks up the filename in the database, and uses the stored filename. It is up to you to make sure that the ID is actually a number, and that it exists in the database, and other than that there are no problems. Nothing in PHP is inherently insecure; security is a direct result of the quality of the code. If you write good code, you can use readfile and exec as much as you want without worrying.

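Putting the pieces of this thread together (the id-only link and database lookup, the download headers, the "validate the id, never take a filename from the client" point above, and the membership-level question in kaiba's edit), here is one complete download gateway script. It is an added example, not code from anyone in the thread. Assumptions, all hypothetical: the site's own login script sets $_SESSION['user_id'] and $_SESSION['level']; a MySQL table files(id, stored_name, display_name, min_level) where stored_name is the 40-character sha1 hex name suggested above; the files live in /var/www/private_files, which is outside the document root so Apache cannot serve them directly; and placeholder database credentials.

```php
<?php
declare(strict_types=1);
// download.php  (added example; table layout, session keys, paths and
// credentials are assumptions, not anything from the thread)
session_start();

// Directory holding the files. It is NOT under the web root, so there is no
// URL that reaches it; only this script can hand the files out.
const STORAGE_DIR = '/var/www/private_files';

/** Send not-logged-in visitors to the site's own login page and stop. */
function require_login_or_redirect(): void
{
    if (empty($_SESSION['user_id'])) {
        // login.php is assumed to accept only a local path in ?next= (no open redirect)
        header('Location: /login.php?next=' . rawurlencode($_SERVER['REQUEST_URI']));
        exit;
    }
}

/** Look the id up with a prepared statement; the id never becomes SQL text. */
function lookup_file(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT stored_name, display_name, min_level FROM files WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Stream a file to the browser as an attachment under a name we choose. */
function send_file(string $path, string $display_name): void
{
    // Only safe characters in the header value: no quotes, CR/LF or path pieces
    $safe_name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($display_name));
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $safe_name . '"');
    header('Content-Length: ' . (string) filesize($path));
    header('X-Content-Type-Options: nosniff');
    // Drop any output buffer so a 200 MB file is not collected in memory first
    while (ob_get_level() > 0) {
        ob_end_clean();
    }
    $fh = fopen($path, 'rb');
    while (!feof($fh)) {
        echo fread($fh, 8192);
        flush();
    }
    fclose($fh);
}

// 1. Validate the id: anything that is not a positive integer is rejected outright
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Bad request');
}

// 2. Members only; guests are redirected to the normal sign-in page
require_login_or_redirect();

// 3. Resolve the id to a stored name; the client never supplies a filename
$db = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$file = lookup_file($db, $id);
if ($file === null) {
    http_response_code(404);
    exit('No such file');
}

// 4. Membership level check (the "two or more levels" from the question)
if ((int) ($_SESSION['level'] ?? 0) < (int) $file['min_level']) {
    http_response_code(403);
    exit('Your membership level does not include this download');
}

// 5. Defence in depth: even though stored_name came from our own table, insist
//    that it is a bare sha1 hex string and that the resolved path stays inside
//    STORAGE_DIR before touching the filesystem.
if (!preg_match('/^[a-f0-9]{40}$/', $file['stored_name'])) {
    http_response_code(500);
    exit('Bad file record');
}
$base = realpath(STORAGE_DIR);
$path = realpath($base . '/' . $file['stored_name']);
if ($base === false || $path === false || dirname($path) !== $base || !is_file($path)) {
    http_response_code(404);
    exit('No such file');
}

send_file($path, $file['display_name']);
```

The page that lists downloads then links to download.php?id=123 and nothing else; someone who views the source or types the URL directly still hits the same session check, which is the behaviour asked for in the first post. The random stored name only keeps the real filename out of sight; what actually stops a non-member is the session check combined with the files living outside the web root (or, failing that, behind a deny-all .htaccess), and the integer validation plus database lookup is what keeps a request like ?file=/etc/passwd from ever reaching readfile.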
