ColdEdge Posted July 19, 2010

Hi, I am trying to make a secure download system. Not in the sense of SSL but in the sense that it prevents direct file hot linking.

I so far made this script, which fails. Can someone help me? The header MINE type seems to be incorrect always and I am not sure what I would need to do in order to pull the MINE type.

    <?php
    header("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1
    header("Expires: Sat, 26 Jul 1997 05:00:00 GMT"); // Date in the past
    include 'db.php';
    // Escape the request parameters before they go into the SQL string
    $cf    = mysql_real_escape_string($_GET['cf']);
    $token = mysql_real_escape_string($_GET['token']);
    $seed  = mysql_real_escape_string($_GET['seed']);
    $query = mysql_query("SELECT * FROM files WHERE fileid = '".$cf."' AND fileToken = '".$token."' AND seed = '".$seed."'");
    $obj = mysql_fetch_array($query);
    $fileObj = $obj['file'];
    $filename = $fileObj;
    header("Content-Type: video/mpeg");
    header("Content-Disposition: attachment; filename=\"".$filename."\";");
    ?>

23.12.2012 Posted July 19, 2010

Are you sure it's a MINE type and not MIME type?

Guest FirefoxRocks Posted July 19, 2010

I would recommend using a $_SESSION variable on your page to click to download, and checking the variable on the actual download page (the code you posted above). If the $_SESSION variable is not set then that means they came from a different page.

You can also check for Referer headers but that method is unreliable as they can be spoofed, they may not be sent by the browser (e.g. Opera), or they may be stripped out by antimalware/firewall software.

ColdEdge (Author) Posted July 19, 2010

I am personally not sure. I achieved one thing, that's for sure: the file location in Opera is displayed to be coming from the string, so here is an example of how the string works.

First off, I have the download.php page with all of its scripts. It queries the URL for ?cf= which is file id, &token= md5 of filename, &seed sha 512 of filename. Upon assuring that token and seed as well as cf of file exist, the file is called.

I am not sure if the problem is in the part that the header("Content-Disposition: attachment; filename=\"".$filename."\";"); can't read e.g. http://localhost/m/data/video.mp4, since the $fileObj which is used by $filename is just a query to get the file info from MySQL. The file row in MySQL is just the direct path to the file, on the localhost server.

The other problem that seems to be happening is that when you go to the download page, the code I posted first in this topic forces the download.php file to be downloaded. So, yeah, this is my problem.
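
A download page that combines the points raised in this thread, added here as an example and not code from any poster: it checks a session flag set by the linking page, looks the file up with bound parameters, detects the MIME type with PHP's fileinfo extension, and streams the file body. The session key `download_ok`, `STORAGE_DIR`, the `str_param()` helper and the database name and credentials are assumptions; the table and column names are the ones in the posted query.

```php
<?php
// Added example, not the poster's code. Assumed names: $_SESSION['download_ok'],
// STORAGE_DIR, str_param(), and the PDO DSN/credentials (placeholders).
session_start();
const STORAGE_DIR = '/var/www/m/data';   // assumption: canonical path, no symlinks

// 1. Only serve visitors who came through the page that sets the session flag.
if (empty($_SESSION['download_ok'])) {
    http_response_code(403);
    exit('Download not authorised');
}

// Accept only plain string parameters (rejects ?cf[]=... style arrays).
function str_param(string $key): string {
    return is_string($_GET[$key] ?? null) ? $_GET[$key] : '';
}

// 2. Look the file up with bound parameters instead of building SQL from $_GET.
$pdo = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4', 'user', 'pass',
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$stmt = $pdo->prepare(
    'SELECT file FROM files WHERE fileid = ? AND fileToken = ? AND seed = ?');
$stmt->execute([str_param('cf'), str_param('token'), str_param('seed')]);
$stored = $stmt->fetchColumn();

// 3. Map the stored value to a local path and refuse anything outside STORAGE_DIR.
$path = ($stored === false) ? false : realpath(STORAGE_DIR . '/' . basename($stored));
if ($path === false || strpos($path, STORAGE_DIR . '/') !== 0 || !is_file($path)) {
    http_response_code(404);
    exit('File not found');
}

// 4. Detect the MIME type from the file contents rather than hard-coding it.
$finfo = new finfo(FILEINFO_MIME_TYPE);
$mime  = $finfo->file($path) ?: 'application/octet-stream';

// 5. Send the headers, then the file bytes; headers alone deliver no file content.
header('Cache-Control: no-cache, must-revalidate');
header('X-Content-Type-Options: nosniff');
header('Content-Type: ' . $mime);
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="' .
       str_replace(['"', '\\'], '_', basename($path)) . '"');
unset($_SESSION['download_ok']);      // one download per visit to the link page
readfile($path);
```

The page that links to the download would call `session_start()` and set `$_SESSION['download_ok'] = true;` before showing the link.
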
This topic is now archived and is closed to further replies.