Controlling access to downloads

Anon

I'm trying to find a way secure my downloads by providing no http access. In other words, the files to be downloaded should not be accessible in any way via a URL.

In ColdFusion, I'm able to do this easily with CFCONTENT, but I can't find a way to do it in PHP. I've tried using passthru() and readfile(), but was unsuccessful with both.

How is this done in PHP?

Anon

I a llittle language english
Please helf me php,mysql lessons and helf and example

Bob Thing wrote:

I'm trying to find a way secure my downloads by providing no http access. In other words, the files to be downloaded should not be accessible in any way via a URL.

In ColdFusion, I'm able to do this easily with CFCONTENT, but I can't find a way to do it in PHP. I've tried using passthru() and readfile(), but was unsuccessful with both.

How is this done in PHP?

Anon

Presumably you don't mean what you say ... "no http access" is pretty easy to accomplish; just don't put the files on the Web. If you mean to accomplish some sort of authentication before providing the data, that's not particularly difficult.

passthru() isn't the right function for sending a file; it executes an external program and passes the output to the browser.

readfile() is the right function. If you're having trouble it's likely that you are not sending the appropriate HTTP header before calling the function. If you don't set a "Content-type" header, PHP will assume text/html, which is probably not what you want. You may also want to send a "Content-disposition" header. See http://www.nacs.uci.edu/indiv/ehood/MIME/rfc2183.txt

There also are dozens of so-called "anti-leech" scripts written in PHP; do a search and take a look.

Anon

OK, sorry for not being clear. Here's what I'm trying to achieve. Let's say my DocumentRoot is at

/data/webstuff/html

My downloads are at

/data/webstuff/html/downloads

So, if you know the name of a file in the "downloads" folder, you can just type this into your browser:

http://www.mydomain.com/download/file.zip

The problem with that is that it bypasses my security. What I want to be able to do is put my downloads here...

/data/downloads

...so that there's NO WAY you can get to the files with a URL. Problem is, I can't figure out how to provide access to those files via PHP.

Here's what I've tried. Maybe you can tell me what I'm doing wrong.

index.php calls the download script like so:

<a href="getfile.php?12">download12</a>

The number 12 is the key in the database. getfile.php looks like this:

<?php
$path = "/data/downloads";
mysql_connect('localhost', 'user', 'pass')
or die (mysql_errno() . ": " . mysql_error() . "<br>\n");
mysql_select_db('dbname')
or die (mysql_errno() . ": " . mysql_error() . "<br>\n");
$sql = "SELECT url FROM main WHERE id = $QUERY_STRING";
$result = mysql_query($sql)
or die (mysql_errno() . ": " . mysql_error() . "<br>\n");
$row = mysql_fetch_row($result);
$download = $path . $row[0];

header("Content-type: application/zip");
readfile($download);
?>

This doesn't work. What happens is that readfile tries to get...

getfile.php?12

...for some reason. I know that $download is being formed correctly, because when I comment out the last two lines and replace it with...

print $download;

...it shows me the correct value of...

/data/downloads/file.zip.

So, what am I doing wrong? I know I must be doing something dumb here, but I can't figure it out. And BTW, I've looked at many "anti-leech" scripts for the answer, but all the ones I've seen require you to have the downloads accessible via URL, and use other means to protect the content.