Hiding a download URL

V0oD0o

Hi there,

I'm trying to enable people to download video clips, they range anywhere between 1 and 10mb.

I want them to be able to download the file, but I don't want them to be able to see where the file is coming from, so they can't access others by guessing the URL.

Unfortunately, I am unable to place the files out of the web root.

I am linking to a page that has this PHP:

<?

  session_start();
  if (!isset($_SESSION["username"])){
    die ("You are not authed");
  }

$image = $_GET["img"];
$imageA = explode("/", $image);
$image2 = "w3irdpl4c3/". $image;


  // We'll be outputting a video for download
  header("Content-type: application/octet-stream");

  // It will be called whatever the file is called
  header("Content-Disposition: attachment; filename=". $imageA[2] ."");

  // The source
  @readfile($image2);

?>

The w3irdpl4c3 is the hidden folder that isn't echoed to the screen, this is how I have it set up for images anyways.

The problem is, when I use readfile() it reads the entire movie, before throwing up the download prompt. This is a long time if the movie is over a meg.

Any ideas?

Thanks in advance,

Mike Pearce

seby

Hi.

I have made this script and I will share it with you, use it as a base so you get an idea how to code your own, or use it as is, it's very effective.

change $file_path to the location of your files. to call a file simply use download.php?file=myfile.zip

<?php
error_reporting(E_ALL);

$file_path = '/home/public_html/files/';

if (empty($_REQUEST['file']) || !preg_match("/^[a-zA-Z_0-9]+.+[a-zA-Z0-9]+$/", $_REQUEST['file'])) {
	die('Not a valid URL.');
}

header("Content-type: application/octet-stream\n");
header("Content-disposition: attachment; filename=\"" . $_REQUEST['file'] . "\"\n");
header("Content-transfer-encoding: binary\n");
header("Content-length: " . filesize($file_path . $_REQUEST['file']) . "\n"); 

$fp = fopen($file_path . $_REQUEST['file'], "r"); 

fpassthru($fp); 
die();
?>

[deleted]

but if I use " netaunts" to download you files
I can see your files' location clearly enough!!

🙂

diego25

Not really. The script is hiding the $file_path variable. Without that, you don't know the file's location. And the PHP script that seby posted only outputs $_REQUEST['file']. it never outputs $file_path itself, so there's no way for you to know where the file is coming from....

Diego

V0oD0o

Thanks for the replies guys, although I can't seem to get the code to work.

It downloads a file which is 0 bytes.

I have a dircectory which is hidden, in this directory are sub directories:

./hiddendir/video/shoot_name/clip.wmv

The link would be:

DownloadVid.php?fileName=videos/first_shoot/blah.wmv

Here is the code from above I modified:

  session_start();
  if (!isset($_SESSION["username"])){
    die ("You are not authed");
  }
    $file = $_GET["fileName"];


error_reporting(E_ALL);

$file_path = 'hidden_dir_/';
$fileName = explode("/", $file);

if (empty($file) || !preg_match("/^[a-zA-Z_0-9]+.+[a-zA-Z0-9]+$/", $file)) {
    die('Not a valid URL.');
}

header("Content-type: application/octet-stream\n");
header("Content-disposition: attachment; filename=\"" . $fileName[2] . "\"\n");
header("Content-transfer-encoding: binary\n");
header("Content-length: " . filesize($file_path . $file) . "\n");

$fp = fopen($file_path . $file, "rb");

fpassthru($fp);
die();

This is starting to do my head in now. Help! 😃

nadeauz

Create a php file that the link will address from your users website access for each file. Locate the php files in your temp directory or other directory. Locate the files behind the root or in a hidden directory. Within the php file call on the file and load it with fpassthru. I use this type of logic in my code for digital sales delivery via email links, but it can be readily adapted for web delivery. The solution is $49.00 and can be viewed at www.pmbuildingblocks.com. There is a test download available for $.01 if you want to see it work too.

Hope this helps.