Shield Download URL

mrchuckles2002

Hi,

I hope someone can help me with this, I have the filenames of songs want to allow people to download in a mysql database.

I need a little bit of code that will take the id number of the song and begin the download of the file, without revealing the full url of where the download is coming from, in the page or in the code.

i.e. you goto downloadtune.php?tune_id=4
then the file downloads

I was also hoping for a little delay of say 5 seconds before the file downloads.

Any help will be most appreciated.

Thanks.

devinemke

here's the basic idea (if you want a 5 second delay then use [man]sleep[/man])

<?php
if (!isset($_GET['song_id']) || (isset($_GET['song_id']) && !$_GET['song_id'])) {exit('missing song_id');}

mysql_connect('host', 'username', 'password') or exit(mysql_error());
mysql_select_db('songs') or exit(mysql_error());

$result = mysql_query('SELECT filepath FROM songs WHERE song_id = ' . $_GET['song_id']) or exit(mysql_error());
if (mysql_num_rows($result))
{
	$filepath = mysql_result($result, 0);
	header('Content-Disposition: attachment; filename="' . $filepath . '"');
	header('Content-Length: ' . filesize($filepath));
	readfile($filepath);
	exit();
}
else
{
	exit('song_id not found in database');
}
?>

toplay

devinemke's example is good, however, I would suggest that you add a bit of extra security measures.

For instance, check to make sure that you're dealing with a numeric 'song_id' value and that you put single quotes around that value in the query. Example:

$song_id = intval($_GET['song_id']);
$result = mysql_query("SELECT filepath FROM songs WHERE song_id = '$song_id'") or exit(mysql_error());

Without the above, a person could put this in the URL:
downloadtune.php?song_id=song_id

and force your script to select all rows from the table (overhead). It would only still send one document but would probably be the document corresponding to the first row in the (results) table.

If this was a "delete" instead of a "select", then the query would end up looking like this:

DELETE FROM songs WHERE song_id = song_id

and all rows from your table would get deleted!

Always validate user input especially something coming across in the URL.

hth.

mrchuckles2002

Thanks for the help guys but im getting:

Fatal error: Call to undefined function: mysql_num_row()

Also so I can list my results, the extension is a different field. I have $file_name and $extension. producing e.g

song1.mp3

mrchuckles2002

Ah you missed the s out!! should have realised!

I'm still havin no luck tho, the directory the files are in are not local.

Please help, it will be most appreciated.

Thanks

mrchuckles2002

Can anyone help me with this?

This is the code I am using

if (!isset($_GET['tune_id']) || (isset($_GET['tune_id']) && !$_GET['tune_id'])) {exit('missing tune_id');} 

$result = mysql_query('SELECT file_name,extension FROM themetunes WHERE tune_id = ' . $_GET['tune_id']) or exit(mysql_error()); 
while ( $rows = mysql_fetch_array($result) ) {
$file_name = $rows['file_name'];
$extension = $rows['extension'];
$filepath2 = 'http://www.site.com/$file_name.$extension';

if (mysql_num_rows($result)) 
{ 
    header('Content-Disposition: attachment; filename="' . $filepath2 . '"'); 
    header('Content-Length: ' . filesize($filepath2)); 
    readfile('$filepath2'); 
    exit(); 
} 
else 
{ 
    exit('song_id not found in database'); 
} 
}

Just getting numerous errors.

devinemke

<?php
if (!isset($_GET['tune_id']) || (isset($_GET['tune_id']) && !$_GET['tune_id'])) {exit('missing tune_id');}
if (!is_numeric($_GET['tune_id'])) {exit('invalid tune_id');}

mysql_connect('host', 'username', 'password') or exit(mysql_error());
mysql_select_db('songs') or exit(mysql_error());

$result = mysql_query("SELECT file_name, extension FROM themetunes WHERE tune_id = '" . $_GET['tune_id'] . "'") or exit(mysql_error());  

if (mysql_num_rows($result))  

{  

    $row = mysql_fetch_assoc($result);
		$filepath = 'http://www.site.com/' . $row['file_name'] . '.' . $row['extension'];
		header('Content-Disposition: attachment; filename="' . $filepath . '"');
		header('Content-Length: ' . filesize($filepath));
		readfile($filepath);
		exit();  

}  

else  

{  

    exit('tune_id not found in database');  

}  

?>

mrchuckles2002

Thanks for your help but its still not working.

I'm getting:

Warning: Cannot modify header information - headers already sent by (output started at /home/chroot/home/downloadtune.php:27) in /home/chroot/home/downloadtune.php on line 105

Warning: filesize(): Stat failed for http://www.mysite.com/airwolf.wav (errno=2 - No such file or directory) in /home/chroot/home/downloadtune.php on line 106

Warning: Cannot modify header information - headers already sent by (output started at /home/chroot/home/downloadtune.php:27) in /home/chroot/home/downloadtune.php on line 106

The file does exist...ahhh!

devinemke

the error is telling you that there is no http://www.mysite.com/airwolf.wav

mrchuckles2002

devinemke wrote:
the error is telling you that there is no http://www.mysite.com/airwolf.wav

It definatly does exisit tho! I obviosuly changed the address as I didnt want to put it on here. But the real error is:

Warning: filesize(): Stat failed for http://myweb.tiscali.co.uk/uktvindex/airwolf.wav (errno=2 - No such file or directory) in /home/chroot/home/downloadtune.php on line 106

and that file is definantly there.

devinemke

rather than using the full URL, i suggest you use the server's filesystem path: ie. /path/to/airwolf.wav

toplay

Well, the first error was produced on line 105 which is your first header() command. The "headers already sent" means prior to line 105 you have outputted something to the browser. This could be a space, tab, carriage return, HTML, etc. You must not send anything prior to the use of header(). Find where you're doing that and remove it.

In the "Content-Disposition" header you currently are specifying the whole URL and that means after the first download, the person may know exactly where the file is located and can just type that URL in their browser window to get the file from then on. The "Content-Disposition" header is suppose to just suggest a filename when the user is prompted to save the file. Use basename() to get that.

I thought you wanted to hide the URL or download location from visitors/users. This isn't going to do it (if you continue using a URL). Put all your download files off your public (web) directory and use full or relative path names instead of URL's. So, if your web directory path is /home/user/www, then make a /home/user/my_music directory or something like it and place all your wave files there.

Also, you're missing an important if not required header, and that is the "Content-Type". This header tells the web client (users browser) what type of file to expect. Example:

        $filepath = '/home/user/my_music/' . $row['file_name'] . '.' . $row['extension'];
        header('Content-Disposition: attachment; filename="' . basename($filepath) . '"');
        header('Content-Type: audio/x-wav');  // or try: audio/vnd.qcelp
        header('Content-Length: ' . filesize($filepath));
        readfile($filepath);
        exit();

hth.

EDIT: Posted too late.

mrchuckles2002

Thanks for your help guys.

I can't use the site root method ( /path/to/directory/ ) because the files are stored on a different server from the page where the user can download. (ie teh page is at www.site1.com and the files are stored at www.site2.com and are on different servers)

This is due to bandwidth restrictions, so i guess the http:// method is the only way?

Also the files are not all .wav some are .mp3 .mid or .au

toplay

It would have been nice to know this in your original post. Anyway, It's still possible but probably requires more work on your part.

The readfile() function will work fine with a URL. The problem here is the filesize() function does not work with URL's (unless you have PHP 5). Somehow you need to know the size of each file. You'll have to find that out and load that in your table along with the filename and extension.

You could try a test and leave out the "Content-Length:" header to see if it will work. However, I think as part of the HTTP/1.1 protocol standard it's required. You could add the header "Connection: close" to at least let the browser know when it's done (when not using "Content-Length:" that is).

For .mp3 use: Content-Type: audio/mp3
For .mid use: Content-Type: x-music/x-midi
For .au use: Content-Type: audio/basic

mrchuckles2002

Thanks loads for your help and patience. That Seems to work.

Thanks again.

toplay

You're welcome. But what exactly "seems to work"? Did you decide to send the "Content-Length: " header or not?