Hash and file download

brotherhewd

Hello, I have a file hosting website and I am experiencing an issue. If somebody looks in the source code they can see the direct path of the file, hence bypassing the 25 second wait time since i am using a download template file where every user sees the same download page template. One way I found of preventing that is by using hash and mod_rewrite to protect that so instead of having /downoad.php?action=2&file=filename.rar I would have /download.php?hash=10293812ihoasdsaodasd. I have coded it to have the hash directly generated and put into a database. My problem is how would I use mod_rewrite (any body have a code for that) and what would i put in the download.php and the download-summary.tpl.php to have hash used to retrive the files. The database is setup I am needing help with the download part and the mod_rewrite part.

Thanks

jpr

In general, you would want to store each hash in the database, with the file address that corresponds to the hash. Then the hash is sent to your download script. In the download script, you can use the file() functions to read the data, and send headers to push the file to the client. That way they wont see the address of where the file is coming from. This is the basic idea of how I operate my downloads section.

Jason

brotherhewd

humm, I guess what i did was wrong then, I have no clue how to do this. You do not have to but if anyone have any codes that would do that could you please post it.

I am not knowledgeable in php and find even your explanation hard to understand.

Thanks.

jpr

In theory something like this should do the trick.

database structure

-----------------------------------------------|
| hash          | file_address
|----------------------------------------------|
|98f98d7f     | /secure/files/file1.exe   |
----------------------------------------------- |

download.php

<?php

$hash = _REQUEST['hash'];
//select file_address from db where hash  = $hash
//set file_address to $file_address

$filedata = file_get_contents($file_address);
$filetype = filetype($file_address);
$filesize = filesize($file_address);
$filename = "downloaded file name"; //This can be stored in the db, or you can extract the last part of the file name off of the file address

Header("Content-type: $filetype");
Header("Content-length: $filesize"); 
Header("Content-disposition: attachment; filename=$filename");
echo $filedata;

?>

brotherhewd

My current download.php is the one written by Brit and looks like this

<?PHP 
session_start(); 
# Download script with rewrite. 
# 21.11.2005 
# Author - Brit 
# PHPBuilder thread ID - 10312677 
# REQUIREMENTS: You require mod_rewrite via .htaccess 
# VARIABLES: ?action= "1=Summary display, 2=Download" & file= "filename.zip.html" 
REMOVED FOR SECURITY

/*************************************************************************************/ 
/* The rest of the script which you shouldn't need to change, happens below this break 
/*************************************************************************************/ 

/*************************/ 
/* Force a download for user 
/*************************/ 

function doDirectDownload($fileToDownload) 
{ 
    /* Start by making sure the file actually exists */
    if(checkExistenceOfFile($fileToDownload))
    { 
        /* If your web server has output compression enabled (quite common) this needs to be */ 
        /* disabled in order for MSIE to obey our Content Disposition header */ 
        if(ini_get('zlib.output_compression')) 
        { 
            ini_set('zlib.output_compression', 'Off');
        } 

    /* Get the file size */ 
    $fileSize = filesize(sprintf("%s/%s",FILESTORE_BASE,returnActualFilename($fileToDownload))); 

if ($_SESSION['loggedin'] != TRUE) {

    /* Check if user has exceeded limit */

    $connect = mysql_connect(DB_HOST, DB_USERNAME, DB_PASSWORD) or die('Failed to connect to database: ' . mysql_error());
    $db = mysql_select_db(DB_NAME) or die('Failed to select database: ' . mysql_error());
    mysql_query('DELETE FROM downloads WHERE time <= (UNIX_TIMESTAMP() - 3600)');
    $c_query = mysql_query('SELECT SUM(filesize) AS totaldownload FROM downloads WHERE id="' . session_id() . '" GROUP BY id');
    $c_query = mysql_fetch_assoc($c_query);

    if ($c_query['totaldownload'] + $fileSize >= (DAILY_LIMIT * 1024 * 1024)) {
        header('Location:' . LIMIT_EXCEEDED);
    exit; 
    } else {
        mysql_query('INSERT INTO downloads (id,filesize,filename,time) VALUES ("' . session_id() . '", "' . $fileSize . '", "' . returnActualFilename($fileToDownload) . '", UNIX_TIMESTAMP())');
    }
    mysql_close();
}

    /* Set the timelimit to zero, to prevent timeouts */ 
    set_time_limit(0); 

    /* Set the headers required to force a download. Explanation after each for reference */ 
    header("Pragma: public");
    header("Expires: 0"); 
    header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
    header("Cache-Control: private",false);
    header("Content-Type: application/octet-stream");
    header("Content-Disposition: attachment; filename=\"".returnActualFilename($fileToDownload)."\";");
    header("Content-Transfer-Encoding: binary");
    header("Content-Length: ".$fileSize);

    /* Read in the original file and present dialog to user */
    if($_SESSION['loggedin']) { 
        readfile(FILESTORE_BASE."/".returnActualFilename($fileToDownload)) or die("File not found."); 
    } else { 

        flush();

        $fd = fopen(FILESTORE_BASE."/".returnActualFilename($fileToDownload), "r") or die("File not found.");
        while(!feof($fd)) {
            echo fread($fd, round(SPEED*1024));
            flush();
            sleep(1);
        } 
        fclose ($fd);
    }
} else {
        exit;
}
}

/*************************/ 
/* Return the actual file name based on _GET vars 
/*************************/ 

function returnActualFilename($fileToDownload) 
{ 
    /* NOTE: this relies on you ensuring you are using the FILENAME.EXTENSION.html form! */ 
    return substr($fileToDownload,0,-5); 
} 

/*************************/ 
/* Check to see whether a file exists 
/*************************/ 

function checkExistenceOfFile($fileToDownload) 
{     

    /* See whether the specified file is available, and can be read. If not, return false. */ 

if(!is_file(sprintf("%s/%s",FILESTORE_BASE,returnActualFilename($fileToDownload))) || !is_readable(sprintf("%s/%s",FILESTORE_BASE,returnActualFilename($fileToDownload)))) 
{ 
    header(sprintf("Location:%s?error=404&file=%s",FILE_NOT_EXIST,returnActualFilename($fileToDownload))); 
    exit; 
} 
/* Otherwise, return true */ 
else 
{ 
    return true; 
} 
} 

/*************************/ 
/* Show initial download options 
/*************************/ 

function displayFileForDownloadSummary($fileToDownload) 
{ 
    /* Check to make sure the file exists and can be read */ 
    if(checkExistenceOfFile($fileToDownload)) 
    { 
         if($_SESSION['loggedin']) { 
          $wait_time = 0; 
         } else { 
          $wait_time = 31; 

     }

    /* First, open the summary template and get it into a string we can work with */ 
    $summary_template_file = sprintf("%s/%s",TEMPLATE_BASE,FILE_DOWNLOAD_TEMPLATE); 
    $summary_template = fopen($summary_template_file,"r"); 
    $summary_template_contents = fread($summary_template, filesize($summary_template_file)); 
    fclose($summary_template); 

    /* Now replace relevant spacers with file data */ 
    $summary_template_contents = preg_replace('/{FILE_TO_DOWNLOAD}/', returnActualFilename($fileToDownload), $summary_template_contents); 
    $summary_template_contents = preg_replace('/{FILE_TO_DOWNLOAD_LINK}/', $fileToDownload, $summary_template_contents); 
    $summary_template_contents = preg_replace('/{WAIT_TIME}/', $wait_time, $summary_template_contents); 

    /* Render summary with relevant content to user */ 
    echo $summary_template_contents; 
} 
else 
{ 
    exit; 
} 

} 

/*************************/ 
/* Start relevant function based on _GET variables 
/*************************/ 

function startDownloadProcess() 
{ 

if(!isset($_GET["action"]) || strlen($_GET["action"]) > 1 || !isset($_GET["file"])) 
{ 
    /* Chances are, someone is calling the script direct, or doing something odd, so exit */ 
    exit; 
} 
else 
{ 
    switch($_GET["action"]) 
    { 
        case 1: /* Display the file summary page */ 
        displayFileForDownloadSummary($_GET["file"]); 
        break; 

        case 2: /* Force file download */ 
        doDirectDownload($_GET["file"]); 
        break; 

        default: 
        exit; 
        break; 
    } 
} 

} 

startDownloadProcess(); 

?>

How would I integrate that into this code? and what about mod_rewrite? because I want it to be like yourdomain.com/HASHCODEHERE instead of yourdomain.com/uploads/filename.rar.html (by looking at the source users can get the direct path)

Right now, users are directed to a download summary page named download-summary.tpl.php and that page gets the information from the download.php that I posted above.