Make the script use a database instead of text file

Oskare100

Hello,
I've a download script that "hides" the real address of files from the person who wants to download it. What I want to do is to make it use my database instead of the text file as it is using now.

Here is the full script as it looked before I started editing it:

<?php 
$allowed = 0;
include('config.php');

if($allowblank > 0) { if($_SERVER['HTTP_REFERER']=="") { $allowed = 1; }}

$domains = count($alloweddomains);

for($y=0;$y<$domains+1;$y++) {
	if((stristr($_SERVER['HTTP_REFERER'], $alloweddomains[$y]))) { $allowed = 1;}
}

if($allowed > 0) {
						$namenumberarray = file($webaddress."fileindex.txt");
						$numberoffiles = count($namenumberarray);
						$filenames = array();

					for($x=0;$x<$numberoffiles+1;$x++) {
						$temporary = explode(":",$namenumberarray[$x]);
						$tempname = explode("\n",$temporary[1]);
						$filenames[$temporary[0]] = $tempname[0];
					}

					if(!isset($filenames[$_GET['serve']])) { 
						if($logging > 0){
							$status = "ReqNF";
							include('logit.php');
						}
						echo('That number wasnt found!');
						exit;
					}

					$wantedfilename = $filenames[$_GET['serve']];


					$extension = explode(".", $wantedfilename);
					$numberinarray = count($extension);

					$lcext = strtolower($extension[$numberinarray-1]);

					//BEGIN CONTENT TYPES BLOCK. ADD OR REMOVE FILE TYPES HERE, AS SHOWN //
					//DON'T EDIT THIS UNLESS YOU KNOW WHAT YOU ARE DOING!//
					//MOST COMMON FILE TYPES ARE ALREADY INCLUDED//

					switch($lcext) {
						case ($lcext == "swf"): 
							$commonname="flash"; 
							$ct = "Content-type: application/x-shockwave-flash";
						break;
						case ($lcext == "wmv"): 
							$commonname="wmv"; 
							$ct = "Content-type: video/x-ms-wmv";
						break;
						case ($lcext == "mov"): 
							$commonname="quicktime movie"; 
							$ct = "Content-type: video/quicktime";
						break;
						case ($lcext == "avi"): 
							$commonname="avi video"; 
							$ct = "Content-type: video/avi";
						break;
						case ($lcext == "rar"): 
							$commonname="winrar"; 
							$ct = "Content-type: application/octet-stream";
						break;
						case ($lcext == "zip"): 
							$commonname="zip"; 
							$ct = "Content-type: application/octet-stream";
						break;
						case ($lcext == "bmp"): 
							$commonname="bitmap"; 
							$ct = "Content-type: image/bmp";
						break;
						case ($lcext == "gif"): 
							$commonname="gif"; 
							$ct = "Content-type: image/gif";
						break;
						case ($lcext == "jpeg" || $lcext == "jpg" || $lcext == "jpe"): 
							$commonname="jpeg"; 
							$ct = "Content-type: image/jpeg";
						break;
						case ($lcext == "mpeg" || $lcext == "mpg" || $lcext == "mpe"): 
							$commonname="mpeg"; 
							$ct = "Content-type: video/mpeg";
						break;
						case ($lcext == "png"): 
							$commonname="png"; 
							$ct = "Content-type: image/png";
						break;

						//END//

						default: 
							$commonname="Generic Filetype"; 
							$ct = "Content-type: application/octet-stream";

							if($logging > 0){
								$status = "Generic_Filetype";
								include('logit.php');
							}

					}

					$handle = fopen($webaddress.$wantedfilename, "rb");
					header("Cache-Control: "); //keeps ie happy
					header("Pragma: "); //keeps ie happy
					header($ct); //content type as set above from explode();

					if(!stristr($lcext, "swf")){//flash plays, it isnt downloaded as an actual file.
						header("Content-Disposition: attachment; filename=\"".$wantedfilename."\"");
					}

					header("Content-Length: ".filesize($path.$wantedfilename));

					fpassthru($handle);
					if($logging > 0){
						$status = "Granted";
						include('logit.php');
					}
					exit;
}

else {
	if($logging > 0){
		$status = "Denied";
		include('logit.php');
	}
	exit;
	//quiet leech kill
}
?>

As you can see in the script I want the script to hide the real download location. So I can download the file with the ID 1 by visiting "/thescript.php?serve=1" and the file with the ID 2 by visiting "/thescript.php?serve=2".

Here is the structure of the database I want it to use instead of the text file;

CREATE TABLE `files` (
  `file_id` int(11) NOT NULL auto_increment,
  `file_pack` varchar(50) NOT NULL default '',
  `file_pack_cat` varchar(50) NOT NULL default '',
  `file_cat` varchar(50) NOT NULL default '',
  `file_name` varchar(100) NOT NULL default '',
  `file_desc` text NOT NULL,
  `file_fullname` varchar(100) NOT NULL default '',
  `file_downloads` varchar(11) NOT NULL default '',
  `file_date` varchar(30) NOT NULL default '',
  `file_timestamp` varchar(30) NOT NULL default '',
  PRIMARY KEY  (`file_id`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=2 ;

Where "file_fullname" is the full name of the file I want to download, for example; text.zip and "file_id" is the ID of the file.

The fileindex.txt (that I want to replace with the database) contained the IDs and filenames like this:

1:example.zip
2:example2.zip
3:example3.zip

I'm not that good at PHP coding so I can't see what needs to be changed to do what I want to do by just looking at the script...

Thanks in advance,
Best Regards
Oskar R

Oskare100

Hello again,
I now,after a lot of help, got it working with this script;

<?php
$allowed = 1;

include 'config.php';
include 'db_info.php';

$referrer = getenv('HTTP_REFERER');

if('' == $referrer)
{
    $allowed = ($allowblank) ? 1 : 0;
}
else
{
    $allowed = 0;
    foreach($alloweddomains as $domain)
    {
        if(substr($referrer, 0, strlen($domain)) == $domain)
        {
            $allowed = 1;
            break;
        }
    }
}

if(!$allowed)
{
    if($logging)
    {
        $status = 'Denied';
        include 'logit.php';
    }
    exit(0);
    //quiet leech kill
}

if(!isset($_GET['serve']) || $_GET['serve'] != (string) (int) $_GET['serve'] || (int) $_GET['serve'] <= 0)
{
    die('Parameter `serve` must be a positive integer.');
}

$conn = mysql_connect("$sqlhost", "$sqlusername", "$sqlpassword")
    or die('Unable to connect to MSQL: '.mysql_error($conn));
mysql_select_db('main', $conn)
    or die('Unable to select database: '.mysql_error($conn));
$result = mysql_query('select `file_fullname` from '$file_tbl' where `file_id` = "'.$_GET['serve'].'"', $conn)
    or die("Unable to perform query: ".mysql_error($conn));

if(0 == mysql_num_rows($result))
{
    die('File not found.');
}
$fileName = mysql_result($result, 0, 0)
    or die('Unable to retrieve result: '.mysql_error($conn));

$extension = (FALSE !== ($pos = strrpos($fileName, '.'))) ?
    substr($fileName, $pos + 1) :
    '';

// Content types block
switch($extension)
{
    case 'avi':
        $ct = 'video/avi';
        break;
    case 'bmp':
        $ct = 'image/bmp';
        break;
    case 'gif':
        $ct = 'image/gif';
        break;
    case 'jpeg':
    case 'jpg':
    case 'jpe':
        $ct = 'image/jpeg';
        break;
    case 'mov':
        $ct = 'video/quicktime';
        break;
    case 'mpeg':
    case 'mpg':
    case 'mpe':
        $ct = 'video/mpeg';
        break;
    case 'png':
        $ct = 'image/png';
        break;
    case 'swf':
        $ct = 'application/x-shockwave-flash';
        break;
    case 'wmv':
        $ct = 'video/x-ms-wmv';
        break;
    case 'rar':
    case 'zip':
        $ct = 'application/octet-stream';
        break;

//END//

default:
    $ct = 'application/octet-stream';
    if($logging)
    {
        $status = 'Generic_Filetype';
        include 'logit.php';
    }
}

$handle = @fopen($path.$fileName, 'rb') or die('Unable to select file.');

if(!$handle)
{
    die('Unable to transer file.');
}

header('Cache-Control: '); //keeps ie happy
header('Pragma: '); //keeps ie happy
header('Content-Type: '.$ct);

if('swf' != $extension) //flash plays, it isnt downloaded as an actual file.
{
    header('Content-Disposition: attachment; filename="'.$fileName.'"');
}

header('Content-Length: '.filesize($path.$fileName));
fpassthru($handle);

if($logging)
{
    $status = 'Granted';
    include 'logit.php';
}
?>

Now I've only one problem left with this part (hopefully) that I can't solve myself...

Different users has permission to download different files. Here is the structure of the files table again;

CREATE TABLE `files` (
  `file_id` int(11) NOT NULL auto_increment,
  `file_pack` varchar(50) NOT NULL default '',
  `file_pack_cat` varchar(50) NOT NULL default '',
  `file_cat` varchar(50) NOT NULL default '',
  `file_name` varchar(100) NOT NULL default '',
  `file_desc` text NOT NULL,
  `file_fullname` varchar(100) NOT NULL default '',
  `file_downloads` varchar(11) NOT NULL default '',
  `file_date` varchar(30) NOT NULL default '',
  `file_timestamp` varchar(30) NOT NULL default '',
  PRIMARY KEY  (`file_id`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=2 ;

And as you can see each file has a "file_name" and some of the files belongs to a "file_pack" with several files in it.

I'm planning to store the files each user has permission to download in another seperate table with the name "user_perm", here is the structure of that table;

CREATE TABLE `user_perm` (
  `perm_id` int(11) NOT NULL auto_increment,
  `perm_user` varchar(50) NOT NULL default '',
  `file_pack` varchar(30) NOT NULL default '',
  `file_name` varchar(100) NOT NULL default '',
  `perm_date` varchar(30) NOT NULL default '',
  `perm_timestamp` varchar(30) NOT NULL default '',
  PRIMARY KEY  (`perm_id`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ;

So if a user tries to download one file with, for example, the ID 1 the script must check the "file_name" AND "file_pack" of that file. Then it must check in the "user_perm" and see if the user has permission to download either the "file_name" OR the "file_pack". In other words, it is enough if the user has permission to download the "file_pack" to which the file belongs to.

I've at least started with this (but I don't know if it is right);

$result2 = mysql_query('select `file_name` , `file_pack` from '$file_tbl' where `file_id` = "'.$_GET['serve'].'"')
    or die( mysql_error() );

Then I don't know how to check both of the things (both "file_name" and "file_pack"). AND I don't know where in the script I should add the lines.

When the user login the username and password is stored in a session with this lines;

session_register("myusername");
session_register("mypassword");

Also, Should I change the database structure or should I change something else in the structure of the system I'mn trying to build (for example with the user permission system)?

Thanks in advance,
Best Regards
Oskar R