Hi,

I want to be able to provide a download area on a site where people can download an MP3 track provided they have joined a mailing list. Now, it is easy for me to write a PHP script that checks my MySQL DB to see if the email is valid and then directs them to the download, but what stops people from finding out the directory of the download and entering that in the URL in the first place, thus bypassing any security checks etc.?

What are the ways of providing secure folders where only PHP can interact with the folder?

PHP

5 Comments

@OriginalSymmety (author), May 30, 2008 — Just had a thought...

Maybe storing my downloads into MySQL as MEDIUMBLOB objects?
@OriginalSymmety (author), May 30, 2008 — Perhaps I'm making this more difficult than it needs to be. How about I create an FTP connection with PHP?
@OriginalSymmety (author), May 30, 2008 — Well, I have been experimenting with the BLOB route and had mixed results...

I can successfully upload images to the BLOB field but not MP3s. Anybody got an idea what is going on? I've altered the column of the BLOB to make it LONGBLOB, so file size is not an issue...
@Lazer, Jun 01, 2008 — Hi.

You can make the folder [B]itself [/B]PASSWORD protected by SERVER control panel.

OR

Make the PHP download page PW protected, something like:

[code=php]
<?php
// Password supplied by the visitor, e.g. from a form field
$pw = isset($_POST['pw']) ? $_POST['pw'] : '';
if ($pw !== "your password") {
    die('download can only be done using valid password.');
}
[/code]

OR

create a [B]time expired [/B]folder and name it with the SESSION id number, which is UNIQUE for every browser on your web site, and copy the file you want to allow download to this folder.

@NogDog, Jun 01, 2008 — Store the files in a directory which is either outside of the web document root directory, or else configure your web server to not serve files from that directory (e.g. via .htaccess in Apache). Then write a file server script in PHP that will validate the user's login status and, if valid, serve up the file, e.g.:
[code=php]
<?php
session_start(); // $_SESSION is only populated after the session has been started
if(!isset($_SESSION['logged_in']))
{
    header('Location: http://www.example.com/login.php');
    exit;
}
if(!isset($_GET['file']))
{
    header('HTTP/1.0 400 Bad Request');
    exit;
}
// basename() strips any directory components from the request;
// the extension is appended here, not taken from the client
$file = basename($_GET['file']) . '.mp3';
$dir = 'path/to/files/'; // a directory the web server does not serve directly
if(!file_exists($dir.$file))
{
    header('HTTP/1.0 404 Not Found');
    exit;
}
header('Content-Length: ' . filesize($dir.$file));
header('Content-Type: audio/mpeg');
header('Content-Disposition: attachment; filename="' . $file . '"');
header('Content-Transfer-Encoding: binary');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
readfile($dir.$file);
exit;
?>
[/code]

You would then access a file with a URL query string for the file name, e.g.: "http://www.example.com/scriptname.php?file=some_name"
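Tying NogDog's gateway approach back to the original question (membership checked against MySQL rather than a login flag), here is an added example that is not from this thread. It assumes a `subscribers(email)` table, PDO connection details, a `private_mp3` directory one level above the web root, and that the visitor's address is held in `$_SESSION['email']` after joining the list.

```php
<?php
// Added example, not from the thread. Assumed: table subscribers(email),
// PDO credentials, directory ../private_mp3 outside the document root,
// and $_SESSION['email'] set when the visitor joined the mailing list.
session_start();

// Resolve the storage directory once; the web server never serves it directly.
$dir = realpath(__DIR__ . '/../private_mp3');
if ($dir === false) {
    header('HTTP/1.0 500 Internal Server Error');
    exit;
}

if (empty($_SESSION['email'])) {
    header('Location: /join.php'); // assumed sign-up page
    exit;
}

// Re-check membership on every download with a prepared statement.
$pdo  = new PDO('mysql:host=localhost;dbname=site', 'dbuser', 'dbpass'); // assumed
$stmt = $pdo->prepare('SELECT 1 FROM subscribers WHERE email = ? LIMIT 1');
$stmt->execute([$_SESSION['email']]);
if (!$stmt->fetchColumn()) {
    header('HTTP/1.0 403 Forbidden');
    exit;
}

// Whitelist the track name (letters, digits, dash, underscore); we add the extension.
$name = isset($_GET['file']) ? $_GET['file'] : '';
if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name)) {
    header('HTTP/1.0 400 Bad Request');
    exit;
}

// realpath() resolves ../ and symlinks; insist the result is still inside $dir.
$path = realpath($dir . '/' . $name . '.mp3');
if ($path === false || strpos($path, $dir . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
    header('HTTP/1.0 404 Not Found');
    exit;
}

header('Content-Type: audio/mpeg');
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="' . $name . '.mp3"');
header('X-Content-Type-Options: nosniff');
readfile($path);
exit;
```

Because the files sit outside the document root, guessing the directory name gains nothing: the only path to the bytes is this script, and it re-validates membership on every request.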