Page 1 of 3

How to protect a download ?

Posted: Wed Jul 22, 2009 4:02 pm
by ciberyan
Hello to all here

I have a reluctant problem solved for the moment by a simple HTACCESS
I have page with lot of download links
I DONT want to protect these paged themselves but the action of download
HTACCESS do the job but visitor has to enter pass and login for each files which is a pain
I look for a way to login on the website and to give access to the download
Everything I see is to protect page that contain the download links ant that's not what I look for.
I want the visitor know what he can find on the web site. I just want he register to get acces (validate) the dowload link itself

I hope to be clear ..

Thanks in advance for your attention

Posted: Thu Jul 23, 2009 8:56 am
by Navaldesign
Well, there are ways to do what you want in WB.

Create a page with the download links. The links should have this format:

download.php?id=1
download.php?id=2
etc,

where 1, 2 ........ n are integer numbers each one corresonding to each of the files that you want to allow download.

Then, create a php file with this code:

Code: Select all

<?php
error_reporting(0);

session_start();
if(!isset($_SESSION['username']))
{
   header('Location: deny_page.php'); // Replace "deny_page.php" with your actual denial page name
   exit;
}
$folder = "strangefoldername"; // This is the folder where your files are, make its name rather strange like "hJ68bkG9"

$file[1]= "filename1.pdf";
$file[2]= "filename2.doc";
$file[3]= "filename3.xls";
// Add as many as necessary

$file_name = $file[intval($_GET['id'])];
$file_path= $folder."/".$file_name;
$file_type = filetype($file_path);

$data = file_get_contents($file_path);
$file_size = strlen($data);

header("Pragma: public");
header('Expires: '.gmdate('D, d M Y H:i:s').' GMT');
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Cache-Control: private",false);

header("Content-type: Application/ $file_type");
header("Content-Disposition: attachment; filename=$file_name");
header("Content-Description: Download PHP");
header("Content-Length: $file_size");
header("Content-Transfer-Encoding: binary");

header('Expires: '.gmdate('D, d M Y H:i:s').' GMT');
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Cache-Control: private",false);
header("Content-Description: File Transfer");
header("Content-type: $file_type");
header("Content-Disposition: attachment; filename=\"$file_name\"");
header("Content-Description: Download PHP");
header("Content-Length: $file_size");
header("Content-Transfer-Encoding: binary");


$file = @fopen($file_path,"r");
if ($file) {
   while(!feof($file)) {
        $buffer = fread($file, 1024*8);
        echo $buffer;
    }
  @fclose($file);
}
?>
Copy the code in Notepad, Save As, select File Type: All files, and save as download.php. Of course, you need to change the first lines to include the real filenames, as well as your deny page (the same used in your login script). In the denial page inform the user that he has to be registered and logged in, and provide a link to the registration page and the login page. OR, if you don't use the login script for other purposes, make the denial page be the login and registration page.

This code will "see" if the user is logged in, and if yes, it will "read" the file and output it to the browser as download. If not logged in, it will send the user to the denial page.

Please note that the script will fail if the stat() function is disabled (it is, in certain hosting companies, for security reasons)

If that is the case, the script should include a second array with the MIME filetypes of the files.

Posted: Thu Jul 23, 2009 3:16 pm
by Navaldesign
Demo: http://www.dbtechnosystems.com/wb6/download


Download the demo project:
http://www.dbtechnosystems.com/wb6/down ... wnload.zip


It is enough to place the files in a subfolder or in an upper level folder.
The updated download script will NOT display the folder, only the file name. So it would be quite secure.

Posted: Thu Jul 23, 2009 5:48 pm
by ciberyan
Thanks for your idea

Can you explain a little bit the format of
$file[1]= "filename1.php";

let say my file is doc.pdf

how should I write this line ?

Thanks again

Posted: Thu Jul 23, 2009 7:16 pm
by Navaldesign
Just replace "filename1.php" with "doc.pdf"

$file[1] = "doc.pdf";

If you open the download.php file included in the zip, it will become clear. Use Notepad if you don't have a php editor.

Posted: Sat Jul 25, 2009 9:27 am
by ciberyan
Thanks again for your time

Posted: Sun Aug 02, 2009 10:04 pm
by jerryco
How to make this work for the Single Page Protect object?

Posted: Sun Aug 02, 2009 10:13 pm
by Navaldesign
Replace this line:

if(!isset($_SESSION['username']))

with


if(!isset($_SESSION['password']))

Posted: Mon Aug 03, 2009 8:08 am
by jerryco
Beautiful. Thank you.

Posted: Sat Apr 24, 2010 1:01 pm
by ciberyan
Naval, sorry to come back to you again ...

Is there a way to replace the button you are using by an hyperlink (text) or an image with a link ?

Thanks in advance

Posted: Sat Apr 24, 2010 1:17 pm
by me.prosenjeet
Wow this is a real good thing to protect download links

Posted: Sat Apr 24, 2010 3:56 pm
by Navaldesign
ciberyan wrote:Naval, sorry to come back to you again ...

Is there a way to replace the button you are using by an hyperlink (text) or an image with a link ?

Thanks in advance
Certainly, you can use ANY type od link: image, text, button, anything, as long as you link it as per instructions.

Posted: Fri Sep 03, 2010 12:58 pm
by ciberyan
Hello Naval

I am afraid to need your help once more time

Everything is ok as long as file are NOT .exe type
exe type will be downloaded but extension is truncated
Any way to avoid this ??

Thanks for your valuable help

Posted: Fri Sep 03, 2010 4:32 pm
by Navaldesign
Yes, zip the .exe files.

Posted: Sat Sep 04, 2010 1:14 pm
by ciberyan
:D

Thanks anyway

Just have to redownload Mo of files ...

an "extension" version of this WONDERFUL piece of software would be great
(ie, instead of editing by hand the php file)