i am using PHP to connect to a MySQL Database and customers can login to my website and it lists rows form a table based on their login etc.
I need to be able to display a link to a file name in the database but i don't want users to be able to see the link to the file.
for example, they can download file 1234.pdf and if they can view the actual link, they might think of going to the same location but doing file 5678.pdf which is only meant for another user to download.
so basically i want to hide the link in a long string or something but i'm not sure where to start - any ideas?
Thanks
EDIT:
lets say Customer A logs in, they can view rows from table1
TABLE1
customer file_link
A 1234.pdf
A 5678.pdf
B 8765.pdf
B 4321.pdf
so, i dont want customer A to be able to view the links for customer B.
i mean, if customer A hovers over a link and can see the main file path they can type this in their web browser and then change the file name (guess it) to something else and download another customers file(s)
if you're planning on not letting others see the file links then you probably wouldn't want search engines to see them as well. A typical way of forbidding users from trying out such stuff is to have a specific page that flushes the file instead of linking directly to the file. E.g.,
Download
then in download.php you could check user permissions and make the browser download the file.
<?php
$file = 'file1234.pdf';
$file_url = 'http://www.test.com/files/' . $file;
header('Content-Type: application/octet-stream');
header('Content-Transfer-Encoding: Binary');
header('Content-disposition: attachment; filename="' . $file_url . '"');
readfile($file_url);
die();
?>
I think this is what you'll need.
Related
I on a system where site owners can load securely pdf documents into a document bank based on their category, ei: meeting related documents, ebooks, reports, etc. The system loads them into a directory based on the category in which they were assigned at the time of the upload. This means not all pdf documents will be in the same sub-directory as each category has its own sub-directory in which it stores its files. When the site owner, from the frontend, views a list of all the documents in that category and clicks on the document, currently it opens a modal that allows them to view the file data and download the file; but it doesn't allow them to view the pdf file prior to downloading or simply to print instead of downloading. What I am trying to do is write a php code that will dynamically pull the correct pdf and display it in an iframe on the corresponding download page for the owners to view. These are the various ways I've attempted this, each one failed.
MODIFIED Version 1.0 failed:
<?php
$file = 'docstation/$parent_type/$parent_id'/$id;
$filename = '$file_name'; /* Note: Always use .pdf at the end. */
header('Content-type: application/pdf');
header('Content-Disposition: inline; filename="' . $file_name . '"');
header('Content-Transfer-Encoding: binary');
header('Content-Length: ' . filesize($file));
header('Accept-Ranges: bytes');
#readfile($file);
?>
EXPLANATION: The real path is docstation/com_docstation/97/...
1-> 'docstation' being a directory that sits on the root of their site
2-> '$parent_type' = 'com_docstation' referenced in the sql table as the method of upload (another method is via an attachment to an article, so i'd need this to be dynamic too)
3-> 'parent_id' = '97' the id of the category which would also equal the name of the sub_directory the file is actually stored in, aka '97'
4-> 'id' = being the id of the document
I thought fore sure this would work but it didn't
MODIFIED Version 1.1 failed:
<?php
echo "<iframe src=\"http://docs.google.com/gview?url=docstation/$parent_type/$parent_id'/$id\" width=\"100%\" style=\"height:100%\"></iframe>";
?>
This didn't either. I'm open to suggestions. All I know is that I can't put a real path in there because the path will vary from one document to another based on the method of upload and the category assigned.
Anyone got any suggestions?
Dorothy
I have a web page in which user was given certain input methods to fetch data from database. data will be displayed on web page.
I want to store data that user fetched data from my s-q-l database into an excel file.
command i'm using is given below
$excelquery1="SELECT * FROM excel12 INTO OUTFILE 'D:/Downloads/xyz.csv'";
$excelresult1=mysql_query($excelquery1);
it is running ok and data being fetched will be stored in a new file created in Downloads folder with a name xyz.csv
but user have to go manually to that location to check file.
how is it possible that user must be shown downloaded file in the download bar. + I also want to ask that if the xyz.csv is already present in the location when the query execute so in that scenario this query won't get execute saying file already present. so how to tackle this problem ?
how to give unique file name to the file that will be created..
This is the main idea. You need to adequate the code to your need
$file="/path/to/file".date("YmdHis").".csv"; //file location
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="'.basename($file).'"');
header('Content-Length: ' . filesize($file));
readfile($file);
I need a method to protect the download URL of a file from being seen by the downloader.
The idea is that the user is given a download link after paying, but to stop them spreading the URL among their friends who haven't paid.
What are some common solutions to this? Possibly changing file name?
(I can do PHP, and mySql this post is for methods really)
If users have an account on your site, stock in your DB if they paid the download. Then give them a link such as download.php where you verify if they paid, and if yes, do a location to the file. Example for a .pdf :
if($userpaid === true) {
$filename = 'congrat-you-paid-it.pdf'; //Name to display
$file = './download/pdf/secretlink.pdf';
header('Content-type: application/pdf');
header('Content-Disposition: inline; filename="'.$filename.'"');
header('Content-Length: ' . filesize($file));
#readfile($file);
exit;
}
One solution could be to use SESSION or a similar temporary storage and generate download URLs at run-time. So clicking on the URL again may not work.
Also, direct access to the files should not be allowed.
Create a token. Store at your end and send with file URL as well. When user clicks the URL match the token and allow the download, then remove token from your storage.
You've to generate new token every time registered user wants to download though.
Use sessions is quick and easy, for better security, what you can do is:
Put the actual file in a separate folder and put a .htaccess in it to
only allow the script to access that file.
Then generate a random unique variable
Then make a temp file with that name and give the link to it to the
client
Finally run a cron job to delete the unnecessary created files.
I am working on a project where the user would be able to buy media files.
after the payment is processed I would like to allow them to download the file.
I guess it is safe to say that I should have a temporary link to the files. one that is linked to the IP of the user and perhaps a timestamp?
the problem is I dont know where to start with that.
First of all. is this the way to do it? if so..how do I proceed using php. ( i guess I dont need the exact script just hints on how to do it although if there is an existing script I would not mind)
thank you.
Since you are going to handle the file in PHP you might aswell use a login to check if the user has purchased the file, other than that the code should look a little like this:
header('Content-Type: application/force-download');
$file = new File(intval($_GET['id']));
$fileLocation = dirname(__FILE__) . "/../../upload/fileArchive/" . $file->id . "." . $file->type;
header('Content-Length:' . filesize($fileLocation));
header("Content-Disposition: inline; filename=\"".$file->name."\"");
$filePointer = fopen($fileLocation,"rb");
fpassthru($filePointer);
Taken from production and tested
I wouldn't tie the temporary link to an IP, it isn't very user-friendly solution.
Store the purchased media in a table for example:
Media id (This refers to an another table where the media details described)
Unique token (This will identificate the purchase)
Client id
Total downloads (Maybe you want to enable the download 5 times)
Token expiry (If you want to limit the access on this)
The download url must contain the unique token and some more data (user's hashed e-mail, etc.) to make the url more unique and more secure.
Sample URL: http://example.com/purchase/nc9o32ocrn8of4nv348/989934ov9344b
First hash holds the purchase itself while second one identifies the user. On successful identifying you can serve the file like Kristoffer said.
header('Content-Type: application/force-download');
$filee = "r.txt";
$fileLocation = dirname(__file__).'/the_sub_folder_for_file/'.$filee;
header('Content-Length:' . filesize($fileLocation));
header("Content-Disposition: inline; filename=\"".$filee."\"");
$filePointer = fopen($fileLocation,"rb");
fpassthru($filePointer);
I want to prevent downloading the zip file from my site. Only allowed for some times(at the time of payment). How can it me possible to expire that link or somthing like that to prevent my zip files.
How the rapidshare.com working? we can see the url but not possible to download ??
look at my answer and the comments on this question What is the best method to hide a file on a server? .. this is an idea and may work well for u , if u find it interesting and you agree with it
Edit:
As for how rapidshare works , i think u can hold the time when u want the actual download to happen in session and disable the link button with javascript on the UI , so even if they find the link and they goto it , you can check the time against the session time and redirect them elsewhere.
I am assuming only a registered member can download? You can store the time of payment in a database. Then the download can be accessed through a url like this: http://myhost/download-file.php?file=the-file-name.smthn
When the user goes to this url do all the credential checks like user name and password and the time he has paid. If he is allowed to download fetch the file and output to the browser like so:
$file = file_get_contents('dir-inaccessible-through-web/the-file-name.smthn');
header('Content-disposition: attachment; the-file-name.smthn');
// optionally
$size = strlen($file);
header('Content-length: ' . $size);
echo $file;
Note that the actual file is inaccessible to the web.