php hidden download link - php

I'm looking to make a simple PHP microsite that allows the download of one of my bands tracks in exchange for an email address. I know I could use Bandcamp but I want to do it myself ;)
I found a microsite from a band I like that does exactly what I want so I tried to pick it to pieces. The site is http://threetrappedtigers.heroku.com. This site basically gets you to enter your email address which it then must put in a database (unless it finds a match for that email address in the DB).
You can then view the download button and downloads the file without revealing the source url of the file. The href for that button is "download/" leading me to assume that there is an index.php in the download directory, which must require some sort of session id (presumably set up when submitting your email) to stop people linking directly to it. However the file also does some work that I don't know about in order to obscure the link.
The other aspect I don't understand is that on the page where the email is inputted there is a hidden input that submits a random authenticity_token when submitting the email address. I can't quite work out why that is necessary either.
Apologies for this horribly specific question but I've been trying to work it out all morning and can't quite get my head around.
Thanks,
Rich

What you can do is this:
User enters an email address
Verify (or not, depends on your wishes) by sending an email with a link that contains a token. i.e.: http://myawesomband.com/downloadtrack.php?token=asd#%$dhj123
downloadtrack.php validates the token and loads the sample track with file_get_contents() and offers it as a download (see specific headers on the php.net site)
The advantage is that the user doesn't know where the file is located (it is best if you place the sample track outside of the webroot.
[EDIT]
For your hidden input field token: This might be used to confuse bots and other scripts that will only post the 'email' field in large quantities. If the token isn't sent and doesn't match the $_SESSION['token'] value the request isn't handled. This works because scripts that do these kinds of attack generally don't accept cookies so their $_SESSION array is never reloaded.

you can have a look at this as it does what you want, either use cake or take some ideas
http://book.cakephp.org/view/1094/Media-Views
https://github.com/cakephp/cakephp/blob/master/cake/libs/view/media.php
you can see in the render() function its mostly about setting the correct header

Related

Hide part of a page for bots using captcha and limit the number of times to offer captcha

I want to hide part of a page (a div) for bots (such as Google Bot), but it should be visible to Humans.
I did quite a bit of research on the above topic but could not find a proper solution. Using the knowledge obtain from searching I came up with the following work around.
Users are offerd to solve a Google-reCaptcha
User solve the captcha and submit a request to view content
A Persistant-Cookie and a new Session-Variable is created
Above details are recorded in a database with IP and User-Agent
As long as Session is valid user can view the content
If Session is absent, but a valid cookie is present
Create a new Session-Variable and update records in the database
If cookie or session invalid
Offer reCaptcha again
So the users do not have to solve a Captcha on each visit to the site and a valid cookie can be used in different pages for the same purpose.
Any comments on how to limit the number of times a user has to solve a Captcha or any weakness of the propose method will be highly appreciated.
May i suggest you reversing the approach by making an input text box then use css to make it invisible to the human eye then during validation you check if this invincible text box has been filled ? If it has then you end validation as only a bot could have seen it, this is called Honeypot Validation.
Never depend on data from cookies all user inputs are dangerous and can be manipulated, so step 6 is wrong.
About IP address it is against the law in some countries to store IP addresses of your visitors with out their consent, make sure your users know that their IP addresses will be stored, should they decide to view and continue to use the site.

Embedded iframe - Verify source/origin of GET request

I'm seeking to utilize an iframe to embed some html in customers websites that will list some information from my database using a simple GET request like so:
// customer would copy/paste this code onto their site
// value of key would be unique key for that customer
<iframe src='http://mydomain.php/api?key=1234j1lj1hj124kh' ></iframe>
Now I want to be able to verify that the request is coming from customer that owns the key, and not just anybody who copy/pasted that code onto their page.
I've done some research and found that $_SERVER['HTTP_REFERRER'] can give me this information, but with mostly mixed reviews saying it isn't always reliable (and most of the questions I came across were a couple years old).
QUESTIONS
1.) Is this method of using an iframe/GET request the standard way of achieving this functionality?
2.) Is there a standard, SECURE and RELIABLE way to verify the origin of the GET request?
Unfortunately this is not possible in a secure way.
To answer your questions: In fact this is not a standard functionality itself. I mean, there is no standard secure way of allowing content to be loaded only through iframes from allowed websites.
There are three parties in this communication:
1) Your website
2) Customer website that loads your website's data in an iframe
3) End user visiting customer website
When an end user visits customer web site, he will perform a GET request to your website through the iframe. At this connection, 2nd party above (customer website) is not involved. In this case, there is no reliable way for your website to know whether this request is coming through the iframe or not. Only favor that party 2 does here is adding HTTP_REFERER header to end-user's request. But this header cannot be trusted.
For example, if I want to abuse this and show that content on my website, I can create a proxy page on my application, where I perform a back-end call to your app (adding a valid HTTP_REFERER header) and display results back.
Personally I would never use iFrames for this functionality. I am assuming that this has to be reasonably secure, which is why only your specified customer can view it? If for whatever reason you can't use PHP to embed the content you need to display (through the use of an "included" file for example), I would instead use AJAX which would still use any PHP user verification you have in place to dynamically load content into a secure webpage.
This is because your PHP user verification will (should!) use cookie/session information to determine which customer is viewing the page and therefore decide whether the content should be delivered, since Session variables are determined by a single unique code stored client-side, which match up to as much information as you want to collect about a user server-side (Which could include the last page they visited, which is what the "HTTP_REFERRER" variable would give you, if they came from another page on your website).
'$_SERVER' variables aren't reliable because they rely on the information given to them by the web browser when the request is made, and such information can easily be forged, by most people who have a basic understanding about how headers are sent.
In summary, use a NONCE (cookied), validate IP and user agent.
Steps:
When you deliver the outer frame, generate a unique identifier
(totally random, long string) and return that in a cookie with the
HTML content.
At the same time, note the IP and the user agent string you have
sent that unique identifier to, and store in a DB with the time.
When requesting the inner frame, assuming the same domain, the
cookie will come too. (If a different domain, you'll need to attach
the unique identifier as a visible string, but that's not really of
concern, just uglier)
If the user agent or IP do not match those you stored against the
unique string, or the request is too long (i.e. after an hour, or
whatever is reasonable for your application) or the unique string is used more than once
(or whatever other restrictions you place on it) then reject the
request and invalidate (delete) the unique identifier.
Not 100% foolproof, but just combine more options to make it less and less likely to be abused.

Executing encrypted/secure PHP/SQL script by clicking a link within an e-mail

I'm receiving e-mail from my PHP/MySQL application with certain links.
When I click on a certain link (Approve, for example) within the e-mail, I want a message to be sent back to my Application, which it'd translate into a PHP script or SQL statement to update certain fields in the database.
In order to determine which fields to update, certain user and request related information may be included in the link (user name, category, amount, etc.) but I don't want this to be seen as plain text or discovered by someone looking into the e-mail details (can it be encrypted and then decrypted by the PHP application when user Clicks back in the e-mail)
I want this to happen only if I'm clicking on the original e-mail, not if it it's a forward or reply of the original
NOTE: My Application is not SSL enabled
What components/frameworks could be used to accomplish this and ensuring a perfectly secure solution (i.e. it could be PHP web services, details on what method to use to encrypt/decrypt, etc.)
None. There is no such thing as perfect security. And if you consider that a forward may copy each and every byte of the original, it will be tricky to react differently on links in forwarded messages.
what about letting your user simply reply to the email so your original text is returned. You could be relatively sure, that the user is the only person with access to this particular email- address and you could read your secret and encrypted message from the email-text.
You could let a cronjob run every x seconds, let the php- script read the message for a string like:
<SECRET_INGREDIENT>jkbgv7&%%((Nj3js8<SECRET_INGREDIENT_END>
So php looks for <SECRET_INGREDIENT> and for <SECRET_INGREDIENT_END> and decrypts the part between.

HTML 4 Website - User submits email address to access/download a file

We have an archaic website done completely in HTML 4, and I've been tasked with coming up with a way to have the user input their email address to access/download files.
After submitting their email address, it can either take them directly to the pdf file or be redirected to a "Thank You" page that has a link to the file.
We would then be able to see a list of the email addresses & who downloaded what.
I was told server side scripting language is required. To be honest, I have basic skills in coding, and I am completely stumped by this task. Any help (explained in simple terms please) would be greatly appreciated.
Thank you!
Jen
Your solution is going to be broken down into 2 parts, both server-side. Firstly, you will need some server-side code to handle the user input, and a database to store a mapping from email addresses to file names (although this can just be a text file sitting on the server).
Server-side script
You have a world of choices when it comes to server-side scripting languages, from the insanely popular PHP, which while supported from the majority of web-hosting companies, is riddled with bad design problems and (to my mind) should be avoided at all costs. However, it is still completely adequate for your purposes.
On the other end of the scale is the lightning fast node.js, which allows you to program your web application using JavaScript; this is arguably a more pleasant means to do so, but hosting is typically more expensive and geared towards web applications with large user bases.
There are many other possible solutions in between, but for argument's sake we'll assume you use PHP.
Database
The role of the database is simply to store the relationship between the email addresses and their respective file download paths. Again, there are a whole host of different solutions, and some may argue for or against them. One of the least-trusted solutions (but unfortunately, incredibly widely supported and tightly knit with PHP) is MySQL, which again for argument's sake, we'll use.
How it works
Your web application will first of all check for any user input (i.e. the user's email address submitted from an HTML form). Then:
If the user has not submitted anything, then output a page with an HTML form on it, which might look something like this:
<form action="thispage.php" method="post">
<input type="text" name="email" value="Enter your address here" />
<input type="submit" value="Get my file!" />
</form>
When the user clicks the submit button, the entered email address will be sent to thispage.php (or whatever you decide to call this script).
If the user has submitted an email address, (i.e. the user clicked the button in the above form), then we query the database with the email address to find out where the user's file is. There are a million-and-one tutorials on how to do this - there are straightforward examples for PHP here.
Once the file path has been retrieved from the database, you can either output some HTML as a 'Thank you!' page, with a link to the PDF file, or simply redirect them immediately by using the following code, where $URL is the URL of the file.
<?php
header('Location: ' . $URL);
?>
There are again alternatives to how you do this - if you want to keep the PDF file hidden from unauthorised eyes, you can store it somewhere on the server, inaccessible to the outside world, and then simply output the contents of the file into the page. This might look something like the following, where $path is the path to the PDF file on the server's filesystem:
<?php
header('Content-type: application/pdf');
echo file_get_contents($path);
?>
I hope this gets you started. If you need any more guidance, you're already in the right place to ask!
It depends on how much protection you want. If you want to make sure the file is completely inaccessible for people who don't input their e-mail address, you can block the file with the .htaccess file (in Apache). Then make a page to retrieve the file to download if the session that you previously set up was okay. I don't think that would be necessary from what you said. The other option is to make a page with a simple form, with action="somepage.php". On that page you would then retrieve the e-mail with $_GET or $_POST (that is, if you are using PHP), then save it in the database or a text file or something. (You could even send it to your e-mail) Then:
1) If you are using the protection I mentioned before, then set the session as OK (you can do this with session_start() at the beginning of the file and then include $_SESSION["gave_email"] = 'true';). Then test that variable to see if it is true. If it is true, redirect the user to the PHP page that shows the file. (The appropriate syntax for a check like this one might look like this:
(if isset($_SESSION["gave_email"] && $_SESSION["gave_email"] == true)
//you show the content, then reset the $_SESSION variable to false
2) If you are not worried about security, then simply redirect the user to the page you want (either directly to the file or to another page that contains a link for download).
To forward with PHP you can use header('Location: page.php'), where page.php is the page you want. The whole thing seems pretty simple, so if you have some more specific question in this, please ask it.
Try google feedburner. Its allow you to valid download verification When someone subscribe on your website using feedburner then download will be possible. The feedburner subscription is refresh in every 10 hour.
http://feedburner.google.com/

verify email opened

once we send email from php using mail() function, is there any way to check either mail is open or not?
may be any type of database insertion code in email..?
or calling any function from website?
any possibility.........
i search on internet all the day but did't found any ans.
Thanks
Small images - called Web Bugs - are the only direct way as Szere Dyeri points out, but they are increasingly frowned upon and blocked by every major mail client for privacy reasons now. I would not consider them a reliable way to tell whether an E-Mail has been read any more.
There is a legitimate way to request a read receipt by adding the following header to the E-Mail:
Disposition-Notification-To: your#address.com
Sending of this notification can be turned off by the recipient of course.
Add an invisible small sized image to the email content. And, let the image point to a unique url on your website. You will know that email is opened once that url is accessed. But this will not work in email clients that does not show images in the emails by default.
I found this web service called Get Notify. They claim they do this for free but you need to verify for yourself.
The only way to do this would be to include an image in the email that resided on your server which includes a key to match to the user you are sending the email to. For example, I send an email to Joe#mail.com. In my database (or other storage system) I have Joe#mail.com matched to key 0100. In his email I include an image, like
<img src="http://www.myserver.com/image/?key=0100" />
On your server, /image/ needs to return an image, even a 1 pixel .png. Now you have the key that the user was assigned and can act accordingly.
Many people responded that adding a "tracking image" is a "frowned upon" method and 'considered "questionable" activity'.
Out of curiosity lets say we didn't include a separate tracking image but rather we included this method in an existing image like for instance added it onto your companies logo image like:
http://mycompany.com/images/logo.png?track=2742'>
At least with this method your tracking image won't get blocked by any scanning applications.
One legitimate way to do this is to only send textual information in the email asking the user to follow a link which you can then track. Something along the lines of:
//lots of good info to identify yourself/company
Thank you for your request...
Please follow this link: http://somewhere/ for tracking information
Unfortunately this leaves it in the users hands to acknowledge your request. This is considered to be the most respectful way to do it.
If your application is not public facing (i.e. an internal app for your company), then the img src method already posted is a good technique.

Categories