
  • Added on: May 18 2011 02:13 PM
  • Date Updated: May 24 2012 01:50 AM
 


Securing your downloadable files with PHP

Handy PHP Techniques by Chuckun

Posted by Chuckun on May 18 2011 02:13 PM
Firstly, a little introduction to these tutorials. I am currently working on a client's website, and when I want to take a break, I will be posting about techniques I've used to cater for different needs, which people may find interesting.

Today, I'll be showing you how you can easily protect your downloadable media.

Why would you want to do this? Well, often we want to hide the location of the downloads to stop people leeching our content, and most measures can be easily circumvented.

Here is a method I quite like. I have annotated everything for your convenience.

Filename: download.php
<?php
$filename = "downloaded.zip"; // this is the fake name you want the downloaded file to be called.
$source = "/downloads/thefile.zip"; // this is the real name and location of the file.

if(file_exists($source)) { // check that the real file exists, if so do the following..

header('Content-type: application/zip'); // set the content type of the current page to the type of file being downloaded
header('Content-Disposition: attachment; filename="'.$filename.'"'); // Forge the download name by setting filename=
readfile($source); // grab the real file to prompt download.

} else { // if the file doesn't exist
echo "Error: File not found!"; // display error message
}
?>


So how do we use this? Going to mysite.com/download.php grabs the file 'thefile.zip' from the /downloads/ folder and prompts you to download it, but with the new name 'downloaded.zip'.

This is the simplest version of this method. With a $_GET parameter, download.php can serve different files from the /downloads/ folder. Example below:

Filename: download.php
<?php
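$id = isset($_GET['file']) ? $_GET['file'] : ''; // the requested file number, e.g. download.php?file=5
if(!is_string($id) || !ctype_digit($id)) { // accept plain digits only, so the value cannot change the path or the header
header('HTTP/1.1 404 Not Found');
exit("Error: File not found!"); // same message as for a missing file
}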
$filename = "downloaded-".$id.".zip"; // will forge the name downloaded-5.zip (if download.php?file=5 is requested)
$source = "/downloads/thefile-".$id.".zip"; // will pick the real file titled thefile-5.zip (if download.php?file=5 is requested)

if(file_exists($source)) { // check that the real file exists, if so do the following..

header('Content-type: application/zip'); // set the content type of the current page to the type of file being downloaded
header('Content-Disposition: attachment; filename="'.$filename.'"'); // Forge the download name by setting filename=
readfile($source); // grab the real file to prompt download.

} else { // if the file doesn't exist
echo "Error: File not found!"; // display error message
}
?>


It gets even more advanced once you start adding more and more security. When dealing with premium ($$$) content, it's good to use a database and give all your files a masked name: MD5-hash the names, store them in a database with an assigned ID, and have download.php retrieve the filename from the database to know which file to retrieve. But that'd look a little messy for this tutorial.

I hope you learned something by reading this..

Thanks for reading!
Chuckun
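
The database-backed lookup described in the tutorial's last paragraph, as an added example that is not part of Chuckun's tutorial: download.php accepts only a numeric ID and takes both the masked on-disk name and the public name from a table. The `downloads` table, its columns, the temp directory and the sample row are constructed for illustration; it assumes PHP 7.1+ with the pdo_sqlite extension.

```php
<?php
// Added example (not the tutorial author's code). Table, columns, directory
// and the sample row are constructed for illustration.

// Look up a download by numeric ID. Returns [real path, public name] or null.
function resolve_download(PDO $db, $id, string $dir): ?array
{
    // The request supplies only an ID; reject arrays, "", "../5", "5 OR 1=1".
    if (!is_string($id) || !ctype_digit($id)) {
        return null;
    }
    $q = $db->prepare('SELECT stored_name, public_name FROM downloads WHERE id = ?');
    $q->execute([$id]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null; // unknown ID
    }
    // realpath() returns false for a missing file; the prefix check keeps the
    // resolved path inside $dir even if a stored name were ever tampered with.
    $base = realpath($dir);
    $path = realpath($dir . '/' . $row['stored_name']);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return [$path, $row['public_name']];
}

// Constructed demo data: an in-memory SQLite table and one file in a temp dir.
$dir = sys_get_temp_dir() . '/downloads-demo';
if (!is_dir($dir)) {
    mkdir($dir);
}
$masked = md5('thefile-5.zip') . '.zip'; // masked on-disk name
file_put_contents("$dir/$masked", 'demo bytes');

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE downloads (id INTEGER PRIMARY KEY, stored_name TEXT, public_name TEXT)');
$db->prepare('INSERT INTO downloads VALUES (5, ?, ?)')->execute([$masked, 'downloaded-5.zip']);

foreach (['5', '6', '../5', '5 OR 1=1'] as $id) {
    $hit = resolve_download($db, $id, $dir);
    echo str_pad($id, 10), $hit ? "-> serve {$hit[0]} as {$hit[1]}" : '-> 404', PHP_EOL;
}
// In download.php, a non-null result feeds the header()/readfile() calls from
// the tutorial: readfile($hit[0]) with filename="{$hit[1]}".
```

Hiding the location only holds if the real directory cannot be requested directly, so keep it outside the web root or deny access to it in the server configuration.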