Jump to content

Securing your downloadable files with PHP

Chuckun

By Chuckun
in Tutorials

 Share

Recommended Posts

Chuckun Newbie

Chuckun

Posted
Posted (edited)

Firstly, a little introduction to these tutorials. I am currently working on a clients website, and when I want to take a break, I've decided I will be posting about techniques I've used to cater for different needs, which people may find interesting.

 

Today, I'll be showing you how you can easily protect your downloadable media.

 

Why would you want to do this? Well, often we want to hide the location of the downloads, to stop people leeching your content. And most measures can be easily swerved.

 

Here is a method I quite like. I have annotated everything for your convenience.

 

Filename: download.php

<?php
$filename = "downloaded.zip"; // this is the fake name you want the downloaded file to be called.
$source = "/downloads/thefile.zip"; // this is the real name and location of the file.

if(file_exists($source)) { // check that the real file exists, if so do the following..

header('Content-type: application/zip'); // set the content type of the current page to the type of file being downloaded
header('Content-Disposition: attachment; filename="'.$filename.'"'); // Forge the download name by setting filename=
readfile($source); // grab the real file to prompt download.

} else { // if the file doesn't exist
echo "Error: File not found!"; // display error message
}
?>

 

So how do we use this? going to the destination: mysite.com/download.php would grab the file 'thefile.zip' from the /downloads/ folder, and prompt you to download it, but with a new name of 'downloaded.zip'

 

This is the simplest version of this method. Obviously with use of $_GET requests you can have download.php choose varying files from the /downloads/ folder. Example below:

 

Filename: download.php

<?php
$id = $_GET['file'];
$filename = "downloaded-".$id.".zip"; // will forge the name downloaded-5.zip (if download.php?file=5 is requested)
$source = "/downloads/thefile-".$id.".zip"; // will pick the real file titled thefile-5.zip (if download.php?file=5 is requested)

if(file_exists($source)) { // check that the real file exists, if so do the following..

header('Content-type: application/zip'); // set the content type of the current page to the type of file being downloaded
header('Content-Disposition: attachment; filename="'.$filename.'"'); // Forge the download name by setting filename=
readfile($source); // grab the real file to prompt download.

} else { // if the file doesn't exist
echo "Error: File not found!"; // display error message
}
?>

 

It gets even more advanced once you start playing with more and more security. When dealing with premium ($$$) content, it's good to use a database and give all your files a masked name, by MD5 encoding the names, storing them in a database with an assigned ID, and having download.php retreive the filename from the database to know which file to retreive. But that'd look a little messy for this tutorial tongue.gif

 

I hope you learned something by reading this..

 

Thanks for reading!

Chuckun

Edited by Fearless Staff
  • Like 1
Link to comment
Share on other sites
  • 1 month later...
Eliel Newbie

Eliel

Posted
Posted (edited)

Unsure if you'll even see this but this is prone to an RFI (http://en.wikipedia.org/wiki/Remote_file_inclusion) or even more likely a local file inclusion attack given the current state of the code provided. I could simply exploit your $_GET variable and force download your system account usernames and passwords from the server. Of course it is a tutorial but if a user were to have used that code without any knowledge of PHP and simply just c&p, like most do, then I wouldn't advise using it as is.

Edited by Eliel
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Unfortunately, your content contains terms that we do not allow. Please edit your content to remove the highlighted words below.
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing

About Us

We are glad you decided to stop by our website and servers. At Fearless Assassins Gaming Community (=F|A=) we strive to bring you the best gaming experience possible. With helpful admins, custom maps and good server regulars your gaming experience should be grand! We love to have fun by playing online games especially W:ET, Call of Duty Series, Counter Strike: Series, Minecraft, Insurgency, DOI, Sandstorm, RUST, Team Fortress Series & Battlefield Series and if you like to do same then join us! Here, you can make worldwide friends while enjoying the game. Anyone from any race and country speaking any language can join our Discord and gaming servers. We have clan members from US, Canada, Europe, Sri Lanka, India, Japan, Australia, Brazil, UK, Austria, Poland, Finland, Turkey, Russia, Germany and many other countries. It doesn't matter how much good you are in the game or how much good English you speak. We believe in making new friends from all over the world. If you want to have fun and want to make new friends join up our gaming servers and our VoIP servers any day and at any time. At =F|A= we are all players first and then admins when someone needs our help or support on server.

Player Gaming Stats for =F|A= Servers.

×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.

  I accept