  1. #1
    SitePoint Enthusiast
    Join Date
    Jun 2002
    Posts
    29

    Question Best Method for file protection...

    Ok, I'm trying to create a sales backend for my website and I've run into a little problem. I will be selling small digital products online. A user will be registered and they will be able to download only the product that they have purchased. Once they click the download link, their ability to download that product again is locked (countermeasure against password leakage) and they are then directed to the file.

    My question is this, there are many ways you can 'hide' files, but which one would some of you more experienced programmers use? I've never programmed a system like this before and could use a few good pointers.

    Everything is already coded and works wonderfully, I just need the ability to cloak my products so some snoop doesn't 'wander' into my products directory.

    I did, for a moment, think that sticking them into a mysql database would work, but that would create so much overhead if the files are rather large.

    What are your suggestions?

  2. #2
    SitePoint Zealot
    Join Date
    Aug 2002
    Posts
    178
    Stick the files in a directory outside the www root:
    /home/nucleuz/www/ <-- viewable from the web
    /home/nucleuz/files/ <-- NOT viewable from the web.
    So: with this you can make sure no one can access the 'files' directory from the net; the only way to get the file is to log in and get the file via a PHP script.

  3. #3
    SitePoint Enthusiast
    Join Date
    Jun 2002
    Posts
    29
    OK, that's one way that I was thinking of, but I get stuck at the part where you find the file under root.

    Not sure of what method to use as I've never even touched the concept.

  4. #4
    SitePoint Enthusiast
    Join Date
    Jun 2002
    Posts
    29
    hey, you're the guy who wrote that PHP 5 article, great job! Very good read!

  5. #5
    SitePoint Zealot
    Join Date
    Aug 2002
    Posts
    178
    Thanks for that!!

    Something like:
    define('FILE_ROOT', '/users/nucleuz/files');
    store: '$fileName' in DB
    Then you retrieve it with: '$file = FILE_ROOT . '/' . $fileNameFromDB;'
    Now you can send that '$file' to the client. (Apply the appropriate headers on it)

  6. #6
    SitePoint Enthusiast
    Join Date
    Jun 2002
    Posts
    29
    Wow, as easy as that? Thought there was some special way to access crap beneath root, but I guess not. Thanks again, bro, I think I'll go with this method.

    Should save me plenty of headaches.

    So, I guess it would be something like:

    PHP Code:
    <?php
    header("Content-type: application/zip");
    header("Content-Disposition: attachment; filename=package.zip");
    readfile('/home/onelotus/whatever.zip');
    ?>

  7. #7
    SitePoint Zealot
    Join Date
    Aug 2002
    Posts
    178
    Something like that, yes
    Just make sure to tighten up that script!!

  8. #8
    SitePoint Enthusiast
    Join Date
    Jun 2002
    Posts
    29
    Naturally.

  9. #9
    SitePoint Member
    Join Date
    May 2004
    Location
    Romania
    Posts
    3
    Quote Originally Posted by nucleuz
    Stick the files in a directory outside the www root:
    /home/nucleuz/www/ <-- viewable from the web
    /home/nucleuz/files/ <-- NOT viewable from the web.
    So: with this you can make sure no one can access the 'files' directory from the net; the only way to get the file is to log in and get the file via a PHP script.
    Hello,

    I have a similar problem. I don't want to do authentication with .htaccess; I want to use a PHP login script instead. Your advice works well with downloadable files (using the headers).
    But what if I want to protect images from non-members? And for members I want to display some images with <img> tags, to put more images in a certain layout? How can I do this if I store images outside www? If it's not possible, how can I protect the images from non-logged-in members in another way?
    I hope it makes sense. I appreciate any help.

    Thanks.

  10. #10
    Non-Member
    Join Date
    Jan 2004
    Location
    Planet Earth
    Posts
    1,764
    I believe that you could display images above the document root with something like this ?

    Code:
    ...
    <img src="doViewImage.php?img=Sample.jpg" />
    ...
    Then, the PHP page would already have the directory pathname set above the document root ?

    Don't work too much myself with dynamic images though

  11. #11
    SitePoint Enthusiast
    Join Date
    Mar 2003
    Location
    spain
    Posts
    25
    Window Maker is right, you can do it like that.

    doViewImage.php
    PHP Code:
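    <?php
    // security_check() is a function you have to write (see the notes below)
    $img = security_check($_GET['img']);
    // Read the whole file in binary mode, then close the handle
    $fp = fopen(IMGPATH . $img, 'rb');
    $output = stream_get_contents($fp);
    fclose($fp);

    echo $output;
    ?>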
    or

    PHP Code:
    <?php
    $img = security_check($_GET['img']);
    readfile(IMGPATH . $img);
    ?>

    that's all!!!

    IMPORTANT!!:
    - security_check() is a function (you have to write it) to avoid malicious manipulation.
    - Nothing may be output before this script, not even session handling (cookies, etc.), because the first headers sent will be HTML ones, not image ones.
    - No "line break" before <?php (because HTML headers will be sent)

    BR
    BillyJoe
    Last edited by BillyJoe; May 23, 2004 at 16:21.
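
An added example, not part of any post in this thread: one way to write the `security_check()` that the post above leaves to the reader, combined with the files-outside-the-web-root layout from post #2. Unlike the snippets above it returns the full resolved path rather than the file name; the directory, the allowed extensions and the `username` session key are assumptions.

```php
<?php
// Added example. IMGPATH and security_check() are the names used in the post above;
// the directory, extension list and session key are assumptions.
const IMGPATH = '/home/nucleuz/files';
const ALLOWED_TYPES = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

// Returns the absolute path of $name inside $baseDir, or null to refuse the request.
function security_check($name, $baseDir = IMGPATH)
{
    // Refuse non-strings (?img[]=x), NUL bytes and anything that is not a bare file name.
    if (!is_string($name) || strpos($name, "\0") !== false
        || basename($name) !== $name || !preg_match('/^[A-Za-z0-9_.-]+$/', $name)) {
        return null;
    }
    // Resolve ".." and symlinks, then confirm the result is still under $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || !is_file($path)
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    // Only serve types we can label with a correct Content-Type (checked on the
    // resolved file, so a symlink cannot smuggle in another type).
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return null;
    }
    return $path;
}

session_start();
if (empty($_SESSION['username'])) {   // not logged in (session key is an assumption)
    http_response_code(403);
    exit;
}
$path = security_check($_GET['img'] ?? '');
if ($path === null) {
    http_response_code(404);
    exit;
}
$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
header('Content-Type: ' . ALLOWED_TYPES[$ext]);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

The closing `?>` is left out on purpose so that no trailing whitespace is appended to the image data.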

  12. #12
    SitePoint Member
    Join Date
    May 2004
    Location
    Romania
    Posts
    3
    Thanks, BillyJoe and Window Maker. Your idea works great. Thanks for the PHP code also, Window Maker, because I didn't know how to do it.
    Anyway, looking on the internet, I found an interesting article that gave me an idea of another way to protect images (or other files), in case of using a PHP & MySQL login.

    The article is http://www.webpronews.com/webdevelop...rswithPHP.html

    The idea is:

    .htaccess:
    AddHandler content .jpg
    Action content handle_it.php

    handle_it.php:
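    <?php
    session_start();
    // Path of the requested .jpg, as resolved by the web server
    $file = $_SERVER["PATH_TRANSLATED"];

    // Only the logged-in user 'softexp' gets the image
    if (isset($_SESSION['username']) && $_SESSION['username'] == 'softexp') {
        header('Content-Type: image/jpeg');
        readfile($file);
    } else {
        echo '';
    }

    ?>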

    So, the server executes the script when we ask it for a .jpg file. And, depending on whether the user is logged in or not, we show him the image.
    What do you think of this method?
    And thanks very much guys for your response. I love this community.

