  1. #1
    SitePoint Guru
    Join Date
    Aug 2004
    Location
    Port Sunlight
    Posts
    815
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Password Protected Download

    Hi,

    I have a page that has an input box on it for a password. When you press submit, I want this to download a file, but only if it is a correct password.

    Here is my download code:

    Code:
     <?php
     // format http://www.yoursite.com/download.php?file=filepath or relative path
     // NOTE: the path is taken straight from the query string and is not
     // restricted to a download directory
     $filename = (isset($_GET['file']) && is_string($_GET['file'])) ? $_GET['file'] : "";
     // get the file extension
     $file_extension = strtolower(substr(strrchr($filename, "."), 1));
     // if no filename given ie: someone accessing the page directly
     if ( $filename == "" )
     {
       echo "File not given";
       exit;
     } elseif ( ! file_exists( $filename ) )
     {
       echo "File does not exist";
       exit;
     }
     // switch the file extension to get the right type
     switch( $file_extension )
     {
       case "pdf": $ctype="application/pdf"; break;
       case "exe": $ctype="application/octet-stream"; break;
       case "zip": $ctype="application/zip"; break;
       case "doc": $ctype="application/msword"; break;
       case "xls": $ctype="application/vnd.ms-excel"; break;
       case "ppt": $ctype="application/vnd.ms-powerpoint"; break;
       case "gif": $ctype="image/gif"; break;
       case "png": $ctype="image/png"; break;
       case "jpeg":
       case "jpg": $ctype="image/jpeg"; break;
       default: $ctype="application/force-download";
     }
     // send the headers to the browser
     header("Pragma: public"); // required
     header("Expires: 0");
     // don't cache
     header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
     // same as above
     header("Cache-Control: private", false); // required for certain browsers
     // get content type
     header("Content-Type: $ctype");
     // set as attachment and name the filename
     // basename takes just the filename without any slashes etc
     header("Content-Disposition: attachment; filename=\"" . basename($filename) . "\"");
     // set the enc type
     header("Content-Transfer-Encoding: binary");
     // tell the browser how big the file is
     header("Content-Length: " . filesize($filename));
     // readfile erm, reads the file!
     readfile($filename);
     // end script
     exit();

     ?>
    How would I adapt this to check if a correct password was entered, and if not how would I redirect them to a failed page?

    Cheers

  2. #2
    SitePoint Wizard chris_fuel's Avatar
    Join Date
    May 2006
    Location
    Ventura, CA
    Posts
    2,750
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Hi,

    To properly answer this, when a user is authorized are they able to access ALL downloads, or is it more specific than that?

  3. #3
    SitePoint Guru
    It's ok, I think I may have it now.

    I was hoping to convert it into an Ajax type system, where on the page where the form is, it checks if the password is correct; if it is, then it runs this script, and if it isn't then it says password incorrect.

    Ajax may be overshooting the mark, but I plod on.

    Oh and to answer your question, there is one download, and one password.

  4. #4
    SitePoint Wizard chris_fuel's Avatar
    I was hoping to convert it into an Ajax type system, where on the page where the form is, it checks if the password is correct; if it is, then it runs this script, and if it isn't then it says password incorrect.
    I'd step away from using JavaScript to handle authentication routines. Someone can easily turn it off and possibly override it. What you could do is have a database, say:

    id | password | filename | directory

    The code will do an SQL query on the password and the filename (probably would be a good idea to present a form on the same page as the download link) as a search, and select the filename and the directory. Then have it stream out the file contents to the user.

  5. #5
    SitePoint Guru
    Well unfortunately there is no database, but there is also only one password.

  6. #6
    SitePoint Wizard chris_fuel's Avatar
    Oh, then you could skip the whole deal and just .htaccess protect the downloads directory.

  7. #7
    SitePoint Guru
    So it can be done with Ajax then?

  8. #8
    SitePoint Wizard chris_fuel's Avatar
    If you use .htaccess you wouldn't need to deal with AJAX at all. As I said earlier, javascript for authentication is a bad idea, as people can read the code and know how it authenticates, and the question of "What happens if someone turns javascript off" comes to mind.

  9. #9
    SitePoint Guru
    So is there no way that I can take this page:

    http://www.nicktoye.co.uk/test_suite...aceholder.html

    And create code that will flag a password incorrect message above the password input box?

  10. #10
    SitePoint Enthusiast
    Join Date
    Oct 2005
    Location
    ATLANTA GA
    Posts
    68
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by NickToye
    So is there no way that I can take this page:

    http://www.nicktoye.co.uk/test_suite...aceholder.html

    And create code that will flag a password incorrect message above the password input box?
    This is too simple...
    Just generate the page with a PHP script. When the page is called with no args (POST or GET) the page you see now is shown.
    Code:
        if (!isset($_POST['pw'])) {
            // first visit: nothing submitted yet, so there is no error to show
            $err = '';
            showpage();
        }
    Once a password is entered and the page submitted to the "same" script, check to see if the password is correct...

    Code:
        // password submitted: compare it with the expected value
        if ($_POST['pw'] === 'mysecretword') {
            download_file();
        }
    If it is, then direct them to the file to download. If not, set the error message and redraw the page again, this time inserting $err, (set to "Password Incorrect") on the screen.

    Note: All code examples are oversimplified and incomplete...

    -Milt
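
The flow described in this post (one script that shows the form, checks the password on the server, then either streams the file or redraws the form with an error), written out as an added example that is not code from the thread. The file path and the stored hash are placeholders assumed for illustration; the path is fixed in the script rather than read from `$_GET['file']`, so the request cannot choose which file is served.

```php
<?php
// Added example (not from the thread): one password, one fixed download.
declare(strict_types=1);

// Assumed path, outside the web root; never taken from the request.
const DOWNLOAD_FILE = '/var/private/downloads/example.zip';
// Placeholder: store the output of password_hash('...', PASSWORD_DEFAULT) here.
const PASSWORD_HASH = 'REPLACE_WITH_PASSWORD_HASH_OUTPUT';

function password_ok($supplied): bool
{
    // password_verify() compares in constant time; non-strings are rejected.
    return is_string($supplied) && password_verify($supplied, PASSWORD_HASH);
}

function send_download(string $path): void
{
    if (!is_file($path) || !is_readable($path)) {
        http_response_code(404);
        exit('File not available');
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . filesize($path));
    header('Cache-Control: private, no-store');
    header('X-Content-Type-Options: nosniff');
    readfile($path);
    exit;
}

$err = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (password_ok($_POST['pw'] ?? null)) {
        send_download(DOWNLOAD_FILE); // does not return
    }
    $err = 'Password incorrect';
}
?>
<!DOCTYPE html>
<html><body>
<?php if ($err !== ''): ?>
  <p class="error"><?= htmlspecialchars($err, ENT_QUOTES, 'UTF-8') ?></p>
<?php endif; ?>
<form method="post">
  <label>Password <input type="password" name="pw"></label>
  <button type="submit">Download</button>
</form>
</body></html>
```

Because the check runs entirely on the server, it behaves the same with JavaScript disabled, which is the concern raised earlier in the thread.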

  11. #11
    Keep it simple, stupid! bokehman's Avatar
    Join Date
    Jul 2005
    Posts
    1,935
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by NickToye
    So it can be done with Ajax then?
    What is this obsession with AJAX? There are very (very, very) few things AJAX is practical for and login systems are not one of them.

  12. #12
    SitePoint Guru
    What a load of crap!

    I suppose the guys at Adaptive Path may differ with your claim.

  13. #13
    Keep it simple, stupid! bokehman's Avatar
    Quote Originally Posted by NickToye
    What a load of crap!

    I suppose the guys at Adaptive Path may differ with your claim.
    Well personally I am pretty hot with ajax applications so I am not against using it but 90% of ajax apps are completely out of context and in my opinion this use certainly is.

    Also there are correct steps in making an ajax app. The first is to start by making an app that is fully functional with javascript switched off. Ajax should only be added as an addition to a site that works properly without it. Anything else is either lazy or cowboy coding.

  14. #14
    SitePoint Guru
    I totally agree with unobtrusive javascript, and javascript that degrades gracefully.

    But to say that most Ajax applications are out of context, do you mean that it is not needed and the same can be achieved by using the old school way?

    By that rationale, we can say that any styling that we apply to websites, every image that is added to make a site look attractive to the eye is out of context, and not entirely needed.

    I think if an Ajax application can detect if your password is correct or not on the fly, then it can't be detrimental, and can only improve the users experience.

    I have seen your site, and I know that you don't believe in styling, that's your choice, and I respect that. But functional websites are only half the ingredients to a successful application, the other half is the experience.

  15. #15
    Keep it simple, stupid! bokehman's Avatar
    Quote Originally Posted by NickToye
    I have seen your site, and I know that you don't believe in styling, that's your choice, and I respect that. But functional websites are only half the ingredients to a successful application, the other half is the experience.
    I have many websites and that is the only one that is without a design. Every website has a purpose and the purpose of that site is purely to test PHP scripts and show them to friends. Nevertheless the site is hugely popular and is ranked number one at Google for over one hundred terms and in the top ten for over six hundred since the beginning of May, (not bad for a test bed site).

    To me it seems as if you are saying the icing on the cake is really important even if the cake is not fit for human consumption.

    For me AJAX is for doing things in the background. Checking a password availability is ok but changing large portions of page content is not. Every page that does not have an idempotent effect should be accessible from a URL but with most AJAX applications this is just not the case.

  16. #16
    SitePoint Wizard siteguru's Avatar
    Join Date
    Oct 2002
    Location
    Scotland
    Posts
    3,629
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by bokehman
    For me AJAX is for doing things in the background.
    I agree.

    To me AJAX is a cleaning fluid and this also provides a good analogy. Everyone prefers to wash in a sink that has been cleaned (e.g. with Ajax), but if it hasn't been cleaned you can still wash - AJAX just makes it a nicer experience. The same applies to websites - they can be perfectly acceptable and usable without AJAX, but AJAX can make the user-experience nicer (cleaner).
    Ian Anderson
    www.siteguru.co.uk

