What is wrong with this PHP?

14 replies to this topic

#1
sAuhsoj

    Learning Programmer

  • Members
  • 41 posts
I am totally new to PHP - I started yesterday. I want to make a script which will copy a file to a temporary file and start downloading so the download link cannot be shared. I was planning on making a timeout for this file of 5 minutes and then it would be deleted and a timeout message would be displayed. This is the code I wrote.
for ($x=1;$x<=20;$x++)
{
	if ($number)
		$number .= rand(0,9);
	else
		$number = rand(0,9);
}
$downloadlocation = "My_File" . $number . ".exe";
copy("My_File.exe", $downloadlocation);
echo
"<html>
<head>
<meta name=\"description\" content=\"Download File Full Activator\">
<meta name=\"keywords\" content=\"download, file, activator, activation\">
<title>Download the File Full Activator</title>
</head>
<body>
Your download should start automatically. The download will timeout in 5 minutes.
<script type=\"text/javascript\">window.location=\"" . $downloadlocation . "\";</script>
</body>
</html>";
sleep(300);
unlink($downloadlocation);
echo
"<script type=\"text/javascript\">window.location=\"http://bambi4.x10.mx/download.php?timeout=1\";</script>";
What is wrong with this?
Thanks in advance.

#2
Alexander

    It's Science!

  • Moderators
  • 4,124 posts
  • Location:Vancouver, Eh! Cleverness: 200
It would make more sense to give them a token, i.e. a random sha1 hash, and store this in the database along with the time it was created. If they view the address, and their token expires, it will not allow them to download the application.

The token could be stored in the address:
download.php?token=94a08da1fecbb6e8b

Or in the session (a little more creative)
Be sure to read the updated FAQ! || Health is achieved through the same 10,000 steps.
If a suggested code/method fails, informing us is less important than telling us why or what errors occurred.

#3
sAuhsoj

    Learning Programmer

  • Members
  • 41 posts
Hmm, I will certainly consider this. Thanks!
Just to help me improve my understanding of the language and work past the issue of sharing the link - is there any way to achieve what I had originally attempted to do? I'm sure there must be.
Currently I just generate a random pattern but a sha1 hash sounds better - I hadn't heard of this.

#4
sAuhsoj

    Learning Programmer

  • Members
  • 41 posts
They do actually currently get a token as well - but I do not want people to share the download link. Is there another way around this?

#5
Alexander

    It's Science!

  • Moderators
  • 4,124 posts
  • Location:Vancouver, Eh! Cleverness: 200

sAuhsoj said:

They do actually currently get a token as well - but I do not want people to share the download link. Is there another way around this?

The token would be one time use, you would delete (or mark invalid) in the database so it cannot be shared.

Your example, if it had worked, could be shared for five minutes; although not as useful, it is not a completely secure method, i.e. the user could rotate the link with a new one every five minutes.

Your example would not work, as the page must be processed before it is sent to the user. Therefore the file will sleep and then unlink before they get a chance to download it. You would have to send them a page without the unlink data, for example a link to the script to download it, and that script will delete it after a certain period (however slightly less secure).

#6
sAuhsoj

    Learning Programmer

  • Members
  • 41 posts

Alexander said:

The token would be one time use, you would delete (or mark invalid) in the database so it cannot be shared.

Maybe I am not fully understanding - if the file is downloaded using the token, then the person who held the token previously would then know the download URL - can they not share that and bypass the page which asks for a token?

#7
sAuhsoj

    Learning Programmer

  • Members
  • 41 posts
Would you not then need an expiring token and an expiring download link?

#8
Alexander

    It's Science!

  • Moderators
  • 4,124 posts
  • Location:Vancouver, Eh! Cleverness: 200

sAuhsoj said:

Would you not then need an expiring token and an expiring download link?

The download link would be generated each time, along with the database entry holding the token as well.

Once that link is clicked and the page is read, the token will expire (as you will remove it from the database on that page) and cannot be shared. You would check if the token is valid first, and if it isn't (the second viewer of the URL, for example), you would display that it is invalid and not give them the file.

#9
sAuhsoj

    Learning Programmer

  • Members
  • 41 posts
I'm sorry, my knowledge of this is rather limited.
How would the download link be generated each time? Would that link not need to be removed after?
If the link is example.com/my_file.exe, when the person has entered in their token they will see that is the download link. If they share that link and someone else goes to example.com/my_file.exe, without going to the php page requesting the token, will the download not start regardless?

#10
Revolt

    Programmer

  • Members
  • 99 posts
Thing is, you never expose the true location of the file. You can use something like the following code to send the file dynamically from a download.php page, for example.

if (file_exists($path)) {
    //Define file properties
    header("HTTP/1.1 200 OK");
    header("Content-Type: " . $extensionInfo['Mimetype'] );
    header("Content-Disposition: attachment; filename=\"" . $file['Name'] . "\"");
    header("Content-Transfer-Encoding: binary");
    header("Expires: 0");
    header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
    header("Pragma: public");
    header("Content-Length: " . filesize($path));
    readfile_chunked($path); //Send file contents
    exit;
} else {
    return "File not found";
}


#11
sAuhsoj

    Learning Programmer

  • Members
  • 41 posts

Revolt said:

Thing is, you never expose the true location of the file. You can use something like the following code to send the file dynamically from a download.php page, for example.

if (file_exists($path)) {
    //Define file properties
    header("HTTP/1.1 200 OK");
    header("Content-Type: " . $extensionInfo['Mimetype'] );
    header("Content-Disposition: attachment; filename=\"" . $file['Name'] . "\"");
    header("Content-Transfer-Encoding: binary");
    header("Expires: 0");
    header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
    header("Pragma: public");
    header("Content-Length: " . filesize($path));
    readfile_chunked($path); //Send file contents
    exit;
} else {
    return "File not found";
}

Thanks; what are $extensionInfo['Mimetype'] and readfile_chunked() ?

#12
bbqroast

    Codecall Addict

  • Members
  • 554 posts
  • Location:/etc/passwd
Do what Revolt suggested and put the file out of the htdocs dir, done.
Please, write clearly with proper structure. Double spacing makes the text feel un-jointed, Capitalizing Every Word Means People Stop Before Every Word Sub-Consciously Which Is A Pain In The Backside, and use code tags! (The right most styling box).
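
Added example (not code from any poster in this thread): a download.php that combines the one-time, expiring token stored in a database with streaming the file from a location outside htdocs, as suggested above. The SQLite table, the /srv/private paths, the 5-minute lifetime and the function names are assumptions; it uses random_bytes() for the token and stores only a SHA-256 of it, which is a choice made here rather than something the thread specifies.

```php
<?php
// Added example: table name, paths, TTL and function names are assumptions.
const TOKEN_TTL = 300;                         // seconds a token stays valid
const FILE_PATH = '/srv/private/My_File.exe';  // assumed location outside htdocs

function db(): PDO {
    $pdo = new PDO('sqlite:/srv/private/tokens.sqlite');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE IF NOT EXISTS tokens
                (hash TEXT PRIMARY KEY, created INTEGER NOT NULL)');
    return $pdo;
}

// Call this once the visitor has passed whatever check entitles them to the file.
function issueToken(PDO $pdo): string {
    // Purge tokens that expired without ever being used.
    $pdo->prepare('DELETE FROM tokens WHERE created < ?')
        ->execute([time() - TOKEN_TTL]);
    $token = bin2hex(random_bytes(20));        // CSPRNG output, not rand()
    $pdo->prepare('INSERT INTO tokens (hash, created) VALUES (?, ?)')
        ->execute([hash('sha256', $token), time()]);  // store only a hash
    return $token;                             // link: download.php?token=<value>
}

// One DELETE both checks and invalidates the token, so two simultaneous
// requests carrying the same token cannot both succeed.
function redeemToken(PDO $pdo, string $token): bool {
    $stmt = $pdo->prepare('DELETE FROM tokens WHERE hash = ? AND created >= ?');
    $stmt->execute([hash('sha256', $token), time() - TOKEN_TTL]);
    return $stmt->rowCount() === 1;
}

// download.php entry point (skipped when the file is included from the CLI).
if (PHP_SAPI !== 'cli') {
    $token = $_GET['token'] ?? '';
    if (!is_string($token) || !redeemToken(db(), $token) || !is_file(FILE_PATH)) {
        http_response_code(403);
        exit('This download link is invalid or has expired.');
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="My_File.exe"');
    header('Content-Length: ' . filesize(FILE_PATH));
    header('Cache-Control: no-store');
    // The path is a server-side constant; nothing from the request reaches the filesystem.
    readfile(FILE_PATH);
    exit;
}
```

Because the file never has a public URL, a shared link only ever carries a token that is already spent or will expire.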



