On Thu, Jul 5, 2012 at 10:17 AM, Gibbs <li...@danielgibbs.net> wrote:
> On 05/07/12 14:32, donkfat...@donkfather.eu wrote:
>> Hi,
>> I am trying to put a file to download. I want it secure so only the people
>> having the password can access it.
>> I made a page that requires a password.. if the password is correct it
>> changes the password send it on my mail and redirects
>> the user to another script. This script searches in the database for the
>> id given with GET and finds the name of the file
>> which is md5(something). it changes the name of the file in md5(smth
>> else). After that it searches in the download folder
>>  for a file named md5(smth else). if it finds the file it gives you the
>> link to the file.
>> So i need to find a way to change the filename after the user downloads
>> the file. to keep it secure so the user
>> wont be able to share the link to oters.
>> if you need more info ask :D
>> thanks
>> and sorry for my bad english .
> Sounds like you are overcomplicating it. Following what you've already done
> though...
> Have the original files stored somewhere outside of the web root. That way
> they aren't accessible whatsoever + you shouldn't have to change any of the
> files at any stage.
> Then you can simply update/change the ID that associates with it in your
> database when that URL is hit...
> Gibbs

It does sound a bit complicated. If I surmise correctly, what you are
attempting to do is give an authorized person the ability download a
file from your server by sending them a link to it in an email. Right
so far?

If so, here's what I suggest doing:

1) Store your downloadable content in a directory *outside of the web
server file space* (as Daniel mentioned above).

2) Keep a table of authorized people -> file download tokens, and file
download tokens -> download file spec. (You might want to also include
a back-reference for the latter so you can keep stats on files

3) Write a special script that only handles downloads, not part of
your regular application.

4) When the authorized person requests the download, create a token
and store it in the data base, linking it to the person's info and the
download file spec, and send the person an email with a link to the
URL invoking the special script with token.

5) When the person clicks the link, have your script mark the token as
"used" (so it can't be used again -- or optionally keep it around and
possibly do something like record the number of downloads, ip
addresses, date/time, and so on -- can be useful also for given
someone, say, 5 legal downloads and then shutting it off).

6) Then matching the token to the file spec, deliver the contents,
appropriately setting headers as per the file contents.

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to