I thought we answered this question already!

It's simple. On your login page or whatever, you start a session and set a
variable saying that the user is logged in.

//check username and password
//if good...
$_SESSION['logged_in'] = 1;

Now, the most secure way to protect your files is to place them above your
web root. Then no one can ever get to them through a browser (directly to
the file). If you can't do that, then place them in a folder with a long
name that's going to be hard to guess.

Then, you have a download.php file that you direct all requests for
downloads to. You'll also have to pass it a code to identify which file the
user means to download. This can be an ID from a database, or an actual


In download.php you check for an active session. If it's good, then you send
the appropriate header() for the file the user wants to download and then
use passthru() to send them the file. Make sure you are only sending them a
file from your download directory, wherever that is. Make sure they don't
pass you a path to a file they shouldn't be looking at.

  //session is good
  //retrieve name of file (whether in URL or Database
  $file = $_GET['Filename'] . ".mp3"
  $download_dir = "/home/user/me/downloads/music/
  $download_file = $download_dir . $file
  header("content-type: application-whatever-mp3-x");
  header("content-disposition: attachement filename='$file'");
  echo "<html><body>Please log in</body></html>";

I don't remember the exact header() format, and it's dependent on the types
of files your offering, but you should get the idea.

Adapt to your needs, but this is the basics of it. Check for a valid
session, if it exists, send appropriate headers and use passthru() to send
the file. (you can use file(), fopen(), whatever, as long as you send the
content of the file after the headers...). If session doesn't match up, send
an HTML page.

Hopefully this thread will die now...

---John Holmes...

----- Original Message -----
From: "Nathan Taylor" <[EMAIL PROTECTED]>
To: "Fargo Lee" <[EMAIL PROTECTED]>
Sent: Tuesday, June 18, 2002 5:42 AM
Subject: Re: [PHP] How do I hide download link ...

> ----- Original Message -----
> From: "Fargo Lee" <[EMAIL PROTECTED]>
> Sent: Wednesday, June 12, 2002 4:14 PM
> Subject: [PHP] How do I hide download link ...
> > Hi, my customers go through a password authentication to access a link
> my
> > site to download a file. I want to prevent the distribution of the
> location
> > of this file on my server by making it hidden. Is there any php
> function(s)
> > that could assist in doing this?
> >
> > All I can think of so far is storing the original file in a hard to
> > directory, when a authenticated customer goes to download it, send them
> a
> > script that copys the original file to a temp directory, they download
> > file in the temp directory and then run a cron every so many minutes to
> > clear out the files in the temp directory.
> >
> > If anyone has any ideas, examples or a way to improve on what I came up
> with
> > please respond. Thanks!
> >
> >
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> >
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to