[PHP] Downloading files once

Hi

I'm trying to allow users to download files from my servers. Files can be hundreds of MB in size and sometimes even a few GB. This is a closed section of the site and I would like to allow only members to be able to DL the files.

I thought of using a download function that uses headers and readfile() or fread(). This way I can check who is the user and send / not send the file. However, this does not seem to work with such big files.

Another idea is to use Apache Mod Rewrite and check that the user has the referrer of the download server. I'm assuming that he will only have this if he had access to a link to the file from the server itself and such a link will only be provided to members. As far as I can think, you can only fake a referrer by writing your own client.

If anyone has any ideas or comments I'll be very happy to get them.

Sincerely
berber

Visit http://www.weberdev.com/ Today!!!
To see where PHP might take you tomorrow.
Share your code : http://addexample.weberdev.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Downloading files once

[snip]
I'm trying to allow users to download files from my servers. Files can be hundreds of MB in size and sometimes even a few GB. This is a closed section of the site and I would like to allow only members to be able to DL the files.
[/snip]

Since it is open to members only, couldn't you require a login and keep a list of files they have downloaded in a database? Seems to me that would be reasonably quick and easy to do.

HTH!
Re: [PHP] Downloading files once

* Thus wrote Boaz Yahav ([EMAIL PROTECTED]):
> Can you fake a referrer by say, using fsockopen() and sending your
> own headers?

Yes, and in fact there are programs designed to work around this exact (so called) security check.

I've seen hosting services use this method of protecting their files and usually what happens is the users get programs that make downloading the files easier than downloading files through a web browser, thus defeating the whole purpose of the referer checking.

Curt
--
"I used to think I was indecisive, but now I'm not so sure."
RE: [PHP] Downloading files once

Can you fake a referrer by say, using fsockopen() and sending your own headers?

-----Original Message-----
From: Curt Zirzow [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 06, 2003 4:57 PM
To: [EMAIL PROTECTED]
Subject: Re: [PHP] Downloading files once

* Thus wrote Boaz Yahav ([EMAIL PROTECTED]):
>
> I thought of using a download function that uses headers and
> readfile() or fread(). This way I can check who is the user and send /
> not send the file. However, this does not seem to work with
> such big files.

You most likely are running into the script timeout when people are downloading the file. I would in this case use fread so you can do some checking in between sends, and if bandwidth becomes a problem you can do some bandwidth throttling:

    set_time_limit(0);
    $fp = fopen($file, 'rb'); // $file: path of the file being sent
    while (!feof($fp)) {
        if (connection_aborted()) {
            break; // no need to send the data now.
        }
        $data = fread($fp, 8192); // read one chunk at a time
        print $data;
    }
    fclose($fp);

>
> Another idea is to use Apache Mod Rewrite and check that the user has
> the referrer of the download server. I'm assuming that he will only
> have this if he had access to a link to the
> file from the server itself and such a link will only be provided to
> members. As far as I can
> think, you can only fake a referrer by writing your own client.

I would discourage this for the fact that the referer can easily be faked. If your downloads are important to the general public and word gets out that the referer is your security.. say good bye to your bandwidth :)

>
> If anyone has any ideas or comments I'll be very happy to get them.

HTH,

Curt
--
"I used to think I was indecisive, but now I'm not so sure."
Re: [PHP] Downloading files once

From: "Boaz Yahav" <[EMAIL PROTECTED]>
>
> Can you fake a referrer by say, using fsockopen() and sending your
> own headers?

Yep.

---John Holmes...
Re: [PHP] Downloading files once

* Thus wrote Boaz Yahav ([EMAIL PROTECTED]):
>
> I thought of using a download function that uses headers and readfile()
> or fread(). This way I can
> check who is the user and send / not send the file. However, this does
> not seem to work with
> such big files.

You most likely are running into the script timeout when people are downloading the file. I would in this case use fread so you can do some checking in between sends, and if bandwidth becomes a problem you can do some bandwidth throttling:

    set_time_limit(0);
    $fp = fopen($file, 'rb'); // $file: path of the file being sent
    while (!feof($fp)) {
        if (connection_aborted()) {
            break; // no need to send the data now.
        }
        $data = fread($fp, 8192); // read one chunk at a time
        print $data;
    }
    fclose($fp);

>
> Another idea is to use Apache Mod Rewrite and check that the user has
> the referrer of the
> download server. I'm assuming that he will only have this if he had
> access to a link to the
> file from the server itself and such a link will only be provided to
> members. As far as I can
> think, you can only fake a referrer by writing your own client.

I would discourage this for the fact that the referer can easily be faked. If your downloads are important to the general public and word gets out that the referer is your security.. say good bye to your bandwidth :)

>
> If anyone has any ideas or comments I'll be very happy to get them.

HTH,

Curt
--
"I used to think I was indecisive, but now I'm not so sure."
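
Added example, not code from any poster in this thread: a member-only download script that combines the suggestions above (login check, a database record of each download, chunked fread()) and never consults the Referer header. The directory, the SQLite DSN, the session key user_id and the downloads table are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example. DOWNLOAD_DIR, DB_DSN, $_SESSION['user_id'] and the downloads table are assumptions.
const DOWNLOAD_DIR = '/srv/private-downloads';        // kept outside the web root
const DB_DSN       = 'sqlite:/srv/private/members.db';

// Map a requested name to a real file inside $baseDir, or null.
function resolve_download(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . basename($name)); // basename() drops directory parts
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // A symlink could still point elsewhere, so check containment as well.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

session_start();
$userId = $_SESSION['user_id'] ?? null;   // set by the site's login code
if ($userId === null) {                   // identity comes from the session, not from Referer
    http_response_code(403);
    exit('Members only');
}
$path = resolve_download(DOWNLOAD_DIR, (string) ($_GET['file'] ?? ''));
if ($path === null) {
    http_response_code(404);
    exit('No such file');
}
// downloads(user_id, file) has a UNIQUE key, so a repeat request inserts nothing.
$db = new PDO(DB_DSN, null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$stmt = $db->prepare('INSERT OR IGNORE INTO downloads (user_id, file) VALUES (?, ?)');
$stmt->execute([$userId, basename($path)]);
if ($stmt->rowCount() === 0) {
    http_response_code(403);
    exit('Already downloaded');
}
session_write_close();                    // free the session lock for the long transfer
set_time_limit(0);
while (ob_get_level() > 0) { ob_end_clean(); }  // never buffer gigabytes in memory
header('Content-Type: application/octet-stream');
header('Content-Length: ' . filesize($path));   // 64-bit PHP assumed for files over 2 GB
header('Content-Disposition: attachment; filename="' . str_replace('"', '', basename($path)) . '"');
$fp = fopen($path, 'rb');
while (!feof($fp) && !connection_aborted()) {
    echo fread($fp, 65536);
    flush();
}
fclose($fp);
```

Because the row is written before the transfer starts, an interrupted download still counts as used; delete the row when connection_aborted() is true if retries should be allowed.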