I want to offer downloads to people and protect them


nikos101
01-24-2009, 09:47 PM
I want to offer downloads to people. Apart from putting index files in every folder, can you give someone a download without telling them the URL from where it is?

tomws
01-24-2009, 10:40 PM
One possibility: store the files in a database as a blob (http://en.wikipedia.org/wiki/Binary_large_object). Access each with a unique ID. Force downloaders to authenticate before receiving a file.

PappaJohn
01-24-2009, 10:53 PM
Another solution is to

1. store the files above the document root,
2. use the database to store the actual filename,
3. create a php (or other) file to retrieve the filename from the db based on submitted id, read the file, prepend the appropriate headers and deliver the file to the user.

tnowalk
01-24-2009, 10:55 PM
I did a quick search on Google and found this, hope it helps!

http://www.ardamis.com/2008/06/11/protecting-a-download-using-a-unique-url/

Best Regards,
Trevor

nikos101
01-25-2009, 06:25 PM
Sounds great, that way they don't ever see the file name.

demtron
01-28-2009, 03:15 AM
I have approached it this way on several sites:

1) assign a unique encrypted ID to each file or each instance of files assigned to a user account or whatever you want

2) Create a URL with that ID as part of the querystring and give this url to the intended party

3) In your code, when the person visits, read the ID and determine which file is associated - this might be in a database, xml file, or some other persistence medium

4) Modify the response header for the file type that you're wanting to send. For example, if the file is going to be a ZIP, send the content type as "application/octet-stream"

5) Open a file and read its contents as a stream to the HTTP response stream


This solution will:

1) protect the actual location of the file

2) allow you to even store the file on a resource that is not Internet accessible - on another drive or folder outside of the site root folder

3) make it next to impossible to reverse-engineer the URL if you use, say, base 64 encryption with a long encryption key

If you are doing this in ASP.Net, I can provide a code example. Let me know.
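The procedure PappaJohn and demtron both describe (files kept above the document root, a table that maps an opaque ID to the stored file, and a script that looks the ID up and sends the file with its own headers), written out as one PHP script. This is an added example, not code from either poster; STORAGE_ROOT, the SQLite DSN, the `downloads` table layout and the `download.php?id=` URL shape are assumptions. The token here is a random value from the CSPRNG, so the link is unguessable without the link itself revealing anything about the file.

```php
<?php
// Added example for this thread (not code from PappaJohn, demtron or any
// other poster). Assumed table, created once:
//   CREATE TABLE downloads (token TEXT PRIMARY KEY, stored_name TEXT,
//                           download_name TEXT, expires_at INTEGER);
declare(strict_types=1);

const STORAGE_ROOT = '/var/app/private_files';   // assumed: not under the web root

/**
 * Register a stored file for download and return the token to put in the URL.
 * 32 hex characters from random_bytes(): not derivable from the file name.
 */
function createDownloadToken(PDO $db, string $storedName, string $downloadName, ?int $expiresAt): string
{
    $token = bin2hex(random_bytes(16));
    $stmt = $db->prepare(
        'INSERT INTO downloads (token, stored_name, download_name, expires_at)
         VALUES (:token, :stored, :download, :expires)'
    );
    $stmt->execute([
        ':token' => $token, ':stored' => $storedName,
        ':download' => $downloadName, ':expires' => $expiresAt,
    ]);
    return $token;
}

/** Look up a token; null if it is unknown or has expired. */
function lookupDownload(PDO $db, string $token): ?array
{
    $stmt = $db->prepare(
        'SELECT stored_name, download_name FROM downloads
          WHERE token = :token AND (expires_at IS NULL OR expires_at > :now)'
    );
    $stmt->execute([':token' => $token, ':now' => time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * Resolve a stored name to an absolute path and confirm it is a regular file
 * inside $root, so a bad row cannot point the script outside the storage dir.
 */
function resolveStoredPath(string $root, string $storedName): ?string
{
    $rootReal  = realpath($root);
    $candidate = realpath($root . DIRECTORY_SEPARATOR . $storedName);
    if ($rootReal === false || $candidate === false || !is_file($candidate)) {
        return null;
    }
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    return strncmp($candidate, $prefix, strlen($prefix)) === 0 ? $candidate : null;
}

/** Send the download headers and stream the file (PappaJohn's step 3). */
function sendFile(string $path, string $downloadName): void
{
    // Keep the user-facing name from breaking the Content-Disposition header.
    $safeName = str_replace(['"', "\\", "\r", "\n"], '', basename($downloadName));
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    header('Content-Length: ' . filesize($path));
    header('Cache-Control: private, no-store');
    readfile($path);
}

// --- download.php?id=<token> ---
$token = $_GET['id'] ?? '';
if (!preg_match('/\A[0-9a-f]{32}\z/', $token)) {      // anything that is not a token shape
    http_response_code(404);
    exit('Not found');
}

$db   = new PDO('sqlite:/var/app/downloads.sqlite');  // assumed DSN; any PDO driver works
$row  = lookupDownload($db, $token);
$path = $row === null ? null : resolveStoredPath(STORAGE_ROOT, $row['stored_name']);
if ($path === null) {
    http_response_code(404);                           // same answer for unknown and expired tokens
    exit('Not found');
}
sendFile($path, $row['download_name']);
```

When access is granted (after a purchase, a login, or whatever the site decides), the application calls `createDownloadToken()` and hands the user `download.php?id=<token>`; the stored file name and its directory never appear in the URL, and expiring tokens give a way to revoke a link without moving the file.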

nikos101
10-07-2009, 09:42 PM
wow, thanks very much. What advantage does this give over storing the file above the web directory?

PS: sorry for the late reply

nikos101
10-07-2009, 09:44 PM
3) make it next to impossible to reverse-engineer the URL if you use, say, base 64 encryption with a long encryption key


this wouldn't be a problem if it was above root anyway?

mlseim
10-07-2009, 11:46 PM
I've seen a couple of variations ...

Method 1:

<?php
// Method 1: serve a file from the "files/" directory by name, refusing
// anything that tries to leave that directory or fetch .ht* control files.
if (isset($_GET['file']) && $_GET['file'] !== '') {
    $filename = $_GET['file'];
    $download_path = "files/";

    // Refuse path traversal ("..") and Apache control files (.htaccess, .htpasswd).
    // eregi() was removed in PHP 7; preg_match() with the /i flag replaces it.
    if (preg_match('/\.\./', $filename)) die("I'm sorry, you may not download that file.");
    if (preg_match('/\.ht.+/i', $filename)) die("I'm sorry, you may not download that file.");
    $file = str_replace("..", "", $filename);
    $file = "$download_path$file";
    if (!file_exists($file)) die("I'm sorry, the file doesn't seem to exist.");

    // filetype() only reports "file" or "dir"; the MIME type for the
    // Content-Type header comes from mime_content_type().
    $type = mime_content_type($file);

    header("Content-Type: $type");
    header("Content-Disposition: attachment; filename=\"$filename\"");
    header("Content-Transfer-Encoding: binary");
    header("Cache-Control: ");
    header("Pragma: ");
    set_time_limit(0);
    readfile($file);
}
?>



Method 2:

<?php
// Method 2: confine downloads to $basedir.
// Set this to the base of where files can be downloaded from.
$basedir = "D:/wwwroot/";

$requested = isset($_GET['file']) ? $_GET['file'] : '';
// realpath() resolves ".." and symlinks, so comparing its result against the
// resolved $basedir is what actually keeps the request inside the base
// directory; plain string concatenation would let "../" walk out of it.
$base = realpath($basedir);
$path = ($requested === '') ? false : realpath($basedir . $requested);

if ($requested === '' || $base === false || $path === false || !is_file($path)
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
    print "Sorry that file does not exist";
    exit;
}
else {
    // "octet/stream" is not a MIME type; the generic binary type is application/octet-stream.
    header("Content-Type: application/octet-stream");
    header("Content-Disposition: attachment; filename=\"" . basename($path) . "\"");
    // readfile() streams the file instead of loading all of it into memory with fread().
    readfile($path);
}
?>

MattF
10-08-2009, 02:19 AM
I want to offer downloads to people. Apart from putting index files in every folder, can you give someone a download without telling them the URL from where it is?

Run a Lighttpd server? :D

http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:ModSecDownload