
View Full Version : Help Protecting Media Files Without Denying Access Completely



dharvell
04-29-2009, 12:44 AM
I have a situation where I have a ZIP file on my server. This ZIP file should be accessible via a link:


<a href="http://www.mydomain.com/path/to/file.zip">link</a>

...but not directly, via typing the location in the browser's address bar.

1. Is this possible?

2. If so, can somebody point me to where I might find information on how to do such a thing?

Any help would be very much appreciated!

+dharvell

_Aerospace_Eng_
04-29-2009, 01:19 AM
Sounds like you want to prevent hotlinking.

http://www.lancelhoff.com/how-to-prevent-hotlink-bandwidth-theft/

dharvell
04-29-2009, 01:45 AM
This looks like the EXACT thing I need. Thanks for the speedy reply!

EDIT:
I did as the directions prompted, but that didn't do quite what I wanted it to. I can still type the location of the file in the address bar and start the download. I want to prevent that. I want the file to download ONLY if the link on my page was clicked. Any updates as to how to accomplish this? Thanks, again.

+dharvell

_Aerospace_Eng_
04-29-2009, 06:43 AM
Change this line

RewriteRule \.(jpg|jpeg|png|gif|zip|rar)$ /nolink.png [R,L]
to this

RewriteRule \.(jpg|jpeg|png|gif|zip|rar)$ - [F,NC]

dharvell
04-29-2009, 02:05 PM
Change this line

RewriteRule \.(jpg|jpeg|png|gif|zip|rar)$ /nolink.png [R,L]
to this

RewriteRule \.(jpg|jpeg|png|gif|zip|rar)$ - [F,NC]

Thank you for the continued effort. Sadly, this didn't work, either. I am still able to directly reach the file by typing it in the address bar. If you have any additional ideas on this, I would love to try them (as I know roughly squat about .htaccess files)!

Thanks, again!

+dharvell

CFMaBiSmAd
04-29-2009, 02:17 PM
As long as the URL of the file will cause that file to be served by the server, it does not matter how that http request is produced (link on a page, browser address bar, bot script, request relayed through a web proxy server...). A http request is a http request. HTTP_REFERER can also be set to anything at any time, so bot scripts and web proxy scripts can set it to your domain so that any request for a URL can look like it came from someone already viewing pages on your site.

What exactly are you trying to accomplish? Does someone need to fill out a form or be a logged in member on your site before the file should be served by the web server? Edit: Stop hot linking by other sites putting a URL to your file on their pages?

dharvell
04-29-2009, 02:41 PM
As long as the URL of the file will cause that file to be served by the server, it does not matter how that http request is produced (link on a page, browser address bar, bot script, request relayed through a web proxy server...). A http request is a http request. HTTP_REFERER can also be set to anything at any time, so bot scripts and web proxy scripts can set it to your domain so that any request for a URL can look like it came from someone already viewing pages on your site.

What exactly are you trying to accomplish? Does someone need to fill out a form or be a logged in member on your site before the file should be served by the web server? Edit: Stop hot linking by other sites putting a URL to your file on their pages?

What I am trying to accomplish is mentioned in the original post, but in case I didn't describe it that well, I'll try to describe it another way.

I have a ZIP file. We'll call it coolFile.zip. I do NOT want people accessing coolFile.zip by entering the path in the address bar:

http://www.mydomain.com/path/to/coolFile.zip

The one and only way I DO want the file accessed is through a payment process. When payment is completed, a page displays a link:


<a href="http://www.mydomain.com/path/to/coolFile.zip">here is your file</a>

I'm sure this is possible, as you run into a similar situation all the time. I just don't have the know-how to do this without a little guidance... or a lot of guidance, as it may be... heh heh heh

If you need more info, let me know and I'll do my best to get you what you need!

+dharvell

CFMaBiSmAd
04-29-2009, 03:39 PM
You need to dynamically output the file using a server side script (PHP for example) that only outputs the file when the conditions that you require have been met. The actual folder where the .zip files are kept is either outside of your document root folder or it contains a .htaccess file that prevents all http access to the files. Only the server side script has access to read the .zip files.

The URL (link or otherwise) would look like -

http://yourdomain.com/download.php?coolFile.zip

Edit: The above URL is not correct (unless you were doing some URL manipulation). The actual URL would be something like http://yourdomain.com/download.php?file=coolFile.zip


The php code in download.php (or whatever name or server-side script you end up using) would check that the payment process for the current visitor/member has been completed. If it has been completed, the actual .zip file is output along with the necessary content type headers. If the payment process has not been completed, an appropriate message is output instead.

dharvell
04-29-2009, 03:55 PM
You need to dynamically output the file using a server side script (PHP for example) that only outputs the file when the conditions that you require have been met. The actual folder where the .zip files are kept is either outside of your document root folder or it contains a .htaccess file that prevents all http access to the files. Only the server side script has access to read the .zip files.

The URL (link or otherwise) would look like -

http://yourdomain.com/download.php?coolFile.zip

The php code in download.php (or whatever name or server-side script you end up using) would check that the payment process for the current visitor/member has been completed. If it has been completed, the actual .zip file is output along with the necessary content type headers. If the payment process has not been completed, an appropriate message is output instead.

I'm sure your answer is the key to what I need. I just wish I understood 95% of what you just said! :eek:

I am moderately experienced in PHP, so coming up with a script should not be too hard. But as for .htaccess files and sending "necessary headers", I am completely lost at this point...

CFMaBiSmAd
04-29-2009, 04:10 PM
To prevent all http requests to files in a folder, put a .htaccess file in that folder with the following line in it (assumes Apache web server) -


deny from all

Content headers and force download (download dialog box) - http://apptools.com/phptools/force-download.php
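
A sketch of the download.php gatekeeper described in the posts above, added here as an example and not code posted by anyone in the thread. The storage path and the `paid_files` session key are assumptions; the payment handler is assumed to set that key only after it has verified the payment server-side.

```php
<?php
declare(strict_types=1);
// download.php?file=coolFile.zip (added example; names are hypothetical)
session_start();

// Assumption: the files live outside the document root, so no URL maps to them.
// If they must stay under the document root, protect the folder with the
// "deny from all" .htaccess shown above instead.
const STORAGE_DIR = '/var/www/private_downloads';

// Assumption: set by the payment handler, e.g. ['coolFile.zip'].
$paidFiles = $_SESSION['paid_files'] ?? [];
session_write_close(); // release the session lock before a long transfer

// Keep only the last path component so "../" cannot climb out of STORAGE_DIR.
$requested = basename((string) ($_GET['file'] ?? ''));

// The authorization decision: the visitor must have paid for this exact file.
if ($requested === '' || !in_array($requested, $paidFiles, true)) {
    http_response_code(403);
    exit('Payment for this file has not been completed.');
}

// Resolve symlinks and confirm the result is still inside the storage folder.
$base = realpath(STORAGE_DIR);
$path = realpath(STORAGE_DIR . '/' . $requested);
if ($base === false || $path === false || !is_file($path)
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(404);
    exit('File not found.');
}

// Content headers that make the browser show a download dialog.
header('Content-Type: application/zip');
header('Content-Disposition: attachment; filename="' . $requested . '"');
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');

// Drop output buffers so the file is streamed rather than held in memory.
while (ob_get_level() > 0) {
    ob_end_clean();
}
readfile($path);
exit;
```

The check is made against server-side session state rather than HTTP_REFERER, so typing the URL into the address bar without a completed payment returns 403.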

dharvell
04-29-2009, 04:16 PM
To prevent all http requests to files in a folder, put a .htaccess file in that folder with the following line in it (assumes Apache web server) -


deny from all

Content headers and force download (download dialog box) - http://apptools.com/phptools/force-download.php

Cool! Thanks for the pointers!

+dharvell

ajhauser
05-01-2009, 05:21 AM
To add to this question: if you used "deny from all" in several .htaccess files, with one in every folder of your site - would it prevent the site from loading altogether?

If there is a .html (or other extension) page in a folder with "deny from all" in an .htaccess file, and a link points to it, will it tell the browser that the file cannot be found?

I think that is the point here, I just wanted to clarify myself.
Thanks, and very useful post!

EvilPHP
06-03-2009, 05:59 PM
To add to this question: if you used "deny from all" in several .htaccess files, with one in every folder of your site - would it prevent the site from loading altogether?

If there is a .html (or other extension) page in a folder with "deny from all" in an .htaccess file, and a link points to it, will it tell the browser that the file cannot be found?

If you put one in every folder it would prevent the site from loading. Or if this was your intention, you could put the file in the root folder, and all below it would take on the characteristics of that .htaccess file.

If you access a file in a directory that has deny from all you will receive the message:

Forbidden
You don't have permission to access /this/directory on this server.


