hash and mod_rewrite for file download



brotherhewd
01-05-2006, 02:59 AM
Hello, I have a file hosting website and I am experiencing an issue. If somebody looks in the source code they can see the direct path of the file, hence bypassing the 25 second wait time, since I am using a download template file where every user sees the same download page template. One way I found of preventing that is by using hash and mod_rewrite to protect that, so instead of having /download.php?action=2&file=filename.rar I would have /download.php?hash=10293812ihoasdsaodasd. I have coded it to have the hash directly generated and put into a database. My problem is how would I use mod_rewrite (anybody have code for that?) and what would I put in the download.php and the download-summary.tpl.php to have the hash used to retrieve the files. The database is set up; I need help with the download part and the mod_rewrite part.

Thanks

firepages
01-05-2006, 05:20 AM
I don't think you really need mod_rewrite and databases and hashes etc...

in the directory that stores the downloads... create or add in a .htaccess file

# .htaccess in the downloads directory (a <Directory> block is only valid in the main server config)
Order Deny,Allow
Deny from all
Allow from localhost

this allows only your scripts to access the documents so knowing the path to the file helps nobody e.g.

// $whatever_is_appropriate and $blah are placeholders for the MIME type and the file name
header("Content-Type: $whatever_is_appropriate");
echo file_get_contents('noaccess/'.$blah.'.blah');

should work but direct requests should not

brotherhewd
01-05-2006, 05:22 AM
This would not work because my download template page gets info from download.php directly for example

http://www.mydomain.com/download.php?action=2&file=filename.rar.html

By using hash, this would be prevented

Diod
01-05-2006, 01:06 PM
Why not make an ID col. in the table in the database for each file and use queries like "... WHERE ID=" . (int) $_GET['file']

firepages
01-05-2006, 04:38 PM
So when someone goes to the download page, how does it work exactly? A JavaScript timer that opens a new window to download the file, or does a meta refresh to the actual download?

brotherhewd
01-05-2006, 07:26 PM
Deleted

missing-score
01-05-2006, 08:49 PM
I had to write an upload site once and that's basically what we did, and it is really the only decent way to ensure they wait. You don't HAVE to use .htaccess though.

Create a hash and then store it in the database, also assign it a time indicator, then direct the user to a URL with a hash on the end of it, e.g. www.mysite.com/file.php?hash=ziuerhb87

Do your JavaScript countdown as usual and have the redirect to be to the exact same URL they are visiting now.

Then, on the main file page use PHP to see if there is a hash set in the URL and if so, check the database for the time. If they have waited the full 30 seconds then give them file access, else reset the counter to 30 seconds (yeah, I'm mean like that).
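
The flow described in the post above, as an added example that is not part of the original thread: a token is stored with its issue time, and the file path is only released once the wait has elapsed on the server's clock. It assumes PHP 7+ with pdo_sqlite; the table and column names, the in-memory SQLite database, the fixed timestamps, the random token (used here in place of a hash of the file name) and the single-use deletion are assumptions of this example.

```php
<?php
// Added example: server-side wait check for a download token.
// Table/column names, the SQLite in-memory database and the path are assumptions.
const WAIT_SECONDS = 30;

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE tokens (token TEXT PRIMARY KEY, path TEXT NOT NULL, issued INTEGER NOT NULL)');
    return $db;
}

// Called when the countdown page is first shown: returns the value for ?hash=...
function issue_token(PDO $db, string $path, int $now): string {
    $token = bin2hex(random_bytes(16)); // random, so it cannot be derived from the file name
    $db->prepare('INSERT INTO tokens (token, path, issued) VALUES (?, ?, ?)')
       ->execute([$token, $path, $now]);
    return $token;
}

// Called when the page is requested with ?hash=...: returns the stored path
// once the wait has elapsed, otherwise restarts the wait and returns null.
function redeem_token(PDO $db, string $token, int $now): ?string {
    $q = $db->prepare('SELECT path, issued FROM tokens WHERE token = ?');
    $q->execute([$token]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null; // unknown or already used token
    }
    if ($now - (int) $row['issued'] < WAIT_SECONDS) {
        // Too early: reset the counter, as the post describes.
        $db->prepare('UPDATE tokens SET issued = ? WHERE token = ?')->execute([$now, $token]);
        return null;
    }
    // Single use (an addition of this example): the token cannot be shared afterwards.
    $db->prepare('DELETE FROM tokens WHERE token = ?')->execute([$token]);
    return $row['path'];
}

// Constructed walk-through with fixed timestamps instead of time().
$db = open_db();
$t  = issue_token($db, 'noaccess/filename.rar', 1000);
var_dump(redeem_token($db, $t, 1010)); // request 10 s after issue
var_dump(redeem_token($db, $t, 1040)); // request 30 s after the reset
var_dump(redeem_token($db, $t, 1041)); // same token requested again
```

The JavaScript countdown stays purely cosmetic in this design: skipping it only triggers the early-request branch, and the real file path never appears in the page source.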

brotherhewd
01-05-2006, 10:28 PM
I know how to do the hash part and the redirect users to a url with a hash at the end of it.

Now after that, I have no clue how to do what you just told me.


Do your JavaScript countdown as usual and have the redirect to be to the exact same URL they are visiting now.

Then, on the main file page use PHP to see if there is a hash set in the URL and if so, check the database for the time. If they have waited the full 30 seconds then give them file access, else reset the counter to 30 seconds (yeah, I'm mean like that).

=( Sorry, I have very little knowledge of PHP but I am learning =)


