Question : protect file from download

I have a file that people can download but only if they sign up for the mailing list. So, when they enter their email address they are taken to the page where they can download the file. The problem is that if you view the source on that page, you can see the exact path to the file. So, they could just give that link to anyone and they could use it to download the file without signing up. I tried changing the permissions on the directory which worked but now even people that sign up can't download the file. Is there a way to hide the link path or maybe some other method?

Answer : protect file from download

Here are some ideas...

Keep the file in a folder that is out of the WWW root - so nobody can download the file via a URL.

Encode the client email address using md5() and require this code to download the file.

Set up a "force download" script that will download the file to the client's computer.  Password-protect this script.  When the client has registered for the mailing list, give them the link to the download script.  Include the md5() value of their email address in the URL.  Require them to enter their email address as a "password" on this page.  Compare the md5() of the email address to the md5() in the URL.  Validate the email address against the database.  Then consider emailing a link to them, instead of exposing the URL in clear text over the WWW.

Mark the file with some kind of data field that indicates who was authorized to download it.  An image watermark or a field in a PDF will do nicely.

Those things should be enough - but with any question about security, the question is a matter of tradeoffs - how much are you willing to spend on security to protect the asset?  If it is nuclear codes, the answer is "a lot" and if it is fishing statistics the answer is "not much."

Here is a script that will force a download.  Protect it and add some validation, and you're good to go!

HTH, ~Ray
<?php // RAY_force_download.php
error_reporting(E_ALL);


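// A FILE TO DOWNLOAD - THIS LINK COULD COME IN THE URL VIA $_GET OR COULD BE GENERATED INSIDE THE SCRIPT
// IF IT COMES FROM $_GET, CHECK IT AGAINST A LIST OF ALLOWED FILES FIRST - file_get_contents() WILL READ ANY PATH OR URL IT IS GIVEN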
$url = "http://www.google.com/intl/en_ALL/images/logo.gif";

// USE CASE
force_download($url);


// FUNCTION TO FORCE A DOWNLOAD
function force_download($filename)
{
    // GET A NAME FOR THE FILE
    $basename = basename($filename);

    // GET THE CONTENTS OF THE FILE
    $filedata = file_get_contents($filename);

    // file_get_contents() RETURNS FALSE ON FAILURE
    if ($filedata !== FALSE)
    {
        // THESE HEADERS ARE USED ON ALL BROWSERS
        header("Content-Type: application-x/force-download");
        header("Content-Disposition: attachment; filename=\"$basename\"");
        header("Content-length: ".(string)(strlen($filedata)));
        header("Expires: ".gmdate("D, d M Y H:i:s", mktime(date("H")+2, date("i"), date("s"), date("m"), date("d"), date("Y")))." GMT");
        header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT");

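        // THIS HEADER MUST BE OMITTED FOR IE 6+
        // THE USER AGENT MAY BE MISSING FROM THE REQUEST - A NOTICE PRINTED HERE WOULD BREAK THE REMAINING HEADERS
        $user_agent = isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : "";
        if (FALSE === strpos($user_agent, 'MSIE '))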
        {
            header("Cache-Control: no-cache, must-revalidate");
        }

        // THIS IS THE LAST HEADER
        header("Pragma: no-cache");

        // FLUSH THE HEADERS TO THE BROWSER
        flush();

        // CAPTURE THE FILE IN THE OUTPUT BUFFERS - WILL BE FLUSHED AT SCRIPT END
        ob_start();
        echo $filedata;
    }
}
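
An added example, not part of the original answer: a download handler that combines the ideas above (file outside the web root, a per-subscriber code in the emailed link, forced download). It swaps the bare md5() of the email for a keyed HMAC with an expiry time, because an unkeyed hash can be computed by anyone who knows the address; the paths, secret, file list and function names are assumptions.

```php
<?php
// Added example: names, paths and the secret below are placeholders (assumptions).
const DOWNLOAD_DIR = '/var/private/downloads';          // outside the web root
const SECRET_KEY   = 'replace-with-long-random-secret'; // load from config, not source control
const FILES        = ['guide' => 'guide.pdf'];          // allow-list: id => real file name

// Build the link that is emailed to a subscriber after signup.
function make_download_link(string $email, string $fileId, int $ttl = 86400): string
{
    $expires = time() + $ttl;
    $sig = hash_hmac('sha256', strtolower($email) . '|' . $fileId . '|' . $expires, SECRET_KEY);
    return '/download.php?' . http_build_query(
        ['f' => $fileId, 'e' => $email, 'x' => $expires, 's' => $sig]);
}

// Return true only for a known file, an unexpired link and a matching signature.
function verify_download(string $email, string $fileId, int $expires, string $sig): bool
{
    if ($expires < time() || !array_key_exists($fileId, FILES)) {
        return false;
    }
    $expected = hash_hmac('sha256', strtolower($email) . '|' . $fileId . '|' . $expires, SECRET_KEY);
    return hash_equals($expected, $sig);   // constant-time comparison
}

// Request handler (download.php); skipped when the file is included from the CLI.
if (PHP_SAPI !== 'cli') {
    $email   = (string)($_GET['e'] ?? '');
    $fileId  = (string)($_GET['f'] ?? '');
    $expires = (int)($_GET['x'] ?? 0);
    $sig     = (string)($_GET['s'] ?? '');

    if (!verify_download($email, $fileId, $expires, $sig)) {
        http_response_code(403);
        exit('Link is invalid or has expired.');
    }
    // Also confirm $email is on the mailing list here (database lookup omitted).

    $path = DOWNLOAD_DIR . '/' . FILES[$fileId];  // name comes from the allow-list, never the URL
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . FILES[$fileId] . '"');
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path);                              // streams the file without loading it into memory
}
```

A signed link can still be forwarded until it expires, so keep the lifetime short and log which address each download was issued to.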