Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

PHP File Access Control Handler

Posted on 2010-08-24
6
Medium Priority
?
467 Views
Last Modified: 2012-05-10
I would like to create a HTTP handler using preferably a PHP (or possibly Python) script which simply validates some session variables prior to permitting a download (be it an image to be shown on a web page, or a ZIP file):

i.e.
URI: http://mydomain.com/res.php?id=123
File Path: /home/vhosts/mydomain.com/private/res/download.zip  (No HTTP Access)

I understand that introducing a PHP handler will incur some small overhead. But is there a PHP solution to the following which incurs exactly the same additional overhead regardless of file size.

I hope that I have explained this clearly.

What is the most efficient way to accomplish this with PHP? Is there a way to send a file as the response (in a similar way to the default HTTP download handler that is used to convey images, ZIPs, etc)?

Script pseudo-code:
if ($authorized) {
   send ('/home/vhosts/mydomain.com/private/res/download.zip');
}
else {
   echo 'Access denied.';
   exit;
}

Open in new window

0
Comment
Question by:numberkruncher
  • 3
  • 3
6 Comments
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 33515259
Yes, here is how I do it.  Hopefully you can generalize this to test the authorization before allowing the download.
<?php // RAY_force_download.php
error_reporting(E_ALL);


// A FILE TO DOWNLOAD - THIS LINK COULD COME IN THE URL VIA $_GET OR COULD BE GENERATED INSIDE THE SCRIPT
$url = "http://www.google.com/intl/en_ALL/images/logo.gif";

// USE CASE
force_download($url);


// FUNCTION TO FORCE A DOWNLOAD
function force_download($filename)
{
    // GET A NAME FOR THE FILE
    $basename = basename($filename);

    // GET THE CONTENTS OF THE FILE
    $filedata = file_get_contents($filename);

    if ($filedata)
    {
        // THESE HEADERS ARE USED ON ALL BROWSERS
        header("Content-Type: application-x/force-download");
        header("Content-Disposition: attachment; filename=\"$basename\"");
        header("Content-length: ".(string)(strlen($filedata)));
        header("Expires: ".gmdate("D, d M Y H:i:s", mktime(date("H")+2, date("i"), date("s"), date("m"), date("d"), date("Y")))." GMT");
        header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT");

        // THIS HEADER MUST BE OMITTED FOR IE 6+
        if (FALSE === strpos($_SERVER["HTTP_USER_AGENT"], 'MSIE '))
        {
            header("Cache-Control: no-cache, must-revalidate");
        }

        // THIS IS THE LAST HEADER
        header("Pragma: no-cache");

        // FLUSH THE HEADERS TO THE BROWSER
        flush();

        // CAPTURE THE FILE IN THE OUTPUT BUFFERS - WILL BE FLUSHED AT SCRIPT END
        ob_start();
        echo $filedata;
    }
}

Open in new window

0
 
LVL 13

Author Comment

by:numberkruncher
ID: 33516368
Thanks! that looks like exactly what I am after.

Does reading the file contents into a buffer and then transmitting it incur a significant amount of overhead when compared with regular file downloads? Or is the only overhead the PHP script itself?


I suppose for an image that needs to be shown on a web page, I would just change the MIME type? ie. for an img tag.
0
 
LVL 111

Accepted Solution

by:
Ray Paseur earned 2000 total points
ID: 33517447
No real difference in overhead - the file must still be read and sent via HTTP no matter how you do it.  You must have enough memory to load the entire file.

To show an image on a web page you would just do something like this:
header('Content-type: image/jpg');

Then pass the binary image file to the browser output stream.  But it might be easier to just give the client a regular link.

Best regards, ~Ray
0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 
LVL 13

Author Closing Comment

by:numberkruncher
ID: 33519457
Thanks for the information, I hadn't thought of it that way.

I didn't just want to provide a straightforward link because I do not want users to be able to share them with unauthorised users, or to post a link on a blog or something.
0
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 33520418
Not providing a link will only frustrate the people who want a link.  The thieves and hackers will still be able to copy your data.  Sometimes a watermark is a good idea.  Best of luck with it, ~Ray
0
 
LVL 13

Author Comment

by:numberkruncher
ID: 33521346
> Not providing a link will only frustrate the people who want a link.

For what purpose would somebody require a link? If they do require a link they can just copy it, but it will only work if they are logged into the website.

> The thieves and hackers will still be able to copy your data.

It will not prevent thieves from stealing the data, but it will strengthen the security of this. The most important thing here though isn't the theft of data, but rather the theft of bandwidth. I do not want it to be possible for a third-party website to embed members-only images within their web pages.

Sure I understand that a member could download and illegally redistribute an image/ZIP/etc, but there are ways of making that more difficult. Especially with software downloads because of serial numbers/activation/etc. For digital downloads I actually intend to limit the number of downloads per registered member.

> Sometimes a watermark is a good idea

Thanks, that's actually a fantastic piece of advice, I hadn't thought of adding watermarks.

> Best of luck with it

Thanks Ray, as I say, I think you've given me exactly what I need.
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article discusses how to implement server side field validation and display customized error messages to the client.
When the s#!t hits the fan, you don’t have time to look up who’s on call, draft emails, call collaborators, or send text messages. An instant chat window is definitely the way to go, especially one like HipChat. HipChat is a true business app. An…
Viewers will get an overview of the benefits and risks of using Bitcoin to accept payments. What Bitcoin is: Legality: Risks: Benefits: Which businesses are best suited?: Other things you should know: How to get started:
The viewer will learn how to count occurrences of each item in an array.
Suggested Courses
Course of the Month7 days, 12 hours left to enroll

824 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question