Solved

PHP File Access Control Handler

Posted on 2010-08-24
6
442 Views
Last Modified: 2012-05-10
I would like to create a HTTP handler using preferably a PHP (or possibly Python) script which simply validates some session variables prior to permitting a download (be it an image to be shown on a web page, or a ZIP file):

i.e.
URI: http://mydomain.com/res.php?id=123
File Path: /home/vhosts/mydomain.com/private/res/download.zip  (No HTTP Access)

I understand that introducing a PHP handler will incur some small overhead. But is there a PHP solution to the following which incurs exactly the same additional overhead regardless of file size.

I hope that I have explained this clearly.

What is the most efficient way to accomplish this with PHP? Is there a way to send a file as the response (in a similar way to the default HTTP download handler that is used to convey images, ZIPs, etc)?

Script pseudo-code:
if ($authorized) {
   send ('/home/vhosts/mydomain.com/private/res/download.zip');
}
else {
   echo 'Access denied.';
   exit;
}

Open in new window

0
Comment
Question by:numberkruncher
  • 3
  • 3
6 Comments
 
LVL 109

Expert Comment

by:Ray Paseur
ID: 33515259
Yes, here is how I do it.  Hopefully you can generalize this to test the authorization before allowing the download.
<?php // RAY_force_download.php
error_reporting(E_ALL);


// A FILE TO DOWNLOAD - THIS LINK COULD COME IN THE URL VIA $_GET OR COULD BE GENERATED INSIDE THE SCRIPT
$url = "http://www.google.com/intl/en_ALL/images/logo.gif";

// USE CASE
force_download($url);


// FUNCTION TO FORCE A DOWNLOAD
function force_download($filename)
{
    // GET A NAME FOR THE FILE
    $basename = basename($filename);

    // GET THE CONTENTS OF THE FILE
    $filedata = file_get_contents($filename);

    if ($filedata)
    {
        // THESE HEADERS ARE USED ON ALL BROWSERS
        header("Content-Type: application-x/force-download");
        header("Content-Disposition: attachment; filename=\"$basename\"");
        header("Content-length: ".(string)(strlen($filedata)));
        header("Expires: ".gmdate("D, d M Y H:i:s", mktime(date("H")+2, date("i"), date("s"), date("m"), date("d"), date("Y")))." GMT");
        header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT");

        // THIS HEADER MUST BE OMITTED FOR IE 6+
        if (FALSE === strpos($_SERVER["HTTP_USER_AGENT"], 'MSIE '))
        {
            header("Cache-Control: no-cache, must-revalidate");
        }

        // THIS IS THE LAST HEADER
        header("Pragma: no-cache");

        // FLUSH THE HEADERS TO THE BROWSER
        flush();

        // CAPTURE THE FILE IN THE OUTPUT BUFFERS - WILL BE FLUSHED AT SCRIPT END
        ob_start();
        echo $filedata;
    }
}

Open in new window

0
 
LVL 13

Author Comment

by:numberkruncher
ID: 33516368
Thanks! that looks like exactly what I am after.

Does reading the file contents into a buffer and then transmitting it incur a significant amount of overhead when compared with regular file downloads? Or is the only overhead the PHP script itself?


I suppose for an image that needs to be shown on a web page, I would just change the MIME type? ie. for an img tag.
0
 
LVL 109

Accepted Solution

by:
Ray Paseur earned 500 total points
ID: 33517447
No real difference in overhead - the file must still be read and sent via HTTP no matter how you do it.  You must have enough memory to load the entire file.

To show an image on a web page you would just do something like this:
header('Content-type: image/jpg');

Then pass the binary image file to the browser output stream.  But it might be easier to just give the client a regular link.

Best regards, ~Ray
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 
LVL 13

Author Closing Comment

by:numberkruncher
ID: 33519457
Thanks for the information, I hadn't thought of it that way.

I didn't just want to provide a straightforward link because I do not want users to be able to share them with unauthorised users, or to post a link on a blog or something.
0
 
LVL 109

Expert Comment

by:Ray Paseur
ID: 33520418
Not providing a link will only frustrate the people who want a link.  The thieves and hackers will still be able to copy your data.  Sometimes a watermark is a good idea.  Best of luck with it, ~Ray
0
 
LVL 13

Author Comment

by:numberkruncher
ID: 33521346
> Not providing a link will only frustrate the people who want a link.

For what purpose would somebody require a link? If they do require a link they can just copy it, but it will only work if they are logged into the website.

> The thieves and hackers will still be able to copy your data.

It will not prevent thieves from stealing the data, but it will strengthen the security of this. The most important thing here though isn't the theft of data, but rather the theft of bandwidth. I do not want it to be possible for a third-party website to embed members-only images within their web pages.

Sure I understand that a member could download and illegally redistribute an image/ZIP/etc, but there are ways of making that more difficult. Especially with software downloads because of serial numbers/activation/etc. For digital downloads I actually intend to limit the number of downloads per registered member.

> Sometimes a watermark is a good idea

Thanks, that's actually a fantastic piece of advice, I hadn't thought of adding watermarks.

> Best of luck with it

Thanks Ray, as I say, I think you've given me exactly what I need.
0

Featured Post

3 Use Cases for Connected Systems

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, testing some more, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
PHP installation issues 11 59
Adwords and keywords 2 35
business account would work but I have a regular paypal account 2 77
PHP Form Calculate Total Price 10 40
Learn by example how to specify CSS selectors for Selenium WebDriver test automation software.
3 proven steps to speed up Magento powered sites. The article focus is on optimizing time to first byte (TTFB), full page caching and configuring server for optimal performance.
This tutorial walks through the best practices in adding a local business to Google Maps including how to properly search for duplicates, marker placement, and inputing business details. Login to your Google Account, then search for "Google Mapmaker…
The is a quite short video tutorial. In this video, I'm going to show you how to create self-host WordPress blog with free hosting service.

815 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now