Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

PHP File Access Control Handler

Posted on 2010-08-24
6
Medium Priority
?
462 Views
Last Modified: 2012-05-10
I would like to create a HTTP handler using preferably a PHP (or possibly Python) script which simply validates some session variables prior to permitting a download (be it an image to be shown on a web page, or a ZIP file):

i.e.
URI: http://mydomain.com/res.php?id=123
File Path: /home/vhosts/mydomain.com/private/res/download.zip  (No HTTP Access)

I understand that introducing a PHP handler will incur some small overhead. But is there a PHP solution to the following which incurs exactly the same additional overhead regardless of file size.

I hope that I have explained this clearly.

What is the most efficient way to accomplish this with PHP? Is there a way to send a file as the response (in a similar way to the default HTTP download handler that is used to convey images, ZIPs, etc)?

Script pseudo-code:
if ($authorized) {
   send ('/home/vhosts/mydomain.com/private/res/download.zip');
}
else {
   echo 'Access denied.';
   exit;
}

Open in new window

0
Comment
Question by:numberkruncher
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 33515259
Yes, here is how I do it.  Hopefully you can generalize this to test the authorization before allowing the download.
<?php // RAY_force_download.php
error_reporting(E_ALL);


// A FILE TO DOWNLOAD - THIS LINK COULD COME IN THE URL VIA $_GET OR COULD BE GENERATED INSIDE THE SCRIPT
$url = "http://www.google.com/intl/en_ALL/images/logo.gif";

// USE CASE
force_download($url);


// FUNCTION TO FORCE A DOWNLOAD
function force_download($filename)
{
    // GET A NAME FOR THE FILE
    $basename = basename($filename);

    // GET THE CONTENTS OF THE FILE
    $filedata = file_get_contents($filename);

    if ($filedata)
    {
        // THESE HEADERS ARE USED ON ALL BROWSERS
        header("Content-Type: application-x/force-download");
        header("Content-Disposition: attachment; filename=\"$basename\"");
        header("Content-length: ".(string)(strlen($filedata)));
        header("Expires: ".gmdate("D, d M Y H:i:s", mktime(date("H")+2, date("i"), date("s"), date("m"), date("d"), date("Y")))." GMT");
        header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT");

        // THIS HEADER MUST BE OMITTED FOR IE 6+
        if (FALSE === strpos($_SERVER["HTTP_USER_AGENT"], 'MSIE '))
        {
            header("Cache-Control: no-cache, must-revalidate");
        }

        // THIS IS THE LAST HEADER
        header("Pragma: no-cache");

        // FLUSH THE HEADERS TO THE BROWSER
        flush();

        // CAPTURE THE FILE IN THE OUTPUT BUFFERS - WILL BE FLUSHED AT SCRIPT END
        ob_start();
        echo $filedata;
    }
}

Open in new window

0
 
LVL 13

Author Comment

by:numberkruncher
ID: 33516368
Thanks! that looks like exactly what I am after.

Does reading the file contents into a buffer and then transmitting it incur a significant amount of overhead when compared with regular file downloads? Or is the only overhead the PHP script itself?


I suppose for an image that needs to be shown on a web page, I would just change the MIME type? ie. for an img tag.
0
 
LVL 111

Accepted Solution

by:
Ray Paseur earned 2000 total points
ID: 33517447
No real difference in overhead - the file must still be read and sent via HTTP no matter how you do it.  You must have enough memory to load the entire file.

To show an image on a web page you would just do something like this:
header('Content-type: image/jpg');

Then pass the binary image file to the browser output stream.  But it might be easier to just give the client a regular link.

Best regards, ~Ray
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
LVL 13

Author Closing Comment

by:numberkruncher
ID: 33519457
Thanks for the information, I hadn't thought of it that way.

I didn't just want to provide a straightforward link because I do not want users to be able to share them with unauthorised users, or to post a link on a blog or something.
0
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 33520418
Not providing a link will only frustrate the people who want a link.  The thieves and hackers will still be able to copy your data.  Sometimes a watermark is a good idea.  Best of luck with it, ~Ray
0
 
LVL 13

Author Comment

by:numberkruncher
ID: 33521346
> Not providing a link will only frustrate the people who want a link.

For what purpose would somebody require a link? If they do require a link they can just copy it, but it will only work if they are logged into the website.

> The thieves and hackers will still be able to copy your data.

It will not prevent thieves from stealing the data, but it will strengthen the security of this. The most important thing here though isn't the theft of data, but rather the theft of bandwidth. I do not want it to be possible for a third-party website to embed members-only images within their web pages.

Sure I understand that a member could download and illegally redistribute an image/ZIP/etc, but there are ways of making that more difficult. Especially with software downloads because of serial numbers/activation/etc. For digital downloads I actually intend to limit the number of downloads per registered member.

> Sometimes a watermark is a good idea

Thanks, that's actually a fantastic piece of advice, I hadn't thought of adding watermarks.

> Best of luck with it

Thanks Ray, as I say, I think you've given me exactly what I need.
0

Featured Post

Enroll in September's Course of the Month

This month’s featured course covers 16 hours of training in installation, management, and deployment of VMware vSphere virtualization environments. It's free for Premium Members, Team Accounts, and Qualified Experts!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Q&A with Course Creator, Mark Lassoff, on the importance of HTML5 in the career of a modern-day developer.
Originally, this post was published on Monitis Blog, you can check it here . In business circles, we sometimes hear that today is the “age of the customer.” And so it is. Thanks to the enormous advances over the past few years in consumer techno…
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…
Learn how to create flexible layouts using relative units in CSS.  New relative units added in CSS3 include vw(viewports width), vh(viewports height), vmin(minimum of viewports height and width), and vmax (maximum of viewports height and width).

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question