Solved

PHP File Access Control Handler

Posted on 2010-08-24
6
441 Views
Last Modified: 2012-05-10
I would like to create a HTTP handler using preferably a PHP (or possibly Python) script which simply validates some session variables prior to permitting a download (be it an image to be shown on a web page, or a ZIP file):

i.e.
URI: http://mydomain.com/res.php?id=123
File Path: /home/vhosts/mydomain.com/private/res/download.zip  (No HTTP Access)

I understand that introducing a PHP handler will incur some small overhead. But is there a PHP solution to the following which incurs exactly the same additional overhead regardless of file size.

I hope that I have explained this clearly.

What is the most efficient way to accomplish this with PHP? Is there a way to send a file as the response (in a similar way to the default HTTP download handler that is used to convey images, ZIPs, etc)?

Script pseudo-code:
if ($authorized) {

   send ('/home/vhosts/mydomain.com/private/res/download.zip');

}

else {

   echo 'Access denied.';

   exit;

}

Open in new window

0
Comment
Question by:numberkruncher
  • 3
  • 3
6 Comments
 
LVL 108

Expert Comment

by:Ray Paseur
Comment Utility
Yes, here is how I do it.  Hopefully you can generalize this to test the authorization before allowing the download.
<?php // RAY_force_download.php
error_reporting(E_ALL);


// A FILE TO DOWNLOAD - THIS LINK COULD COME IN THE URL VIA $_GET OR COULD BE GENERATED INSIDE THE SCRIPT
$url = "http://www.google.com/intl/en_ALL/images/logo.gif";

// USE CASE
force_download($url);


// FUNCTION TO FORCE A DOWNLOAD
function force_download($filename)
{
    // GET A NAME FOR THE FILE
    $basename = basename($filename);

    // GET THE CONTENTS OF THE FILE
    $filedata = file_get_contents($filename);

    if ($filedata)
    {
        // THESE HEADERS ARE USED ON ALL BROWSERS
        header("Content-Type: application-x/force-download");
        header("Content-Disposition: attachment; filename=\"$basename\"");
        header("Content-length: ".(string)(strlen($filedata)));
        header("Expires: ".gmdate("D, d M Y H:i:s", mktime(date("H")+2, date("i"), date("s"), date("m"), date("d"), date("Y")))." GMT");
        header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT");

        // THIS HEADER MUST BE OMITTED FOR IE 6+
        if (FALSE === strpos($_SERVER["HTTP_USER_AGENT"], 'MSIE '))
        {
            header("Cache-Control: no-cache, must-revalidate");
        }

        // THIS IS THE LAST HEADER
        header("Pragma: no-cache");

        // FLUSH THE HEADERS TO THE BROWSER
        flush();

        // CAPTURE THE FILE IN THE OUTPUT BUFFERS - WILL BE FLUSHED AT SCRIPT END
        ob_start();
        echo $filedata;
    }
}

Open in new window

0
 
LVL 13

Author Comment

by:numberkruncher
Comment Utility
Thanks! that looks like exactly what I am after.

Does reading the file contents into a buffer and then transmitting it incur a significant amount of overhead when compared with regular file downloads? Or is the only overhead the PHP script itself?


I suppose for an image that needs to be shown on a web page, I would just change the MIME type? ie. for an img tag.
0
 
LVL 108

Accepted Solution

by:
Ray Paseur earned 500 total points
Comment Utility
No real difference in overhead - the file must still be read and sent via HTTP no matter how you do it.  You must have enough memory to load the entire file.

To show an image on a web page you would just do something like this:
header('Content-type: image/jpg');

Then pass the binary image file to the browser output stream.  But it might be easier to just give the client a regular link.

Best regards, ~Ray
0
Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

 
LVL 13

Author Closing Comment

by:numberkruncher
Comment Utility
Thanks for the information, I hadn't thought of it that way.

I didn't just want to provide a straightforward link because I do not want users to be able to share them with unauthorised users, or to post a link on a blog or something.
0
 
LVL 108

Expert Comment

by:Ray Paseur
Comment Utility
Not providing a link will only frustrate the people who want a link.  The thieves and hackers will still be able to copy your data.  Sometimes a watermark is a good idea.  Best of luck with it, ~Ray
0
 
LVL 13

Author Comment

by:numberkruncher
Comment Utility
> Not providing a link will only frustrate the people who want a link.

For what purpose would somebody require a link? If they do require a link they can just copy it, but it will only work if they are logged into the website.

> The thieves and hackers will still be able to copy your data.

It will not prevent thieves from stealing the data, but it will strengthen the security of this. The most important thing here though isn't the theft of data, but rather the theft of bandwidth. I do not want it to be possible for a third-party website to embed members-only images within their web pages.

Sure I understand that a member could download and illegally redistribute an image/ZIP/etc, but there are ways of making that more difficult. Especially with software downloads because of serial numbers/activation/etc. For digital downloads I actually intend to limit the number of downloads per registered member.

> Sometimes a watermark is a good idea

Thanks, that's actually a fantastic piece of advice, I hadn't thought of adding watermarks.

> Best of luck with it

Thanks Ray, as I say, I think you've given me exactly what I need.
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

Suggested Solutions

Using SQL Scripts we can save all the SQL queries as files that we use very frequently on our database later point of time. This is one of the feature present under SQL Workshop in Oracle Application Express.
Read about why website design really matters in today's demanding market.
Viewers will get an overview of the benefits and risks of using Bitcoin to accept payments. What Bitcoin is: Legality: Risks: Benefits: Which businesses are best suited?: Other things you should know: How to get started:
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now