Solved

PHP File Access Control Handler

Posted on 2010-08-24
6
452 Views
Last Modified: 2012-05-10
I would like to create a HTTP handler using preferably a PHP (or possibly Python) script which simply validates some session variables prior to permitting a download (be it an image to be shown on a web page, or a ZIP file):

i.e.
URI: http://mydomain.com/res.php?id=123
File Path: /home/vhosts/mydomain.com/private/res/download.zip  (No HTTP Access)

I understand that introducing a PHP handler will incur some small overhead. But is there a PHP solution to the following which incurs exactly the same additional overhead regardless of file size.

I hope that I have explained this clearly.

What is the most efficient way to accomplish this with PHP? Is there a way to send a file as the response (in a similar way to the default HTTP download handler that is used to convey images, ZIPs, etc)?

Script pseudo-code:
if ($authorized) {
   send ('/home/vhosts/mydomain.com/private/res/download.zip');
}
else {
   echo 'Access denied.';
   exit;
}

Open in new window

0
Comment
Question by:numberkruncher
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 110

Expert Comment

by:Ray Paseur
ID: 33515259
Yes, here is how I do it.  Hopefully you can generalize this to test the authorization before allowing the download.
<?php // RAY_force_download.php
error_reporting(E_ALL);


// A FILE TO DOWNLOAD - THIS LINK COULD COME IN THE URL VIA $_GET OR COULD BE GENERATED INSIDE THE SCRIPT
$url = "http://www.google.com/intl/en_ALL/images/logo.gif";

// USE CASE
force_download($url);


// FUNCTION TO FORCE A DOWNLOAD
function force_download($filename)
{
    // GET A NAME FOR THE FILE
    $basename = basename($filename);

    // GET THE CONTENTS OF THE FILE
    $filedata = file_get_contents($filename);

    if ($filedata)
    {
        // THESE HEADERS ARE USED ON ALL BROWSERS
        header("Content-Type: application-x/force-download");
        header("Content-Disposition: attachment; filename=\"$basename\"");
        header("Content-length: ".(string)(strlen($filedata)));
        header("Expires: ".gmdate("D, d M Y H:i:s", mktime(date("H")+2, date("i"), date("s"), date("m"), date("d"), date("Y")))." GMT");
        header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT");

        // THIS HEADER MUST BE OMITTED FOR IE 6+
        if (FALSE === strpos($_SERVER["HTTP_USER_AGENT"], 'MSIE '))
        {
            header("Cache-Control: no-cache, must-revalidate");
        }

        // THIS IS THE LAST HEADER
        header("Pragma: no-cache");

        // FLUSH THE HEADERS TO THE BROWSER
        flush();

        // CAPTURE THE FILE IN THE OUTPUT BUFFERS - WILL BE FLUSHED AT SCRIPT END
        ob_start();
        echo $filedata;
    }
}

Open in new window

0
 
LVL 13

Author Comment

by:numberkruncher
ID: 33516368
Thanks! that looks like exactly what I am after.

Does reading the file contents into a buffer and then transmitting it incur a significant amount of overhead when compared with regular file downloads? Or is the only overhead the PHP script itself?


I suppose for an image that needs to be shown on a web page, I would just change the MIME type? ie. for an img tag.
0
 
LVL 110

Accepted Solution

by:
Ray Paseur earned 500 total points
ID: 33517447
No real difference in overhead - the file must still be read and sent via HTTP no matter how you do it.  You must have enough memory to load the entire file.

To show an image on a web page you would just do something like this:
header('Content-type: image/jpg');

Then pass the binary image file to the browser output stream.  But it might be easier to just give the client a regular link.

Best regards, ~Ray
0
PeopleSoft Has Never Been Easier

PeopleSoft Adoption Made Smooth & Simple!

On-The-Job Training Is made Intuitive & Easy With WalkMe's On-Screen Guidance Tool.  Claim Your Free WalkMe Account Now

 
LVL 13

Author Closing Comment

by:numberkruncher
ID: 33519457
Thanks for the information, I hadn't thought of it that way.

I didn't just want to provide a straightforward link because I do not want users to be able to share them with unauthorised users, or to post a link on a blog or something.
0
 
LVL 110

Expert Comment

by:Ray Paseur
ID: 33520418
Not providing a link will only frustrate the people who want a link.  The thieves and hackers will still be able to copy your data.  Sometimes a watermark is a good idea.  Best of luck with it, ~Ray
0
 
LVL 13

Author Comment

by:numberkruncher
ID: 33521346
> Not providing a link will only frustrate the people who want a link.

For what purpose would somebody require a link? If they do require a link they can just copy it, but it will only work if they are logged into the website.

> The thieves and hackers will still be able to copy your data.

It will not prevent thieves from stealing the data, but it will strengthen the security of this. The most important thing here though isn't the theft of data, but rather the theft of bandwidth. I do not want it to be possible for a third-party website to embed members-only images within their web pages.

Sure I understand that a member could download and illegally redistribute an image/ZIP/etc, but there are ways of making that more difficult. Especially with software downloads because of serial numbers/activation/etc. For digital downloads I actually intend to limit the number of downloads per registered member.

> Sometimes a watermark is a good idea

Thanks, that's actually a fantastic piece of advice, I hadn't thought of adding watermarks.

> Best of luck with it

Thanks Ray, as I say, I think you've given me exactly what I need.
0

Featured Post

Is Your Team Achieving Their Full Potential?

74% of employees feel they are not achieving their full potential. With Linux Academy, not only will you strengthen your team's core competencies but also their knowledge of of the newest IT topics.

With new material every week, we'll make sure that you stay ahead of the game.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When it comes to write a Context Sensitive Help (an online help that is obtained from a specific point in state of software to provide help with that state) ,  first we need to make the file that contains all topics, which are given exclusive IDs. …
This article discusses how to implement server side field validation and display customized error messages to the client.
The viewer will get a basic understanding of what section 508 compliance can entail, learn about skip navigation links, alt text, transcripts, and font size controls.
Learn how to create flexible layouts using relative units in CSS.  New relative units added in CSS3 include vw(viewports width), vh(viewports height), vmin(minimum of viewports height and width), and vmax (maximum of viewports height and width).

615 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question