ike1492
 asked on

Hiding Download Link in PHP

Hello all!

Thanks for taking a look.  I am working on a site that hosts some PDF docs in a secure environment.  I have the security bit down, but I am having an issue.

I need to be able to hide the download link so that the user can't copy and paste the link into a browser window and change some characters and potentially end up with someone else's info.

example:  www.mysite.com/docs/customerID1234/doc.pdf

I don't want the user to be able to change the "1234" into something else and have access to other content.

Note:  There is already a login system in place, and this link would be behind it in a secure environment.  I don't want authorized users to phish around.  This is on an Apache server.

Thanks everyone!

ike1492
PHP, HTML, JavaScript

Last Comment
apreed

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
apreed

ike1492

ASKER
Thanks for the quick response.  I appreciate it!  Will the user be able to do a view source and see the full URL and potentially change the cust_id?

On mobile right now and can't try the code - thanks again!

Wait, I see it.  PERFECT!!! - Thanks!
apreed

View Source won't show the URL, as there is no "Source" to show - you've declared the headers as a PDF, so HTML source won't exist after that point.

The URL in the browser window will be www.mysite.com/download_my_doc.php

They would need to change the cust_id in the session, which is possible but a lot harder than changing a visible URL - be careful though, as if you're sending it to the php script on the querystring, then you're no better off (you don't want ...download_my_doc.php?cust_id=1234 to display in the browser - you're back with the same problem)

Plus, I forgot a little bit... you need readfile($file) as the last line. That's the bit which actually outputs the file content. Doh!

header('Accept-Ranges: bytes');
readfile($file);
?>
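
The approach discussed in this thread, written out as an added example (not part of the original posts and not apreed's hidden answer): a download script that takes the customer ID only from the session and streams the PDF from outside the web root. The session key `cust_id`, the directory `/var/private/docs` and the file layout are assumptions for illustration.

```php
<?php
declare(strict_types=1);
// download_my_doc.php -- added example; session key and paths are assumptions.

session_start();

// Assumption: the login system stored the customer ID in the session at sign-in.
// It is never read from $_GET or $_POST, so editing the URL cannot change it.
if (!isset($_SESSION['cust_id']) || !ctype_digit((string) $_SESSION['cust_id'])) {
    http_response_code(403);
    exit('Not authorized');
}
$custId = (string) $_SESSION['cust_id'];

// Assumption: PDFs are stored outside the Apache document root, so no
// /docs/customerID1234/doc.pdf URL exists for anyone to edit.
$baseDir = '/var/private/docs'; // hypothetical location
$file = realpath("$baseDir/customerID$custId/doc.pdf");

// realpath() returns false for a missing file; the prefix check rejects any
// path that resolves outside this customer's directory (for example via a symlink).
$expectedPrefix = realpath($baseDir) . "/customerID$custId/";
if ($file === false || strncmp($file, $expectedPrefix, strlen($expectedPrefix)) !== 0) {
    http_response_code(404);
    exit('Document not found');
}

// Declare the response as a PDF download, then stream the file body.
header('Content-Type: application/pdf');
header('Content-Disposition: attachment; filename="doc.pdf"');
header('Content-Length: ' . filesize($file));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($file);
exit;
```

If the documents have to stay under the document root, direct requests to that directory also need to be denied in the Apache configuration, otherwise the original URL keeps working alongside the script.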