Solved

Prevent download of files???

Posted on 2014-03-19
8
252 Views
Last Modified: 2014-05-30
Is there a way to prevent a user who has a URL to a file (PDF) from downloading it? I have a site built in PHP. I need to prevent PDF downloads by users who are not logged into the site, but the URLs of PDF documents are getting around.

TIA
0
Comment
Question by:machine_run
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
8 Comments
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 39940808
Would restrict the directory where the PDFs are stored to logged in users only.
0
 
LVL 110

Accepted Solution

by:
Ray Paseur earned 500 total points
ID: 39940844
You can put the PDF files in a directory or directory tree that is outside of the WWW root.  Then you can have a password-protected script that permits a client to download the PDFs.  The script that permits the downloads can also update a data base to record who downloaded what and when.  If you create the PDF files on the fly, you can even embed the client's name and email address in the footer!

How to password-protect web pages:
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html

How to force a download:
<?php // demo/force_download.php
error_reporting(E_ALL);
ini_set('display_errors', TRUE);
ini_set('log_errors',     TRUE);


// DEMONSTRATE HOW TO CAUSE A FILE DOWNLOAD


// REQUIRED FOR USE WITH THE PHP date() FUNCTIONS
date_default_timezone_set('America/New_York');

// A FILE TO DOWNLOAD - THIS LINK COULD COME IN THE URL VIA $_GET, OR COULD BE GENERATED INSIDE THE SCRIPT
$url = "http://www.IcoNoun.com/demo/short_text_file.txt";

// THE USE CASE FOR THE FUNCTION
force_download($url);


// FUNCTION TO FORCE A DOWNLOAD FROM A FILE
function force_download($filename)
{
    // GET THE CONTENTS OF THE FILE
    $filedata = @file_get_contents($filename);

    // SUCCESS
    if ($filedata)
    {
        // GET A NAME FOR THE FILE
        $basename = basename($filename);

        // THESE HEADERS ARE USED ON ALL BROWSERS
        header("Content-Type: application-x/force-download");
        header("Content-Disposition: attachment; filename=$basename");
        header("Content-length: ".(string)(strlen($filedata)));
        header("Expires: ".gmdate("D, d M Y H:i:s", mktime(date("H")+2, date("i"), date("s"), date("m"), date("d"), date("Y")))." GMT");
        header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT");

        // THIS HEADER MUST BE OMITTED FOR IE 6+
        if (FALSE === strpos($_SERVER["HTTP_USER_AGENT"], 'MSIE '))
        {
            header("Cache-Control: no-cache, must-revalidate");
        }

        // THIS IS THE LAST HEADER
        header("Pragma: no-cache");

        // FLUSH THE HEADERS TO THE BROWSER
        flush();

        // WRITE THE FILE
        echo $filedata;
    }

    // ERROR
    else
    {
        trigger_error("ERROR: UNABLE TO OPEN $filename", E_USER_ERROR);
    }
}

Open in new window

Please post back if you still have any questions, ~Ray
0
 
LVL 1

Author Comment

by:machine_run
ID: 39940848
Users get an error if they go to the directory itself, but how can one restrict access to contents?
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 39940851
Do they get an HTTP 403 error?
0
 
LVL 1

Author Comment

by:machine_run
ID: 39940860
404 (Page Not Found) Error when they go to a directory
0
 
LVL 110

Expert Comment

by:Ray Paseur
ID: 39940864
You can restrict access to the contents by putting the directory outside of the WWW root.  As a result, there will be no URL for any of the contents of the directory.  A script that is inside the WWW root tree (and therefore has a URL) can access the directory to allow a download, but the external clients cannot; they must go through the script.  If that script is password protected, you're relatively safe.

Just remember, no matter what protections you put on your site, once a file has been downloaded, it has been released into the wild.  That's why it may be smart to mark the downloaded files showing who downloaded them.  It may discourage unauthorized distribution.
0
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 39940875
What Ray suggested is correct.

Here is another reference using .htaccess.

stackoverflow.com/questions/2187200/using-php-apache-to-restrict-access-to-static-files-html-css-img-etc
0
 
LVL 1

Author Closing Comment

by:machine_run
ID: 40101076
THANKS
0

Featured Post

Resolve Critical IT Incidents Fast

If your data, services or processes become compromised, your organization can suffer damage in just minutes and how fast you communicate during a major IT incident is everything. Learn how to immediately identify incidents & best practices to resolve them quickly and effectively.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Learn by example how to specify CSS selectors for Selenium WebDriver test automation software.
Because your company can’t afford for you to make SEO mistakes, you’ll want to ensure you’re taking the right steps each and every time you post a new piece of content. This list of optimization do’s and don’ts can help you become an SEO wizard.
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question