Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Prevent download of files???

Posted on 2014-03-19
8
Medium Priority
?
274 Views
Last Modified: 2014-05-30
Is there a way to prevent a user who has a URL to a file (PDF) from downloading it? I have a site built in PHP. I need to prevent PDF downloads by users who are not logged into the site, but the URLs of PDF documents are getting around.

TIA
0
Comment
Question by:machine_run
  • 3
  • 3
  • 2
8 Comments
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 39940808
Would restrict the directory where the PDFs are stored to logged in users only.
0
 
LVL 111

Accepted Solution

by:
Ray Paseur earned 2000 total points
ID: 39940844
You can put the PDF files in a directory or directory tree that is outside of the WWW root.  Then you can have a password-protected script that permits a client to download the PDFs.  The script that permits the downloads can also update a data base to record who downloaded what and when.  If you create the PDF files on the fly, you can even embed the client's name and email address in the footer!

How to password-protect web pages:
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html

How to force a download:
<?php // demo/force_download.php
error_reporting(E_ALL);
ini_set('display_errors', TRUE);
ini_set('log_errors',     TRUE);


// DEMONSTRATE HOW TO CAUSE A FILE DOWNLOAD


// REQUIRED FOR USE WITH THE PHP date() FUNCTIONS
date_default_timezone_set('America/New_York');

// A FILE TO DOWNLOAD - THIS LINK COULD COME IN THE URL VIA $_GET, OR COULD BE GENERATED INSIDE THE SCRIPT
$url = "http://www.IcoNoun.com/demo/short_text_file.txt";

// THE USE CASE FOR THE FUNCTION
force_download($url);


// FUNCTION TO FORCE A DOWNLOAD FROM A FILE
function force_download($filename)
{
    // GET THE CONTENTS OF THE FILE
    $filedata = @file_get_contents($filename);

    // SUCCESS
    if ($filedata)
    {
        // GET A NAME FOR THE FILE
        $basename = basename($filename);

        // THESE HEADERS ARE USED ON ALL BROWSERS
        header("Content-Type: application-x/force-download");
        header("Content-Disposition: attachment; filename=$basename");
        header("Content-length: ".(string)(strlen($filedata)));
        header("Expires: ".gmdate("D, d M Y H:i:s", mktime(date("H")+2, date("i"), date("s"), date("m"), date("d"), date("Y")))." GMT");
        header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT");

        // THIS HEADER MUST BE OMITTED FOR IE 6+
        if (FALSE === strpos($_SERVER["HTTP_USER_AGENT"], 'MSIE '))
        {
            header("Cache-Control: no-cache, must-revalidate");
        }

        // THIS IS THE LAST HEADER
        header("Pragma: no-cache");

        // FLUSH THE HEADERS TO THE BROWSER
        flush();

        // WRITE THE FILE
        echo $filedata;
    }

    // ERROR
    else
    {
        trigger_error("ERROR: UNABLE TO OPEN $filename", E_USER_ERROR);
    }
}

Open in new window

Please post back if you still have any questions, ~Ray
0
 
LVL 1

Author Comment

by:machine_run
ID: 39940848
Users get an error if they go to the directory itself, but how can one restrict access to contents?
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 39940851
Do they get an HTTP 403 error?
0
 
LVL 1

Author Comment

by:machine_run
ID: 39940860
404 (Page Not Found) Error when they go to a directory
0
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 39940864
You can restrict access to the contents by putting the directory outside of the WWW root.  As a result, there will be no URL for any of the contents of the directory.  A script that is inside the WWW root tree (and therefore has a URL) can access the directory to allow a download, but the external clients cannot; they must go through the script.  If that script is password protected, you're relatively safe.

Just remember, no matter what protections you put on your site, once a file has been downloaded, it has been released into the wild.  That's why it may be smart to mark the downloaded files showing who downloaded them.  It may discourage unauthorized distribution.
0
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 39940875
What Ray suggested is correct.

Here is another reference using .htaccess.

stackoverflow.com/questions/2187200/using-php-apache-to-restrict-access-to-static-files-html-css-img-etc
0
 
LVL 1

Author Closing Comment

by:machine_run
ID: 40101076
THANKS
0

Featured Post

New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It’s a season to be thankful, and we’re thankful for users like you who engage on site, solve technology problems, and network with others in the industry. What tech are we most thankful for? Keep reading.
The title says it all. Writing any type of PHP Application or API code that provides high throughput, while under a heavy load, seems to be an arcane art form (Black Magic). This article aims to provide some general guidelines for producing this typ…
The viewer will learn the benefit of using external CSS files and the relationship between class and ID selectors. Create your external css file by saving it as style.css then set up your style tags: (CODE) Reference the nav tag and set your prop…
Video by: Mark
This lesson goes over how to construct ordered and unordered lists and how to create hyperlinks.
Suggested Courses
Course of the Month20 days, 20 hours left to enroll

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question