Gossamer Forum

Hiding direct paths, can it be done?

Is there any way you can hide the actual path/URL of a file so that a person can't get at it if they are not logged in, for example? Using PHP, not htaccess?

I have seen it in the past, where the link points to a directory made up of random letters and numbers ie.
http://hostname.com/download.php?Hk638jhnJK700w88vmf
and then they are redirected to the file.

I hope this makes sense. Simply put, I need a way to hide the actual location of a file so people can't just simply download it without logging in.

Any suggestions would be helpful
Re: [Unquick] Hiding direct paths, can it be done? In reply to
I have a script that does something similar. It could be quite easily modified to suit your needs. It's for my download stuff on LinksSQL.net, so I obviously do not want to post it in public. If you are interested, please let me know, and I'll PM you a copy over.

Cheers

Andy (mod)
andy@ultranerds.co.uk
Re: [Unquick] Hiding direct paths, can it be done? In reply to
The basic premise is you have your php authenticate a key or password, and then have it return the file (print the proper header, then open the file, then print out the file). You want to make sure the file is outside of the document root, so users can't get to it directly.

Cheers,

Alex
--
Gossamer Threads Inc.
Re: [Andy] Hiding direct paths, can it be done? In reply to
Andy, definitely IM me the source, I would love to have a look at how you've done it.

Thanx
Re: [Alex] Hiding direct paths, can it be done? In reply to
In Reply To:
The basic premise is you have your php authenticate a key or password, and then have it return the file (print the proper header, then open the file, then print out the file). You want to make sure the file is outside of the document root, so users can't get to it directly.

Cheers,

Alex


I will just use sessions to check that the person is actually logged in, if not they will get redirected to the login page. Now I tried this header:

header("Location: http://www.domainname.com/files/file.exe");

and it seems to work fine. I do not see how anyone could know the location of where the file is coming from. Now my question is why do I need to open and print the file, it seems to work just fine by printing the header? Also I noticed that you can use .htaccess to password protect the directory the file is in, so even if they got the exact URL it would still be inaccessible because of the password protection on the DIR. Let me know if I'm right or wrong, I would still consider myself pretty new to PHP and security so any help or thoughts would be appreciated.

Cheers

Last edited by:

Unquick: Jun 29, 2003, 1:59 PM
Re: [Unquick] Hiding direct paths, can it be done? In reply to
Hi,

That really isn't that secure though, as someone can see the file URL after they are redirected, and could post it somewhere. To be really secure you should store your file outside of the document root, then in php authenticate the user, and then print a content type header, open the file, and then print the file. This way there is no way to get at the file except through the php script.

If you use .htaccess, then the user would need to enter another user/pass in order to get the file.

Cheers,

Alex
--
Gossamer Threads Inc.
Re: [Alex] Hiding direct paths, can it be done? In reply to
In Reply To:
If you use .htaccess, then the user would need to enter another user/pass in order to get the file.


this is what is in the file 'test.php' (http://www.trilliandesigns.com/test.php):
<?php
header("Location: http://www.trilliandesigns.com/files/winamp123.exe");
?>

Notice where the file is located: /files/... which is protected by .htaccess
http://trilliandesigns.com/files/


Try it. Could it be my server settings? I'm not being asked for user/pass when I access it through test.php, probably because it's server side?

Last edited by:

Unquick: Jun 29, 2003, 3:02 PM
Re: [Unquick] Hiding direct paths, can it be done? In reply to
Never mind, I'm a retard, the user/pass was getting cached =)
I'll try the open/print thing =)

It's one of those days!!! Crazy

Last edited by:

Unquick: Jun 29, 2003, 3:03 PM
Re: Hiding direct paths, can it be done? In reply to
Ok, here is what I've come up with. Have a look at the problem that I am having. If you go to this URL and download the file and once it is finished refresh the PHP script you get this error:

Warning: fread(): supplied argument is not a valid stream resource in /home/trillia/public_html/temp_files/test.php on line 28

Warning: feof(): supplied argument is not a valid stream resource in /home/trillia/public_html/temp_files/test.php on line 27

Code:
<?php
$filename = $file;
if (file_exists("/home/trillia/public_html/temp_files/files/$filename")) {
    $contentType = '';
    $fp = popen("-bin /home/trillia/public_html/temp_files/files/$filename", 'r');
    if (!$fp) $contentType = 'application/octet-stream';
    else {
        while ($string = fgets($fp, 1024)) $contentType .= $string;
        pclose($fp);
    }
    if (strpos($HTTP_SERVER_VARS['HTTP_USER_AGENT'], 'MSIE')) {
        // IE cannot download from sessions without a cache
        header('Cache-Control: private');
    } else {
        header("Cache-Control: no-store, no-cache, must-revalidate");
    }
    header("Content-type: $contentType");
    header("Content-length:".(string)(filesize("/home/trillia/public_html/temp_files/files/$filename")));
    header("Content-Disposition: attachment; filename=$file");
    $fd = fopen($filename, 'rb');
    while (!feof($fd)) {
        print fread($fd, 4096);
    }
    fclose($fd);
} else {
    print "File Not Found";
}
?>


And this is the URL: http://www.trilliandesigns.com/...php?file=winamp3.exe

Let me know if you can figure this one out. I was thinking that the file isn't closing properly, but I don't know.

Re: [Unquick] Hiding direct paths, can it be done? In reply to
You really shouldn't trust input from the web like that, especially when it deals with files. Someone could easily pass in file=../../../../../../../../../etc/passwd to download the passwd file on your server.

Adrian
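
Added example (not posted by anyone in this thread): a download script combining Alex's advice (authenticate in PHP, keep the files outside the document root, print the headers and then the file) with Adrian's warning about file=../../... input. STORAGE_DIR, the 'user_id' session key and /login.php are assumed names.

```php
<?php
// Added example, not code from the thread. STORAGE_DIR, the 'user_id'
// session key and the login URL are assumptions for illustration.
declare(strict_types=1);

const STORAGE_DIR = '/srv/private_downloads'; // hypothetical; outside the document root

// Map a user-supplied name to a real file inside $baseDir, or null.
function resolveDownload(string $baseDir, string $requested): ?string
{
    if (strpos($requested, "\0") !== false) {
        return null;                         // reject embedded NUL bytes
    }
    // basename() drops directory components such as "../../etc/".
    $name = basename($requested);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    // realpath() follows symlinks, so check containment on the result.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($path)) {
        return null;
    }
    return $path;
}

session_start();
if (empty($_SESSION['user_id'])) {           // assumed to be set by the login page
    header('Location: /login.php');          // hypothetical login URL
    exit;
}

$req  = $_GET['file'] ?? '';
$path = is_string($req) ? resolveDownload(STORAGE_DIR, $req) : null;
if ($path === null) {
    http_response_code(404);
    exit('File Not Found');
}

header('Content-Type: application/octet-stream');
header('Content-Length: ' . filesize($path));
// Quote the name and replace characters that could break the header.
header('Content-Disposition: attachment; filename="'
    . preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path)) . '"');
header('X-Content-Type-Options: nosniff');
readfile($path);
```

The same resolved $path is used for the existence check, the length header and the read, so the script never opens a name different from the one it validated.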