file protection

Hi!
Can anyone tell me a way to protect files from being downloaded from other
sites using PHP?



Re: file protection


Yannick Benoit wrote:


Don't put the files in the document root of your webserver, use readfile()
or a similar function to provide the file, and check the HTTP referrer.

--
Iván Sánchez Ortega -i-punto-sanchez--arroba-mirame-punto-net

When society is ready, I will try to be different.


Re: file protection

I know I could use login and check http_referers.
But when the person gets to download the file then he
has the direct link to the file so later he doesn't have to
login anymore. That is what I want to prevent.
I don't want people to be able to download the file directly
without being authenticated.

Thank you for your help.


Re: file protection

On 12/22/2005 6:21 PM, Yannick Benoit wrote:

Go through a login script the first time and set a cookie with authentication  
info.  The next time the login script is run, check for the cookie first, and,  
if authenticated, skip the login.

This allows a user to save a link to a file (perhaps as ) and load it anytime.  She  
needs to authenticate explicitly the first time only; thereafter the  
authentication is done silently.

Bob Smith --

To reply to me directly, delete "despam".

Re: file protection


So make sure the *ONE* and *ONLY* URL that can be used to retrieve
the file checks whether the person is logged in.


Put the actual file outside the document tree so the web server
will not serve it directly with any URL.  Install in the document
tree a PHP page that checks that the user is logged in, then generates
an appropriate content-type header, then serves the file by calling
fpassthru().  The file can be anything you want: image, executable,
virus, .zip, or whatever, and its being binary won't hurt.

This is the URL you give to a user.  The user can post it on the
Internet if he wants to, or you can let Google index it, but assuming
you properly wrote your login check, nobody can get the file unless
they are logged in.

I recommend the use of PHP sessions for handling logins, but there
are other ways that work also.

                    Gordon L. Burditt

Re: file protection



 Bear in mind that sites don't download files - clients do. Do you really mean
you want to prevent other sites linking to your files?

 You could put the files behind some sort of login system.  

 Checking HTTP_REFERER will no doubt be mentioned, but this is unreliable -
browsers are under no obligation to send the header, or populate it with the
correct value. It might be reliable enough for your needs; I don't know what
the numbers are on how many browsers send real referrer values, at a wild guess
I'd say maybe 75%? To avoid annoying legitimate users, it should accept blank
values for HTTP_REFERER, and only reject values that don't match your site, if
you choose this method.

Andy Hassall :: :: :: disk and FTP usage analysis tool

Re: file protection

Yannick Benoit wrote:

You may want to take a peep at


Or even readfile @

Put the files outside the web directory, validate the access and serve
the files (or not) with readfile().

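session_start(); // $_SESSION is only populated after this call
$done = false;
if (!empty($_SESSION['ok_to_download'])) {
  // convert_id_to_filename() maps a numeric id to a path outside the web directory
  $filename = convert_id_to_filename((int)($_GET['id'] ?? 0));
  if (($filename !== false) && (file_exists($filename)) && (is_readable($filename))) {
    // send headers
    // readfile($filename);
    $done = true;
  }
}
if (!$done) {
  // not authorized, or no such file: send a plain-text refusal
  header('Content-Type: text/plain');
  echo 'You can\'t do that now.';
}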
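
The approach the replies above converge on (files outside the document root, one PHP URL that checks the session, then readfile()), written out as a complete script. This is an added example, not code from any poster in the thread; the storage path, the id-to-file map and the `user_id` session key are assumptions.

```php
<?php
// download.php: the one and only URL that serves protected files (added example).
declare(strict_types=1);

// Assumption: a storage directory outside the document root.
const STORAGE_DIR = '/srv/private_files';
// Assumption: hypothetical id-to-file map; a database lookup would do the same job.
const FILES = [
    1 => ['name' => 'report.pdf',  'type' => 'application/pdf'],
    2 => ['name' => 'archive.zip', 'type' => 'application/zip'],
];

function deny(int $status, string $message): void
{
    http_response_code($status);
    header('Content-Type: text/plain');
    echo $message;
    exit;
}

session_start();
// Assumption: the login script sets $_SESSION['user_id'] after authenticating.
if (empty($_SESSION['user_id'])) {
    deny(403, 'Please log in first.');
}
// Release the session lock so a long download does not block the user's other requests.
session_write_close();

// The client supplies only an integer id, never a file name or path.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if (!is_int($id) || !isset(FILES[$id])) {
    deny(404, 'No such file.');
}

// Resolve symlinks and confirm the result is still inside the storage directory.
$base = realpath(STORAGE_DIR);
$path = realpath(STORAGE_DIR . '/' . FILES[$id]['name']);
if ($base === false || $path === false
    || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
    || !is_file($path) || !is_readable($path)) {
    deny(404, 'No such file.');
}

// Header values come from the fixed map above, not from the request.
header('Content-Type: ' . FILES[$id]['type']);
header('Content-Disposition: attachment; filename="' . FILES[$id]['name'] . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($path);
```

A link such as `download.php?id=1` can be bookmarked or posted anywhere; without a logged-in session it returns 403 and never touches the file.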
