Combining two scripts to password_protect files

[zubragbillone]

Thanks a lot for your scripts. I'm a total newbie,  but it only took 5 minutes for me to get them work.

As a sign of gratitude,  I'd like to share with you and the community an experiment I just run.

I had noticed that,  using Smart file download,  once you download a file (a pdf,  in my case) you can retrieve the url  http://whatever.whatever.xxx/download.php?f=filename.pdf and that, typing this url in the address bar,  you can download the file even without entering the site.  (In my case,  I link to that file from a password_protected page,  that requires log-in.  However,  once you know the above path for the filename.pdf,  I could download the file from anywhere).

So,  what I did was to add the line:
<?php include("/whatever/whatever/password_protect.php"); ?>
that one uses to password protect a page at the top of the download.php file.

Now,  if I try to type http://whatever.whatever.xxx/download.php?f=filename.pdf  without having logged-in before,  I am asked for my username and password.

For me, this is a way of password-protecting files which I find very convenient for my purposes.

As I said before,  I'm a newbie,  so do not trust me.  It is working perfectly for now,  but I do not why - which should induce other readers to be very cautious.

In any case,  thanks a lot,  and keep up the good work!

Giuseppe

[zubrag]

Hi Giuseppe.

Great tip! I'm sure a lot of people will find your tip very helpful.  Thank you for sharing!

[altoyes]

thankyou guisseppe

i have used password protect directory in cpanel before, so i understand how that works.

in this instance, how does password protecting the page work?
does that mean that all people who wanted to access the download page all need to have been given the username and password?

alto

[zubragbillone]

Hi alto,

The page is protected in the usual way by the password protector script.  What you get by combining the two scripts (i.e.,  adding that line at the top of the download script) is protection of the FILE.
That is,  if you know the url/name of the file and type it without having accessed the site before,  in order to proceed with the download you will be asked for your username and password.
(If you do not combine the scripts,  and you know the file name/url, you can download the file without entering the protected page - in other words,  downloads are unprotected.  Try!)
Hope it helps!   

[Marsha]

Hello all...

I am a total newbie, so I hope someone can help me or direct me to a script that will meet our purpose.

I am a volunteer webmaster for a non-profit organization and I am trying to convince the club to give the "option" of downloading its monthly Newsletter electronically to save printing & mailing costs and use the savings to prevent future dues increases. The question arises, how to control downloads only to members and only a one time download each month. 
 
Do you know of a script or have a suggestion for a script that will query a membership database (MS Access?) and if the member is found by Membership Number, Zip Code and Password (perhaps different variables), allow them ONE download of the file (Newsletter) monthly and mark their record accordingly to prevent duplicate downloads. Then monthly, when a new Newsletter is added (previous month removed), reset all of the download indicators for each member in the data base back to null.  The script would need to be able to add and delete members.
 
Any suggestions would be very much appreciated.

Marsha

[fotog1958]

I'm interested in your post and am trying to understand where exactly you add the password protection scription to the file to be downloaded.

You say:

"So,  what I did was to add the line:
<?php include("/whatever/whatever/password_protect.php"); ?>
that one uses to password protect a page at the top of the download.php file."

I don't quite follow this.  How do I add this line to the file?  The file is all bundled up sitting on the server with a specific address.  How do I get in and make the file have the first line be the password protection script?  Is there a line editor for that or is this something I set up on the server?

[zzzzz]

This was a gret tip,  perfect for what I was looking for!
Thanks!!!!!!!!!!!

[auston336]

This being a student productivity blog, I think I should set a good example by halting my writing during exams. As much as I would love to spend extra time writing, studying is higher priority. Regular posting will resume on June 12th, after exams. For now, I leave you with this post.

[1ststop]

This 'problem' is not actually an issue at all if you enter the correct settings in download.php.

There is a setting for allowed referrer. If this is left blank then you are able to access the file by entering the URL of the file. What you need to do to avoid it (and therefore not require the addition of the external protection script) is enter your domain as the 'allowed' referrer. Then the file can only be accessed via a direct link from a page on the 'allowed referrer's' pages.

Zubrag's scripts are all extremely well thought out and all work as he says they do. The biggest 'problem' is that the users don't read his basic instructions that he includes within all the code.
It seems to me that many users provide solutions to problems that don't exist! Just take some time to read Zubrag's notes within his code and you'll have a solution BEFORE you find a so-called problem.

[zubragbillone]

This 'problem' is not actually an issue at all if you enter the correct settings in download.php.

There is a setting for allowed referrer. If this is left blank then you are able to access the file by entering the URL of the file. What you need to do to avoid it (and therefore not require the addition of the external protection script) is enter your domain as the 'allowed' referrer. Then the file can only be accessed via a direct link from a page on the 'allowed referrer's' pages.

Zubrag's scripts are all extremely well thought out and all work as he says they do. The biggest 'problem' is that the users don't read his basic instructions that he includes within all the code.
It seems to me that many users provide solutions to problems that don't exist! Just take some time to read Zubrag's notes within his code and you'll have a solution BEFORE you find a so-called problem.

At the time I opened this thread, in the smartdownload file  there was no setting for allowed referrer.   Maybe it was introduced,  and a new version of the downloader put forward,  exactly in reponse to it.
Next time,  rather than treating other people like stupid who cannot even read instructions,  think twice before opening your mouth - and I'm saying this since I take for granted you cannot thank people who try to contribute to the community,  like Zubrag did a long time ago in post#2.

[zubrag]

I'd say it is much easier to setup protection using "allowed referrer" feature in download script than use a combination of downloader/password protector proposed by zubragbillone. BUT "allowed referrer" is less secure - referrer can be spoofed while downloader/password protect combination will not allow to download without providing correct password.  So protection approach depends on how sensitive info is, and how "advanced" your target audience is.

[ef]

Sorry to sound so ignorant - but how do I do this?
"I'd say it is much easier to setup protection using "allowed referrer" feature in download script"

I have several pdf files available on my site that I'd like this for (info isn't too sensitive). BTW, thanks for the password protect script!

[zubrag]

http://www.zubrag.com/scripts/download.php has following option
define('ALLOWED_REFERRER', '');

if not empty then download.php will check if browser referrer string contains that value. For exam[le if your site is www.example.com and you set define('ALLOWED_REFERRER', 'example.com'); script will make sure download initiated from example.com

[Peter_hauritz]

Great tip! I'm sure a lot of people will find your tip very helpful.  Thank you for sharing!