Zubrag.com
August 21, 2017, 09:46:40 AM *
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
 
   Home   Help Search Login Register  
Pages: [1] 2
  Print  
Author Topic: Combining two scripts to password_protect files  (Read 65887 times)
zubragbillone
Newbie
*
Posts: 9


« on: May 18, 2007, 03:05:30 AM »

Thanks a lot for your scripts. I'm a total newbie,  but it only took 5 minutes for me to get them work.

As a sign of gratitude,  I'd like to share with you and the community an experiment I just run.

I had noticed that,  using Smart file download,  once you download a file (a pdf,  in my case) you can retrieve the url  http://whatever.whatever.xxx/download.php?f=filename.pdf and that, typing this url in the address bar,  you can download the file even without entering the site.  (In my case,  I link to that file from a password_protected page,  that requires log-in.  However,  once you know the above path for the filename.pdf,  I could download the file from anywhere).

So,  what I did was to add the line:
<?php include("/whatever/whatever/password_protect.php"); ?>
that one uses to password protect a page at the top of the download.php file.

Now,  if I try to type http://whatever.whatever.xxx/download.php?f=filename.pdf  without having logged-in before,  I am asked for my username and password.

For me, this is a way of password-protecting files which I find very convenient for my purposes.

As I said before,  I'm a newbie,  so do not trust me.  It is working perfectly for now,  but I do not why - which should induce other readers to be very cautious.

In any case,  thanks a lot,  and keep up the good work!

Giuseppe

Logged
zubrag
Administrator
Hero Member
*****
Posts: 785


WWW
« Reply #1 on: May 18, 2007, 05:44:46 AM »

Hi Giuseppe.

Great tip! I'm sure a lot of people will find your tip very helpful.  Thank you for sharing!
Logged
altoyes
Newbie
*
Posts: 4


« Reply #2 on: January 26, 2008, 12:34:14 AM »

thankyou guisseppe

i have used password protect directory in cpanel before, so i understand how that works.

in this instance, how does password protecting the page work?
does that mean that all people who wanted to access the download page all need to have been given the username and password?

alto
Logged
zubragbillone
Newbie
*
Posts: 9


« Reply #3 on: January 28, 2008, 09:48:49 AM »

Hi alto,

The page is protected in the usual way by the password protector script.  What you get by combining the two scripts (i.e.,  adding that line at the top of the download script) is protection of the FILE.
That is,  if you know the url/name of the file and type it without having accessed the site before,  in order to proceed with the download you will be asked for your username and password.
(If you do not combine the scripts,  and you know the file name/url, you can download the file without entering the protected page - in other words,  downloads are unprotected.  Try!)
Hope it helps!   
Logged
Marsha
Newbie
*
Posts: 1


« Reply #4 on: March 23, 2008, 05:00:53 PM »

Hello all...

I am a total newbie, so I hope someone can help me or direct me to a script that will meet our purpose.

I am a volunteer webmaster for a non-profit organization and I am trying to convince the club to give the "option" of downloading its monthly Newsletter electronically to save printing & mailing costs and use the savings to prevent future dues increases. The question arises, how to control downloads only to members and only a one time download each month. 
 
Do you know of a script or have a suggestion for a script that will query a membership database (MS Access?) and if the member is found by Membership Number, Zip Code and Password (perhaps different variables), allow them ONE download of the file (Newsletter) monthly and mark their record accordingly to prevent duplicate downloads. Then monthly, when a new Newsletter is added (previous month removed), reset all of the download indicators for each member in the data base back to null.  The script would need to be able to add and delete members.
 
Any suggestions would be very much appreciated.

Marsha
Logged
fotog1958
Newbie
*
Posts: 1


« Reply #5 on: December 09, 2008, 03:13:28 PM »

I'm interested in your post and am trying to understand where exactly you add the password protection scription to the file to be downloaded.

You say:

"So,  what I did was to add the line:
<?php include("/whatever/whatever/password_protect.php"); ?>
that one uses to password protect a page at the top of the download.php file."

I don't quite follow this.  How do I add this line to the file?  The file is all bundled up sitting on the server with a specific address.  How do I get in and make the file have the first line be the password protection script?  Is there a line editor for that or is this something I set up on the server?
Logged
zzzzz
Newbie
*
Posts: 1


« Reply #6 on: May 19, 2009, 09:31:15 AM »

This was a gret tip,  perfect for what I was looking for!
Thanks!!!!!!!!!!!
Logged
auston336
Newbie
*
Posts: 1


« Reply #7 on: April 30, 2010, 04:00:13 AM »

This being a student productivity blog, I think I should set a good example by halting my writing during exams. As much as I would love to spend extra time writing, studying is higher priority. Regular posting will resume on June 12th, after exams. For now, I leave you with this post.
Logged

heidy
1ststop
Newbie
*
Posts: 30


« Reply #8 on: May 03, 2010, 12:00:22 PM »

This 'problem' is not actually an issue at all if you enter the correct settings in download.php.

There is a setting for allowed referrer. If this is left blank then you are able to access the file by entering the URL of the file. What you need to do to avoid it (and therefore not require the addition of the external protection script) is enter your domain as the 'allowed' referrer. Then the file can only be accessed via a direct link from a page on the 'allowed referrer's' pages.

Zubrag's scripts are all extremely well thought out and all work as he says they do. The biggest 'problem' is that the users don't read his basic instructions that he includes within all the code.
It seems to me that many users provide solutions to problems that don't exist! Just take some time to read Zubrag's notes within his code and you'll have a solution BEFORE you find a so-called problem.
Logged
zubragbillone
Newbie
*
Posts: 9


« Reply #9 on: June 10, 2010, 09:25:27 AM »

This 'problem' is not actually an issue at all if you enter the correct settings in download.php.

There is a setting for allowed referrer. If this is left blank then you are able to access the file by entering the URL of the file. What you need to do to avoid it (and therefore not require the addition of the external protection script) is enter your domain as the 'allowed' referrer. Then the file can only be accessed via a direct link from a page on the 'allowed referrer's' pages.

Zubrag's scripts are all extremely well thought out and all work as he says they do. The biggest 'problem' is that the users don't read his basic instructions that he includes within all the code.
It seems to me that many users provide solutions to problems that don't exist! Just take some time to read Zubrag's notes within his code and you'll have a solution BEFORE you find a so-called problem.

At the time I opened this thread, in the smartdownload file  there was no setting for allowed referrer.   Maybe it was introduced,  and a new version of the downloader put forward,  exactly in reponse to it.
Next time,  rather than treating other people like stupid who cannot even read instructions,  think twice before opening your mouth - and I'm saying this since I take for granted you cannot thank people who try to contribute to the community,  like Zubrag did a long time ago in post#2.
Logged
zubrag
Administrator
Hero Member
*****
Posts: 785


WWW
« Reply #10 on: June 11, 2010, 01:33:14 AM »

I'd say it is much easier to setup protection using "allowed referrer" feature in download script than use a combination of downloader/password protector proposed by zubragbillone. BUT "allowed referrer" is less secure - referrer can be spoofed while downloader/password protect combination will not allow to download without providing correct password.  So protection approach depends on how sensitive info is, and how "advanced" your target audience is.
Logged
ef
Newbie
*
Posts: 1


« Reply #11 on: September 20, 2010, 08:47:43 AM »

Sorry to sound so ignorant - but how do I do this?
"I'd say it is much easier to setup protection using "allowed referrer" feature in download script"

I have several pdf files available on my site that I'd like this for (info isn't too sensitive). BTW, thanks for the password protect script!
Logged
zubrag
Administrator
Hero Member
*****
Posts: 785


WWW
« Reply #12 on: September 20, 2010, 09:30:51 AM »

http://www.zubrag.com/scripts/download.php has following option
define('ALLOWED_REFERRER', '');

if not empty then download.php will check if browser referrer string contains that value. For exam[le if your site is www.example.com and you set define('ALLOWED_REFERRER', 'example.com'); script will make sure download initiated from example.com
Logged
Peter_hauritz
Newbie
*
Posts: 3


« Reply #13 on: October 14, 2010, 11:54:57 PM »

Great tip! I'm sure a lot of people will find your tip very helpful.  Thank you for sharing!
Logged
Pages: [1] 2
  Print  
 
Jump to:  

Powered by SMF 1.1.11 | SMF © 2006-2009, Simple Machines LLC