Zubrag.com :: Forum

zubrag.com => Smart File Download => Topic started by: zubragbillone on May 18, 2007, 03:05:30 AM



Title: Combining two scripts to password_protect files
Post by: zubragbillone on May 18, 2007, 03:05:30 AM
Thanks a lot for your scripts. I'm a total newbie,  but it only took 5 minutes for me to get them work.

As a sign of gratitude,  I'd like to share with you and the community an experiment I just run.

I had noticed that,  using Smart file download,  once you download a file (a pdf,  in my case) you can retrieve the url  http://whatever.whatever.xxx/download.php?f=filename.pdf and that, typing this url in the address bar,  you can download the file even without entering the site.  (In my case,  I link to that file from a password_protected page,  that requires log-in.  However,  once you know the above path for the filename.pdf,  I could download the file from anywhere).

So,  what I did was to add the line:
<?php include("/whatever/whatever/password_protect.php"); ?>
that one uses to password protect a page at the top of the download.php file.

Now,  if I try to type http://whatever.whatever.xxx/download.php?f=filename.pdf  without having logged-in before,  I am asked for my username and password.

For me, this is a way of password-protecting files which I find very convenient for my purposes.

As I said before,  I'm a newbie,  so do not trust me.  It is working perfectly for now,  but I do not why - which should induce other readers to be very cautious.

In any case,  thanks a lot,  and keep up the good work!

Giuseppe


Title: Password protect download
Post by: zubrag on May 18, 2007, 05:44:46 AM
Hi Giuseppe.

Great tip! I'm sure a lot of people will find your tip very helpful.  Thank you for sharing!


Title: Re: Combining two scripts to password_protect files
Post by: altoyes on January 26, 2008, 12:34:14 AM
thankyou guisseppe

i have used password protect directory in cpanel before, so i understand how that works.

in this instance, how does password protecting the page work?
does that mean that all people who wanted to access the download page all need to have been given the username and password?

alto


Title: Re: Combining two scripts to password_protect files
Post by: zubragbillone on January 28, 2008, 09:48:49 AM
Hi alto,

The page is protected in the usual way by the password protector script.  What you get by combining the two scripts (i.e.,  adding that line at the top of the download script) is protection of the FILE.
That is,  if you know the url/name of the file and type it without having accessed the site before,  in order to proceed with the download you will be asked for your username and password.
(If you do not combine the scripts,  and you know the file name/url, you can download the file without entering the protected page - in other words,  downloads are unprotected.  Try!)
Hope it helps!   


Title: Re: Combining two scripts to password_protect files
Post by: Marsha on March 23, 2008, 05:00:53 PM
Hello all...

I am a total newbie, so I hope someone can help me or direct me to a script that will meet our purpose.

I am a volunteer webmaster for a non-profit organization and I am trying to convince the club to give the "option" of downloading its monthly Newsletter electronically to save printing & mailing costs and use the savings to prevent future dues increases. The question arises, how to control downloads only to members and only a one time download each month. 
 
Do you know of a script or have a suggestion for a script that will query a membership database (MS Access?) and if the member is found by Membership Number, Zip Code and Password (perhaps different variables), allow them ONE download of the file (Newsletter) monthly and mark their record accordingly to prevent duplicate downloads. Then monthly, when a new Newsletter is added (previous month removed), reset all of the download indicators for each member in the data base back to null.  The script would need to be able to add and delete members.
 
Any suggestions would be very much appreciated.

Marsha


Title: Re: Combining two scripts to password_protect files
Post by: fotog1958 on December 09, 2008, 03:13:28 PM
I'm interested in your post and am trying to understand where exactly you add the password protection scription to the file to be downloaded.

You say:

"So,  what I did was to add the line:
<?php include("/whatever/whatever/password_protect.php"); ?>
that one uses to password protect a page at the top of the download.php file."

I don't quite follow this.  How do I add this line to the file?  The file is all bundled up sitting on the server with a specific address.  How do I get in and make the file have the first line be the password protection script?  Is there a line editor for that or is this something I set up on the server?


Title: Re: Combining two scripts to password_protect files
Post by: zzzzz on May 19, 2009, 09:31:15 AM
This was a gret tip,  perfect for what I was looking for!
Thanks!!!!!!!!!!!


Title: Re: Combining two scripts to password_protect files
Post by: auston336 on April 30, 2010, 04:00:13 AM
This being a student productivity blog, I think I should set a good example by halting my writing during exams. As much as I would love to spend extra time writing, studying is higher priority. Regular posting will resume on June 12th, after exams. For now, I leave you with this post.


Title: Re: Combining two scripts to password_protect files
Post by: 1ststop on May 03, 2010, 12:00:22 PM
This 'problem' is not actually an issue at all if you enter the correct settings in download.php.

There is a setting for allowed referrer. If this is left blank then you are able to access the file by entering the URL of the file. What you need to do to avoid it (and therefore not require the addition of the external protection script) is enter your domain as the 'allowed' referrer. Then the file can only be accessed via a direct link from a page on the 'allowed referrer's' pages.

Zubrag's scripts are all extremely well thought out and all work as he says they do. The biggest 'problem' is that the users don't read his basic instructions that he includes within all the code.
It seems to me that many users provide solutions to problems that don't exist! Just take some time to read Zubrag's notes within his code and you'll have a solution BEFORE you find a so-called problem.


Title: Re: Combining two scripts to password_protect files
Post by: zubragbillone on June 10, 2010, 09:25:27 AM
This 'problem' is not actually an issue at all if you enter the correct settings in download.php.

There is a setting for allowed referrer. If this is left blank then you are able to access the file by entering the URL of the file. What you need to do to avoid it (and therefore not require the addition of the external protection script) is enter your domain as the 'allowed' referrer. Then the file can only be accessed via a direct link from a page on the 'allowed referrer's' pages.

Zubrag's scripts are all extremely well thought out and all work as he says they do. The biggest 'problem' is that the users don't read his basic instructions that he includes within all the code.
It seems to me that many users provide solutions to problems that don't exist! Just take some time to read Zubrag's notes within his code and you'll have a solution BEFORE you find a so-called problem.

At the time I opened this thread, in the smartdownload file  there was no setting for allowed referrer.   Maybe it was introduced,  and a new version of the downloader put forward,  exactly in reponse to it.
Next time,  rather than treating other people like stupid who cannot even read instructions,  think twice before opening your mouth - and I'm saying this since I take for granted you cannot thank people who try to contribute to the community,  like Zubrag did a long time ago in post#2.


Title: Re: Combining two scripts to password_protect files
Post by: zubrag on June 11, 2010, 01:33:14 AM
I'd say it is much easier to setup protection using "allowed referrer" feature in download script than use a combination of downloader/password protector proposed by zubragbillone. BUT "allowed referrer" is less secure - referrer can be spoofed while downloader/password protect combination will not allow to download without providing correct password.  So protection approach depends on how sensitive info is, and how "advanced" your target audience is.


Title: Re: Combining two scripts to password_protect files
Post by: ef on September 20, 2010, 08:47:43 AM
Sorry to sound so ignorant - but how do I do this?
"I'd say it is much easier to setup protection using "allowed referrer" feature in download script"

I have several pdf files available on my site that I'd like this for (info isn't too sensitive). BTW, thanks for the password protect script!


Title: Re: Combining two scripts to password_protect files
Post by: zubrag on September 20, 2010, 09:30:51 AM
http://www.zubrag.com/scripts/download.php has following option
define('ALLOWED_REFERRER', '');

if not empty then download.php will check if browser referrer string contains that value. For exam[le if your site is www.example.com and you set define('ALLOWED_REFERRER', 'example.com'); script will make sure download initiated from example.com


Title: Re: Combining two scripts to password_protect files
Post by: Peter_hauritz on October 14, 2010, 11:54:57 PM
Great tip! I'm sure a lot of people will find your tip very helpful.  Thank you for sharing!


Title: Re: Combining two scripts to password_protect files
Post by: alfalambda on March 28, 2011, 12:26:56 PM
I'm definitely a newcomer; so, sorry for my naiveness.
Yes, with http://whatever.whatever.xxx/download.php?f=filename.pdf I'm asked for usn/pwd
But, with http://whatever.whatever.xxx/filename.pdf  I plainly get the filename.pdf

How to avoid this?

Thanks

alfalambda


Title: Re: Combining two scripts to password_protect files
Post by: zubrag on March 29, 2011, 12:28:32 AM
The idea is your direct (plain) file path should be unknown and you shouldn't expose it to the world. You only expose your "Yes" link.

If you'd like to avoid direct file access, you'll have to use url rewriting (if your server has mod_rewrite module loaded). Either add url rewrite rule for all your files , or place them in one folder and add one rule for all. I'm not good at rewriting rules, but rule will have to map urls of this structure http://example.com/some/folder/filename.ext to http://example.com/path/to/download.php?f=filename.ext


Title: Re: Combining two scripts to password_protect files
Post by: zubragbillone on March 27, 2012, 04:46:30 AM
I'm definitely a newcomer; so, sorry for my naiveness.
Yes, with http://whatever.whatever.xxx/download.php?f=filename.pdf I'm asked for usn/pwd
But, with http://whatever.whatever.xxx/filename.pdf  I plainly get the filename.pdf

How to avoid this?

Thanks

alfalambda

Well,  I don't - if I do not log in to the site,  I get "404 Error File Not Found"