Web Hosting Talk







Download Delivery Managers or Force Download scripts?


LMS MIS
01-10-2003, 01:34 AM
I'm about ready to pull my hair out! This is the 3rd time one of my websites has been hacked due to pissed off usability. We host videos on one site and to ensure users actually download the videos as opposed to streaming them we had implemented some php scripting that forced users to download. Needless to say, an angry group of juvi-hackers who did not like being forced into a download got mad and have found ways to corrupt the script and/or disable php so they could see the actual file links and distribute them freely for streaming. I would like to deploy a type of "download delivery application" similar to Kontiki used on http://www.Cnet.com or the one used at http://www.Quicktime.com that will ensure files hidden to a web browser are actually downloaded as opposed to streaming. We have gone the route of the .zip file to force a download but at times, these can become corrupt when you have over 10,000 users downloading the same .zip at the same time. The only good way to do it is to keep the file in its original .mpg format. The only way I know of that is published on the net is with an OCTET stream script in PHP or ASP. This no longer works (or works for a while). I am running on a Linux Redhat 7.3 server with Ensim 3.1. Any suggestions besides using http://www.Kontiki.com download delivery? Their sales people haven't gotten back to me and I fear their product will only run on Windows platforms. I'm sure the product will cost a pretty penny. Anyone here heard of anything like this that is Free? Like BitTorrent (but without all the added P2P stuff.) We simply want to get our content (MPEG video) to our users' desktops. Simple Downloads.

The Prohacker
01-10-2003, 01:40 AM
You should prolly keep the files below the document root, and use the PHP script to open the file, and read the contents, then force the download prompt and echo the file contents then..

That way if the script would be compromised it's impossible to link to the files since they aren't technically being served by the web server..

dreamrae.com
01-10-2003, 01:56 AM
hrm

LMS MIS
01-10-2003, 01:59 AM
Originally posted by The Prohacker
You should prolly keep the files below the document root, and use the PHP script to open the file, and read the contents, then force the download prompt and echo the file contents then..

That way if the script would be compromised it's impossible to link to the files since they aren't technically being served by the web server..

That is exactly what was done. The problem is not with linking to the files. The problem is users want to be able to use "download accelerators" and "Get Right" software applications to download or actually ensure their download happens. That is not possible with a PHP download script as it pulls a .php file when they enter a link into it. Since this PHP solution is not reliable for huge files ~30-40MB, I need to find a solution that forces a download while at the same time, is resumable and dialup user friendly. There are a specific group of hackers who, since we have switched formats from straight links (streaming/downloading) have repeatedly found ways to attack the server with either horrid mail-spam raids over forged IP addresses mentioning their anger about PHP or any new exploits that are out there. I understand their frustrations. I was a dialup user once and remember how horrible it was downloading a video for 6 hours only to have your connection drop midway and lose the whole thing. I want to somehow please these users (which are a bulk majority) and at the same time FORCE them to download the files they are trying to get.

xerocity.com
01-10-2003, 03:19 AM
Why don't you want your users to be able to view the file as it's downloading? Why do they have to download the file?

LMS MIS
01-10-2003, 10:22 PM
Originally posted by xerocity.com
Why don't you want your users to be able to view the file as it's downloading? Why do they have to download the file?

That's not really the issue. It's bandwidth usage and server strain. Users on high speed connections when encountered with an open file link for an MPEG like these will watch them (from the server) and then after their temporary internet files get deleted, watch it again (downloading the stream a second time, or a third time, or a 20th time!)

We used to do it that way and found it wastes much less bandwidth when users download the files instead of viewing them from your website repeatedly.

MarkIL
01-12-2003, 05:07 AM
Actually, as far as I can tell -- download managers use the Range header when they request files to be resumed.

The PHP script, ideally, should only contain a Content-type header(), a Content-length header() call and a call to readfile().

As far as my testing sessions showed, that method appears to work. Apache/2.0.43 with PHP from CVS.

An example can be found at http://me.mark.org.il/misc/resume.txt

LMS MIS
01-12-2003, 01:33 PM
Originally posted by MarkIL
Actually, as far as I can tell -- download managers use the Range header when they request files to be resumed.

The PHP script, ideally, should only contain a Content-type header(), a Content-length header() call and a call to readfile().

As far as my testing sessions showed, that method appears to work. Apache/2.0.43 with PHP from CVS.

An example can be found at http://me.mark.org.il/misc/resume.txt


What we are looking for is going more in the non-scripting direction.

Has anyone encountered a product out there that can be installed on the server and then used by the users as a "resumable download tunnel"?

Or is there a way NOT using php, to not allow streaming/opening of a file until it's downloaded or delivered to their computer?

Maybe some way to force them to use a download manager like Get-it Right.

MarkIL
01-12-2003, 01:50 PM
Originally posted by LMS MIS


[...]
That is not possible with a PHP download script as it pulls a .php file when they enter a link into it.
[...]
I need to find a solution that forces a download while at the same time, is resumable and dialup user friendly.



My example fits all of the above requirements -- what makes you think that it's not?

The Prohacker
01-12-2003, 02:05 PM
Mark...

Your example is nice, but just in case someone might use it, you should prolly put some checking in there to make sure they won't try to go up the file directories...

dl.php?../config.php

Could cause a few problems :D

MarkIL
01-12-2003, 02:16 PM
Originally posted by The Prohacker
Mark...

Your example is nice, but just in case someone might use it, you should prolly put some checking in there to make sure they won't try to go up the file directories...

dl.php?../config.php

Could cause a few problems :D

That's just a demonstration - /local isn't accessible from the outside.

The Prohacker
01-12-2003, 02:39 PM
I know.. But someone might just use your code in a production environment :D

MarkIL
01-12-2003, 03:11 PM
Then they deserve whatever they get -- using code from a random forum on your mission-critical server isn't a Good Idea(tm).

LMS MIS
01-12-2003, 09:25 PM
Originally posted by MarkIL
Then they deserve whatever they get -- using code from a random forum on your mission-critical server isn't a Good Idea(tm).

hehe

Rich2k
01-13-2003, 05:30 AM
To force a download box you should use the content disposition header.


We had a big discussion about this a while back

http://www.webhostingtalk.com/showthread.php?s=&threadid=70867

The code I included in this discussion is in PHP, but I do also have a VBScript ASP version.
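
The pieces discussed in this thread put together (files kept outside the document root, a check against `../` in the requested name, Range support so download managers can resume, and a Content-Disposition header), as an added example that is not code from any poster or from the linked resume.txt. The `/var/media` storage directory and the `file` query parameter are assumptions.

```php
<?php
// Added example, not code from the thread. Assumptions: /var/media is a
// storage directory outside the document root; "file" is the query parameter.

// Map a requested name to a real file inside $baseDir, or null if it escapes.
function resolve_download(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name);   // resolves ../ and symlinks
    if ($base === false || $path === false || !is_file($path) || !is_readable($path)) {
        return null;
    }
    // The resolved path must still sit under the storage directory.
    return strncmp($path, $base . '/', strlen($base) + 1) === 0 ? $path : null;
}

// Parse "bytes=start-" or "bytes=start-end" (the resume forms) into
// [start, end]; anything else returns null and the whole file is sent.
function parse_range(string $header, int $size): ?array
{
    if (!preg_match('/^bytes=(\d+)-(\d*)$/', trim($header), $m)) {
        return null;
    }
    $start = (int) $m[1];
    $end = $m[2] === '' ? $size - 1 : min((int) $m[2], $size - 1);
    return $start > $end ? null : [$start, $end];
}

$path = resolve_download('/var/media', (string) ($_GET['file'] ?? ''));
if ($path === null) {
    http_response_code(404);
    exit;
}
$size = filesize($path);
$range = parse_range($_SERVER['HTTP_RANGE'] ?? '', $size);
[$start, $end] = $range ?? [0, $size - 1];
http_response_code($range ? 206 : 200);
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . addcslashes(basename($path), '"\\') . '"');
header('Accept-Ranges: bytes');
header('Content-Length: ' . ($end - $start + 1));
if ($range) header("Content-Range: bytes $start-$end/$size");
$fh = fopen($path, 'rb');
fseek($fh, $start);
$left = $end - $start + 1;
while ($left > 0 && strlen($chunk = (string) fread($fh, min(8192, $left))) > 0) {
    echo $chunk;
    $left -= strlen($chunk);
}
```

A request such as `dl.php?file=../config.php` resolves to a path outside the storage directory, so `resolve_download()` returns null and the script answers 404 without opening anything.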