I am working on a small script for downloads (not yet functional) and I need to know how I could go about hiding the URL's for downloads in directory X.

Example of what is needed:

http://www.site.com/download.php?id=10

I want to hide the fact that the location is site.com/x/download10.zip so they cannot hotlink the files or download them without the proper permission.

The script will check whether they are a member or not, but hotlinking is still a problem and knowing that I am not the best with PHP, this is a big problem for me at this time.

I would appreciate any help with this, I am not asking anyone to do this form me, a simple tutorial would help to say the least :) (although I am not stopping you from telling me how to do it :)).

Thanks ahead of time,

You might check out here:
http://www.hotscripts.com/PHP/Scripts_and_Programs/File_Manipulation/Download_Systems/

I knew that was coming, in a way :D

I have looked over some and as I said, I am not as good as most coders are with PHP, nor is my coding the neatest, it is basically used for myself and no-one else.

With that said, I would not know what would be covering the URL's within those scripts nor where to start.

I dont know how you can really hide the URL. But setting it to do downloads.php?id=10 is the best way. When they start the download it shouldn't show the full path.

There is a way to hide the final url.

Basically id=10 relates to a file on the server (assuming it's on your server not remotely).

Then open this file and read the contents.

Then echo the header as that file type and then echo the contents.

In essence id=10 actually becomes the file.

Viperhost:

I'm a CF programmer and I can accomplish that in CF, but don't know enough about PHP to give you a straight answer. But here's one possible idea...

What if you have one source copy of the download file in a hidden directory. When the user clicks a download link, you then copy the file to the download area BUT rename the file some some random file name.zip ?

Not a bad idea, I appreciate the advice and suggestions, I will look further in to it and see what I can accomplish. I am not the best with PHP but some people have been willing to place a little time in to this to help me out.

Once again, thanks for the help :).

Rich2k's suggestion is a good one. Here's a general idea of how to do it:
$h = "Content-Disposition: attachment; filename=\"$filename\"";
header($h);
header("Content-Type: $t");
readfile($path);
... where $filename is (you guessed it) the filename, $t is the application type, eg. "video/mpeg" and $path is the path to the file on your server.

Only be warned it does actually put an extra load on your server... albeit not too much.

I wouldn't recommend it to load every jpg in the template of your website for instance... but for downloading a few documents, exe's etc it's great.

As what I tend to do is have exe's or PDFs inside password protected areas and instead of putting the files into a db to protect them I move them out of the document root and then use a PHP script to determine privileges and output the file.

I would suggest just emailing the file to your customer, through a automated emailer.

It would place it in a email, and send it as an attement attached to the email.

Simplist way, by a long run.

Hope this helps!

Agreed, if you really want to hide stuff, email it to them, though many are not too fond of giving out email addresses to download a product, let alone to receive one by email.

You can make it so, that when the customer purchases the e-product, that they are required to enter an email address (Maybe you already have that).

When they click next, it will pass the info on to the file mailer.

Just a suggestion!:D

E-mailing is not a good solution. Many e-mail accounts, or people who use e-mail at work, are faced with a limit on the size of an attachment. One of my clients limits the size of an attachment to 1 MB. Anything more is rejected as too large.

Mailing would not really be an issue, all of the files are below 500k, although for those on slower modems that is still going to take a little bit to get (in some cases, it will freeze up outlook as well, pending that is what they are using). I prefer to use the download method, although I have yet to get anything actually working.

<?php
//
// download.php for ACR File Manager
//

//Connect to DB
include("functions.php");
if (!db_connect())
{
echo "Error: Could not connect to database. Please Contact Admin";
exit;
}
//Find File in DB with ID, check for status so they can't type URL into address bar.
$result = mysql_query("select * from files WHERE id='$id' AND status='0'");
$row = mysql_fetch_array($result);

if(mysql_num_rows($result)==0)
{
echo "Error: Could not find file in database. Please Contact Admin";
exit;
}
//Get URL and add 1 to download count
$file = stripslashes($row['url']);
$downloads = $row['downloads']+1;

//Update download count
$query = "update files set downloads='".$downloads."' where id='".$id."'";
$result = mysql_query($query);

//Direct to file URL for download
header("Location: " . $file );

//Show message incase window dosen't close
echo "You may close this window.";
exit;
?>


The PHP script I use. You will have to change it to fit your needs though.