Acmlm's Board - I2 Archive - Programming - Restricting a folder to prevent leeching
  
Parasyte
Posts: 43/514
Yes. But then people using those browsers will have no trouble leeching from off-site. ;P Unless the script were changed to check if the user's IP address had been to the download page within the last ~5 minutes. Something of that sort would work nicely.

In fact, that's exactly how I had set up DES' "Emulation Forum" when we had user-uploadable files for download. If the user's IP address wasn't in the access log from the last 5 minutes, it would redirect the browser to the post containing the file. It was a very good system, and worked no matter which browser (or referrer settings) the user had.
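The check described in the post above, written out as an added example; it is not the code used on the DES forum or posted in this thread. The Apache common log format, the page path `/downloads/index.html`, the sample addresses and the function name `visitedRecently` are assumptions.

```php
<?php
// Constructed access-log lines in Apache common log format (sample data).
$sampleLog = <<<LOG
203.0.113.7 - - [02/Nov/2005:12:50:10 +0000] "GET /downloads/index.html HTTP/1.1" 200 5120
198.51.100.4 - - [02/Nov/2005:12:40:00 +0000] "GET /downloads/index.html HTTP/1.1" 200 5120
198.51.100.4 - - [02/Nov/2005:12:52:30 +0000] "GET /other.html HTTP/1.1" 200 812
LOG;

/**
 * True when $ip successfully requested $page within the last $window
 * seconds before $now (hypothetical helper, default window 5 minutes).
 */
function visitedRecently(string $log, string $ip, string $page, int $now, int $window = 300): bool
{
    $pattern = '/^(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) [^"]*" (\d{3}) /';
    foreach (explode("\n", $log) as $line) {
        if (!preg_match($pattern, $line, $m)) {
            continue; // skip lines that are not well-formed GET entries
        }
        [, $lineIp, $stamp, $path, $status] = $m;
        if ($lineIp !== $ip || $path !== $page || $status !== '200') {
            continue; // other client, other page, or failed request
        }
        $when = DateTime::createFromFormat('d/M/Y:H:i:s O', $stamp);
        if ($when === false) {
            continue; // unparseable timestamp
        }
        $age = $now - $when->getTimestamp();
        if ($age >= 0 && $age <= $window) {
            return true;
        }
    }
    return false;
}

// Evaluate three constructed clients at 12:53:00 UTC on the sample day.
$now  = gmmktime(12, 53, 0, 11, 2, 2005);
$page = '/downloads/index.html';
foreach (['203.0.113.7', '198.51.100.4', '192.0.2.9'] as $ip) {
    $ok = visitedRecently($sampleLog, $ip, $page, $now);
    echo $ip, ': ', $ok ? "serve file\n" : "redirect to $page\n";
}
```

Clients that share one address (a proxy or NAT gateway) are treated as a single visitor by this check.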
Cellar Dweller
Posts: 64/269
Please treat missing HTTP_REFERERs as matching the list of permitted referring sites. I've had problems with anti-leech scripts when using some browsers.
ErkDog
Posts: 593/982
You can also check the referrer with .htaccess files and Access Denied anything not coming from the 1st site...

which would bounce any direct requests or foreign referrers
Stifu
Posts: 73/304
Yes, thank you!

My 2nd account is down at the moment so I can't try it yet, but I think I understood everything... Should work fine.

Thanks for all of your help, I appreciate it a lot.
Parasyte
Posts: 39/514
Originally posted by Stifu
Both PHP files need to be on the server with the zip files, not on the server with the HTML files, right? Just making sure...


That is correct.

Originally posted by Stifu
Last question, does putting "stifu.free.fr" in the $allowed line also affect subfolders of the stifu.free.fr address? Because the concerned HTML files aren't at the root...


The $allowed line is checking where the browser is coming from -- not where it is.
So if you link to the file from *stifu.free.fr* (where the asterisks represent ANY text) then it will work. Unfortunately, this also means that any site linking to download.php with a directory named "stifu.free.fr" will be able to download files. This can be avoided by using "http://stifu.free.fr/" in the $allowed line. That should be fine for you, since I don't think anyone will be able to use anything like 'www.stifu.free.fr' to access the site, anyway.

As an example, say you have a link on your site (http://stifu.free.fr/downloads/index.html) pointing to "http://www.yoursite.com/download.php?file=filename.zip" ... When the script at yoursite.com checks where the browser came from, it will check for "http://stifu.free.fr/" in the referrer. The referrer would be "http://stifu.free.fr/downloads/index.html" which does contain the $allowed string. If http://www.lamersite.com/ was linking to the script though, the script would not be able to find "http://stifu.free.fr/" in the referrer, so it would give the error message. Makes sense?
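The difference between searching the whole referrer for a substring and comparing only its host, together with the "missing referrer counts as permitted" policy Cellar Dweller asks for, as an added example that is not part of the original posts or of the download script. The function names `refererAllowed` and `substringAllowed` and the sample referrer values are assumptions.

```php
<?php
/**
 * Compares the host of the Referer header against an exact list instead of
 * searching the whole header for a substring (hypothetical helper).
 * $allowMissing decides what happens when the browser sends no referrer;
 * getenv("HTTP_REFERER") returns false in that case.
 */
function refererAllowed($referer, array $allowedHosts, bool $allowMissing): bool
{
    if (!is_string($referer) || $referer === '') {
        return $allowMissing;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host)) {
        return false; // not a parseable absolute URL
    }
    return in_array(strtolower($host), $allowedHosts, true);
}

// The substring test used in the thread's script, kept for comparison.
function substringAllowed($referer, string $needle): bool
{
    return is_string($referer) && strstr($referer, $needle) !== false;
}

$hosts   = ['stifu.free.fr'];
$samples = [ // constructed Referer values
    'http://stifu.free.fr/downloads/index.html',         // the real site
    'http://www.lamersite.com/stifu.free.fr/index.html', // directory named like the site
    'http://www.lamersite.com/',                         // unrelated site
    false,                                               // browser sent no referrer
];
foreach ($samples as $ref) {
    printf("%-52s substring=%s host=%s\n",
        var_export($ref, true),
        var_export(substringAllowed($ref, 'stifu.free.fr'), true),
        var_export(refererAllowed($ref, $hosts, true), true));
}
```

The second sample passes the substring test but fails the host comparison. The header is supplied by the client, so either check deters casual hotlinking rather than controlling access.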
Stifu
Posts: 71/304
Both PHP files need to be on the server with the zip files, not on the server with the HTML files, right? Just making sure...

Last question, does putting "stifu.free.fr" in the $allowed line also affect subfolders of the stifu.free.fr address? Because the concerned HTML files aren't at the root...

Sorry if it sounds like I'm being lazy to ask all of this instead of just testing and trying myself, but I think my 2nd server isn't working quite right now, so I can't check properly at the moment... Or maybe this account is too restricted... I'll find out.

Alright... I think I'm almost there now.
Thanks.
Parasyte
Posts: 37/514
You need to place download.php on the same server with the files that it accesses. Also, the "$downloadpath" variable should be set to the absolute path. Though you may be able to get away with using a relative path, like "./download/".
If you cannot run php scripts from that server, you will have to use browser redirection instead of the header/fread calls.
To relocate to the actual files:

header("Location: http://site.with.files.com/path/to/".$file);

Finally, you should use "stifu.free.fr" in the $allowed line. You generally won't want to include http:// or www, because many users visit a site like "yahoo.com" rather than "www.yahoo.com" and the script notices the difference between the two. If you were to remove the 'www.', then it would work properly in either situation.
Stifu
Posts: 70/304
Jizuko: I already tried before... And the link you provided only works for image files... Not zip files.

Parasyte: Thanks again... The new version seems more convenient to manage and all.
However I still can't get it to work. I get the error page from my site as if I was direct linking...

I guess the error may be coming from this line:

$allowed = strstr(getenv("HTTP_REFERER"), "yoursite.com");

I've tried putting "stifu.free.fr" or "http://stifu.free.fr" (the address to the site where the download links are, but not where the zip files are stored...) instead of yoursite.com... With no success.
I'm redirected to the error page no matter what.
Parasyte
Posts: 36/514
Sorry, the script contains old code that did not get removed. I've re-uploaded it, and tested this time. Download from here: http://parasyte.panicus.org/projects/download.html
Jizuko
Posts: 371/1191
I would recommend using htaccess to disable hotlinking. You can easily disable several folders or specific images with this or even create accounts for people so some can see it and others can't. Same with password protecting a dir or a specific file.
Stifu
Posts: 69/304
Thank you!

Doesn't sound too complicated... Although I'm still having problems.

---

<?php
require "mimetypes.php";

// strstr() returns false unless the referrer contains the permitted site name
$allowed = strstr(getenv("HTTP_REFERER"), "yoursite.com");
if (($file) && ($allowed)) {
    $mimetype = $mimes[substr(strrchr($file[name],"."),1)];
    if (!$mimetype) showError();

    header("Content-disposition: filename=\"/path/to/".$file."\"");
    header("Content-type: ".$mimetype);
    header("Content-length: ".filesize("/path/to/".$file));

    // Send the file through the script in 1 KB chunks
    $fp = fopen($file[path],"r");
    while (!feof($fp)) $content .= fread($fp,1024);
    fclose($fp);
    echo $content;

    updateCounter();
}
else showError();


function showError() {
    header("Location: /path/to/404.html");
}
?>

---

I'm not sure what to change in the file apart from the stuff I put in red (well, more like pink...). What else must I change?
The [name] and [path] thing maybe? Not sure what to put there.

And am I supposed to change anything in mimetypes? Looks like a weird file.

Thanks.
Parasyte
Posts: 33/514
Use a PHP or CGI script, rather than directly linking to the files. The script can check the 'referer' address to see which site the browser is coming from. Then the script can either redirect the browser (not recommended) or it can send the file data directly through the script. (Recommended! Gives more control, and doesn't allow the browser to ever see the actual file location.)

Here's a sample script which you can use and modify to suit your needs: http://parasyte.panicus.org/projects/download-script.zip

Link to it using something like: download.php?file=filename.zip
Then the user will be able to download "filename.zip" if he is allowed, else he will get a 404 message.
Stifu
Posts: 68/304
Hey hey.

Here's the deal... I want to restrict one folder of some site to prevent direct linking.

Example: I got 2 FTP accounts.
1 with the site and all the pages, another one with zip files that are to be downloaded.
I want to make it so people can only download the files from the second site if they are trying to get them while clicking a link that is on the first site.
If the link is on any other site, it should not work.

I've already looked around on the net, and only found stuff about how to protect image files, or how to protect sites from certain IP or provider addresses...
But what I want is to protect zip files from getting downloaded if you're not in the right place.

Can anyone help?