Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 13 of 13
  1. #1
    New Coder
    Join Date
    May 2008
    Location
    Michigan
    Posts
    66
    Thanks
    7
    Thanked 0 Times in 0 Posts

    Help Protecting Media Files Without Denying Access Completely

    I have a situation where I have a ZIP file on my server. This ZIP file should be accessible via a link:

    Code:
    <a href="http://www.mydomain.com/path/to/file.zip">link</a>
    ...but not directly, via typing the location in the browser's address bar.

    1. Is this possible?

    2. If so, can somebody point me to where I might find information on how to do such a thing?

    Any help would be very much appreciated!

    +dharvell

  • #2
    Supreme Master coder! _Aerospace_Eng_'s Avatar
    Join Date
    Dec 2004
    Location
    In a place far, far away...
    Posts
    19,291
    Thanks
    2
    Thanked 1,043 Times in 1,019 Posts
    Sounds like you want to prevent hotlinking.

    http://www.lancelhoff.com/how-to-pre...ndwidth-theft/
    ||||If you are getting paid to do a job, don't ask for help on it!||||

  • #3
    New Coder
    Join Date
    May 2008
    Location
    Michigan
    Posts
    66
    Thanks
    7
    Thanked 0 Times in 0 Posts
    This looks like the EXACT thing I need. Thanks for the speedy reply!

    EDIT:
    I did as the directions prompted, but that didn't do quite what I wanted it to. I can still type the location of the file in the address bar and start the download. I want to prevent that. I want the file to download ONLY if the link on my page was clicked. Any updates as to how to accomplish this? Thanks, again.

    +dharvell
    Last edited by dharvell; 04-29-2009 at 02:55 AM.

  • #4
    Supreme Master coder! _Aerospace_Eng_'s Avatar
    Join Date
    Dec 2004
    Location
    In a place far, far away...
    Posts
    19,291
    Thanks
    2
    Thanked 1,043 Times in 1,019 Posts
    Change this line
    Code:
    RewriteRule \.(jpg|jpeg|png|gif|zip|rar)$ /nolink.png [R,L]
    to this
    Code:
    RewriteRule \.(jpg|jpeg|png|gif|zip|rar)$ - [F,NC]
    ||||If you are getting paid to do a job, don't ask for help on it!||||

  • #5
    New Coder
    Join Date
    May 2008
    Location
    Michigan
    Posts
    66
    Thanks
    7
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by _Aerospace_Eng_ View Post
    Change this line
    Code:
    RewriteRule \.(jpg|jpeg|png|gif|zip|rar)$ /nolink.png [R,L]
    to this
    Code:
    RewriteRule \.(jpg|jpeg|png|gif|zip|rar)$ - [F,NC]
    Thank you for the continued effort. Sadly, this didn't work, either. I am still able to directly reach the file by typing it in the address bar. If you have any additional ideas on this, I would love to try them (as I know roughly squat about .htaccess files)!

    Thanks, again!

    +dharvell

  • #6
    Senior Coder CFMaBiSmAd's Avatar
    Join Date
    Oct 2006
    Location
    Denver, Colorado USA
    Posts
    3,149
    Thanks
    2
    Thanked 333 Times in 325 Posts
    As long as the URL of the file will cause that file to be severed by the server, it does not matter how that http request is produced (link on a page, browser address bar, bot script, request relayed through a web proxy server...) A http request is a http request. HTTP_REFERER can also be set to anything at any time, so bot scripts and web proxy scripts can set it to your domain so that any request for a URL can look like it came from someone already viewing pages on your site.

    What exactly are you trying to accomplish? Does someone need to fill out a form or be a logged in member on your site before the file should be served by the web server? Edit: Stop hot linking by other sites putting a URL to your file on their pages?
    Last edited by CFMaBiSmAd; 04-29-2009 at 03:20 PM.
    If you are learning PHP, developing PHP code, or debugging PHP code, do yourself a favor and check your web server log for errors and/or turn on full PHP error reporting in php.ini or in a .htaccess file to get PHP to help you.

  • #7
    New Coder
    Join Date
    May 2008
    Location
    Michigan
    Posts
    66
    Thanks
    7
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by CFMaBiSmAd View Post
    As long as the URL of the file will cause that file to be severed by the server, it does not matter how that http request is produced (link on a page, browser address bar, bot script, request relayed through a web proxy server...) A http request is a http request. HTTP_REFERER can also be set to anything at any time, so bot scripts and web proxy scripts can set it to your domain so that any request for a URL can look like it came from someone already viewing pages on your site.

    What exactly are you trying to accomplish? Does someone need to fill out a form or be a logged in member on your site before the file should be served by the web server? Edit: Stop hot linking by other sites putting a URL to your file on their pages?
    What I am trying to accomplish is mentioned in the original post, but in case I didn't describe it that good, I'll try to describe it another way.

    I have a ZIP file. We'll call it coolFile.zip. I do NOT want people accessing coolFile.zip by entering the path in the address bar:

    http://www.mydomain.com/path/to/coolFile.zip

    The one and only way I DO want the file accessed is through a payment process. When payment is completed, a page displays a link:

    Code:
    <a href="http://www.mydomain.com/path/to/coolFile.zip">here is your file</a>
    I'm sure this is possible, as you run into a similar situation all the time. I just don't have the know-how to do this without a little guidance... or a lot of guidance, as it may be... heh heh heh

    If you need more info, let me know and I'll do my best to get you what you need!

    +dharvell

  • #8
    Senior Coder CFMaBiSmAd's Avatar
    Join Date
    Oct 2006
    Location
    Denver, Colorado USA
    Posts
    3,149
    Thanks
    2
    Thanked 333 Times in 325 Posts
    You need to dynamically output the file using a server side script (PHP for example) that only outputs the file when the conditions that you require have been met. The actual folder where the .zip files are kept is either outside of your document root folder or it contains a .htaccess file that prevents all http access to the files. Only the server side script has access to read the .zip files.

    The URL (link or otherwise) would look like -

    http://yourdomain.com/download.php?coolFile.zip

    Edit: The above URL is not correct (unless you were doing some URL manipulation) The actual URL would be something like http://yourdomain.com/download.php?file=coolFile.zip


    The php code in download.php (or whatever name or server-side script you end up using) would check that that payment process for the current visitor/member has been completed. If it has been completed, the actual .zip file is output along with the necessary content type headers. If the payment process has not been completed, an appropriate message is output instead.
    Last edited by CFMaBiSmAd; 04-29-2009 at 05:55 PM. Reason: fixed URL example
    If you are learning PHP, developing PHP code, or debugging PHP code, do yourself a favor and check your web server log for errors and/or turn on full PHP error reporting in php.ini or in a .htaccess file to get PHP to help you.

  • #9
    New Coder
    Join Date
    May 2008
    Location
    Michigan
    Posts
    66
    Thanks
    7
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by CFMaBiSmAd View Post
    You need to dynamically output the file using a server side script (PHP for example) that only outputs the file when the conditions that you require have been met. The actual folder where the .zip files are kept is either outside of your document root folder or it contains a .htaccess file that prevents all http access to the files. Only the server side script has access to read the .zip files.

    The URL (link or otherwise) would look like -

    http://yourdomain.com/download.php?coolFile.zip

    The php code in download.php (or whatever name or server-side script you end up using) would check that that payment process for the current visitor/member has been completed. If it has been completed, the actual .zip file is output along with the necessary content type headers. If the payment process has not been completed, an appropriate message is output instead.
    I'm sure your answer is the key to what I need. I just wish I understood 95% of what you just said!

    I am moderately experienced in PHP, so coming up with a script should not be too hard. But as for .htaccess files and sending "necessary headers", I am completely lost at this point...

  • #10
    Senior Coder CFMaBiSmAd's Avatar
    Join Date
    Oct 2006
    Location
    Denver, Colorado USA
    Posts
    3,149
    Thanks
    2
    Thanked 333 Times in 325 Posts
    To prevent all http requests to files in a folder, put a .htaccess file in that folder with the following line in it (assumes Apache web server) -

    Code:
    deny from all
    Content headers and force download (download dialog box) - http://apptools.com/phptools/force-download.php
    If you are learning PHP, developing PHP code, or debugging PHP code, do yourself a favor and check your web server log for errors and/or turn on full PHP error reporting in php.ini or in a .htaccess file to get PHP to help you.

  • #11
    New Coder
    Join Date
    May 2008
    Location
    Michigan
    Posts
    66
    Thanks
    7
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by CFMaBiSmAd View Post
    To prevent all http requests to files in a folder, put a .htaccess file in that folder with the following line in it (assumes Apache web server) -

    Code:
    deny from all
    Content headers and force download (download dialog box) - http://apptools.com/phptools/force-download.php
    Cool! Thanks for the pointers!

    +dharvell

  • #12
    Regular Coder ajhauser's Avatar
    Join Date
    Nov 2007
    Location
    Earlville. It's where Earls come from.
    Posts
    226
    Thanks
    74
    Thanked 1 Time in 1 Post
    To add to this question: if you used "deny from all" in several .htaccess files, with one in every folder of your site - would it prevent the site from loading altogether?

    If there is a .html (or other extention) page in a folder with "deny from all" in an .htaccess file, and a link points to it, will it tell the browser that the file cannot be found?

    I think that is the point here, I just wanted to clarify myself.
    Thanks, and very useful post!

  • #13
    New to the CF scene
    Join Date
    Jun 2009
    Posts
    1
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by ajhauser View Post
    To add to this question: if you used "deny from all" in several .htaccess files, with one in every folder of your site - would it prevent the site from loading altogether?

    If there is a .html (or other extention) page in a folder with "deny from all" in an .htaccess file, and a link points to it, will it tell the browser that the file cannot be found?
    If you put one in every folder it would prevent the site from loading. Or if this was your intention, you could put the file in the root folder, and all below it would take on the characteristics of that .htaccess file.

    If you access a file in a directory that has deny from all you will recieve the message :

    Forbidden
    You don't have permission to access /this/directory on this server.


  •  

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •