0

I have a simple download script (used for WordPress file downloads):

    // $filesize and $file_url are set earlier in the script (not shown)
    if ($filesize) {
        header('Content-Type: application/octet-stream');
        header("Content-Transfer-Encoding: Binary");
        header("Content-disposition: attachment; filename=\"" . basename($file_url) . "\"");
        readfile($file_url);
    } else {
        echo '<p>No file found</p>';
    }

I want to prevent users from accessing the download files directly, so if a user types the path into the browser, the file should not be accessible.

I've tried this with .htaccess but without results. It blocked direct access to the file, but then the script wouldn't download the file either.

Any help?

Thanks!

3
  • $_SERVER['HTTP_USER_AGENT'] can help Commented Mar 15, 2017 at 11:24
  • Just store the files to be accessed in a directory that's not accessible via the HTTP server you're running. Commented Mar 15, 2017 at 11:48
  • That's not quite possible in this case, I store everything in one folder (protected files and not protected) Commented Mar 15, 2017 at 12:34

3 Answers

2

If the files are on the same box as the PHP script, move them out of the webserver directory so the script can access them but users cannot.


1 Comment

The download.php script is in a different location than the files which are meant to be downloaded, in different folders.

0

I will assume that the user needs to click a certain button to get the file, which means a POST method, and if the request is not a POST you show them an error message:

    if ($_SERVER['REQUEST_METHOD'] != 'POST') {
        echo 'Error: You cannot access this link Directly';
        exit; // stop here so the rest of the script does not run
    }

I'm also assuming you have your files in a separate folder where you can create a new .htaccess file with the following rules:

    Order Deny,Allow
    Deny from all

5 Comments

No, the user clicks a link which leads to download.php?file_id=66, then download.php serves the file for download. But if the user somehow figures out which folder it came from, it can still be accessed with a direct link in the browser.
Did you use an .htaccess file?
Yeah, I've tried Order Deny,Allow Deny from all, but this also prevented WordPress from accessing the files. Also, files were downloaded with my script, but the files were empty...
OK, if your files are in one folder, create a new .htaccess with the following rules: Order Deny,Allow Deny from all
Yeah, I did that, but as I've mentioned above, this caused problems with accessing the files with the script too.

0

To solve this issue, you can keep the script file out of the folder where the download files and .htaccess files are located.

By doing so, users can't access the download file directly: if a user types the path into the browser, the file will not be downloaded. They can only access files via the script.

Hope it makes sense.
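
A sketch of the approach the answers describe, as an added example that is not part of the original thread: download.php maps file_id to a file on disk and streams it by filesystem path, so a Deny from all rule on the folder blocks browsers but not the script. The directory path and the id-to-filename table are hypothetical. Note that readfile() on an http:// URL would go back through Apache and hit the same deny rule.

```php
<?php
// Added example, not code from the question or the answers.
declare(strict_types=1);

// Folder protected by "Deny from all" or placed outside the web root.
const DOWNLOAD_DIR = '/var/www/protected-downloads'; // hypothetical path

// Hypothetical lookup table; in WordPress this would come from the database.
const FILES = [
    66 => 'report.pdf',
];

/** Resolve a file id to an absolute path inside $baseDir, or null. */
function resolve_download(int $id, array $files, string $baseDir): ?string
{
    if (!isset($files[$id])) {
        return null;
    }
    $base = realpath($baseDir);
    // basename() drops any directory part stored with the name.
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . basename($files[$id]));
    if ($base === false || $path === false) {
        return null;
    }
    // Refuse anything that resolves outside the base folder (e.g. via symlinks).
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return (is_file($path) && is_readable($path)) ? $path : null;
}

// The client only ever sends an integer id, never a path or URL.
$id   = filter_input(INPUT_GET, 'file_id', FILTER_VALIDATE_INT);
$path = is_int($id) ? resolve_download($id, FILES, DOWNLOAD_DIR) : null;

if ($path === null) {
    http_response_code(404);
    echo '<p>No file found</p>';
    exit;
}

header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path); // filesystem read: Apache access rules do not apply here
exit;
```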
