How do the download scripts work?

unknowngiver · 03-30-2007, 04:26 PM

Hey
I cant figure out something
how does a non database [flat file] download script work?
i know how you will be able to upload a file to a directory..but now how do you restrict only registered people to download that file!
if it was a php file..then in the php file..you could use sessions..but if a user uploads abc.zip under "uploads" its basically available to anyone who goes to domain.com/uploads/abc.zip ..my question is..how do you restrict only registered users to be able to download that!
Thanks

snike · 03-30-2007, 04:56 PM

i wouldn't show the user where the file was uploaded so the URL would be something like http://www.site.com/file.php?id=4824jdf82894hc828fh28 or something. And have the file renamed from abc.zip to 28427427abc.zip just to make things safer. Also, I believe there is a way to have a file downloaded instead of it being ran on the server, for example an image file. I'll tell you when I'v found something.

unknowngiver · 03-30-2007, 05:50 PM

well its for Vbulletin.i couldnt find a Mod for it..and the files are too big to be uploaded through the Vbulletin Attachment system [it saves it in the database]

Peter · 03-31-2007, 03:17 AM

I am not familiar with Vbulletin's attachment system but what makes you say it does not use a database? Vbulletin is very database heavy and I would think it definitely uses a database for the download.

If however you are making 1 and 100% do not want people to download files that are not allowed too you could do something like the following:-

Upload files to a non www based folder.
????: NamePros.com http://www.namepros.com/programming/311178-how-do-the-download-scripts-work.html
If you want the files to look like they are downloading from a particular folder create a folder and put a htaccess file in it using a redirect rule (more with that in a sec)
Put a php script in the file that checks if the person is a registered user (very easy to do, just use Vbulletin's own global php file)
In the check to see if the user is registered and if they are check the file exists in your download folder.
Check extension of the file and output correct headers.
Use file_get_contents or a similar method to echo the content out to the client.

Now regarding the htaccess file.

If for example you want your downloads to look like:-

http://www.mydomain.com/download/file.ext

make a folder in your root directory called download.
Create a .htaccess file that rewrites the address to http://www.mydomain.com/download/scr...?file=file.ext (in the php file ensure of course that only allowed chars are in the file name to ensure that people cannot traverse your server and download anything they want).

maximum · 03-31-2007, 12:50 PM

As Peter suggested, move downloads to a directory outside root (non browser accessable directly).

PHP Code:

  <?

if(!isset($_COOKIE['bbuserid']) || !isset($_COOKIE['bbpassword'])){

die("You are not logged in!"); }

if($_GET['file'] == ""){

die("No file specified."); }

if(!isset($_GET['file'])){

die("No file specified."); }

$filename = $_GET['file'];

if(!file_exists("/path/to/hidden/files/".$filename)) {

die("The requested file could not be found"); }

readfile("/path/to/hidden/files/$filename");

exit();

?>

Not exactly the most secure (call me an amateur

), and requires cookies enabled (I haven't looked into sessions for vBulletin). But the login cookies for it are those (bbuserid & bbpassword). You could also check into comparing those values with the database of users, incase browser doesn't have cookies turned on (ie: sessions being used). Something to consider, also, is the file formats, and how they may be treated (ie: normally displayed like text files, versus forced downloads for textfiles). For more info on that, see PHP.net's header() manual.

tm · 03-31-2007, 12:58 PM

Look into headers on the php manual.
http://uk2.php.net/manual/en/function.header.php
Specifically

PHP Code:

  <?php

// We'll be outputting a PDF

header('Content-type: application/pdf');

????: NamePros.com http://www.namepros.com/showthread.php?t=311178
 
// It will be called downloaded.pdf

header('Content-Disposition: attachment; filename="downloaded.pdf"');

 
// The PDF source is in original.pdf

readfile('original.pdf');

?>

Peter · 03-31-2007, 01:50 PM

The following will work. All you have to do to change it is change $download_folder to the server path to your download folder (with a trailling slash) and change the path in the chdir line to the server root path of your forum.

Also you will see comments at the bottom where you will have to output the header and also where you output the content of the file. If the file is large as you have already stated then increase your script maximum execution time using a line similar to the following (changing the 300 to the number of seconds you want it to run for):-

PHP Code:

  ini_set("max_execution_time", "300") 

????: NamePros.com http://www.namepros.com/showthread.php?t=311178

Also remember to delete the line i put that outputs the path of the download file i put that there to ensure all was ok.

PHP Code:

  <?php

$download_folder = '';

chdir('/path/to/your/forum/root/');

 
error_reporting(E_ALL & ~E_NOTICE);

 
define('THIS_SCRIPT', 'download');

 
$phrasegroups = array();

 
$specialtemplates = array();

 
$globaltemplates = array();

 
$actiontemplates = array();

 
require_once('./global.php');

if ($vbulletin->userinfo['userid'] === 0)

{

 echo 'Please log in before downloading files.';

 exit();

}

if ($_GET['file'] && preg_match('/^[_.A-Za-z0-9]+$/', $_GET['file']) && is_file($download_folder.$_GET['file']))

????: NamePros.com http://www.namepros.com/showthread.php?t=311178
{

    // Output headers

    // output content of file

    echo 'file is '.$download_folder.$_GET['file'];

}

else 

{

    echo 'Invalid link followed.';

}

?>

unknowngiver · 04-20-2007, 07:05 PM

hey guys
great so far it works

but i cant seem to get the header thing to work...how do i make it so that ANY file can be downloaded [like in the php manual..they specify that its a PDF] ?
i know that mostly i will be uploading .ZIP and .RAR files

also..second question..how do i make it that it uses the Vbulletin theme and stuff..so that it looks like a part of vbulletin forum...like on namepros...u have the domain management which is embeded in vbulletin

Eric · 04-20-2007, 07:25 PM

Originally Posted by unknowngiver

hey guys
great so far it works

but i cant seem to get the header thing to work...how do i make it so that ANY file can be downloaded [like in the php manual..they specify that its a PDF] ?
i know that mostly i will be uploading .ZIP and .RAR files

also..second question..how do i make it that it uses the Vbulletin theme and stuff..so that it looks like a part of vbulletin forum...like on namepros...u have the domain management which is embeded in vbulletin

what vBulletin version are you using?
????: NamePros.com http://www.namepros.com/showthread.php?t=311178

For 3.5.x or 3.6.x something like:

PHP Code:

  <?php

 
// ####################### SET PHP ENVIRONMENT ###########################

error_reporting(E_ALL & ~E_NOTICE);

// uncomment if outside your forum root

//chdir('/path/to/your/forum/root/');

 
// #################### DEFINE IMPORTANT CONSTANTS #######################

define('THIS_SCRIPT', 'download');

define('DL_FOLDER', '');

 
// ################### PRE-CACHE TEMPLATES AND DATA ######################

// get special phrase groups

$phrasegroups = array();

 
// get special data templates from the datastore

$specialtemplates = array();

 
// pre-cache templates used by all actions

$globaltemplates = array();

 
// pre-cache templates used by specific actions

$actiontemplates = array();

 
// ######################### REQUIRE BACK-END ############################

require_once('./global.php');

 
if ($vbulletin->userinfo['userid'] == 0 OR !($permissions['forumpermissions'] & $vbulletin->bf_ugp_forumpermissions['canview']))

{

    print_no_permission();

}

 
// #######################################################################

// ######################## START MAIN SCRIPT ############################

// #######################################################################

if (isset($_GET['file']) AND preg_match('#^[_.a-z0-9]+$#i', $_GET['file']) AND is_file(DL_FOLDER . $_GET['file']))

{

    // determine file type, and output appropriate headers & file content

}

else

{

    eval(print_standard_redirect('Invalid download link specified', false));

}

 
//

$navbits = construct_navbits(array('' => 'Download'));

eval('$navbar = "' . fetch_template('navbar') . '";');

eval('print_output("' . fetch_template('yourdltemplate') . '");');

????: NamePros.com http://www.namepros.com/showthread.php?t=311178
 
?>

replace 'yourdltemplate', with the var_name of the template you make for the download page.

Jim_ · 04-20-2007, 09:32 PM

Just use a generic mime type like 'application/octet-stream' for everything.

unknowngiver · 04-21-2007, 03:24 PM

Originally Posted by SecondVersion

what vBulletin version are you using?

For 3.5.x or 3.6.x something like:

PHP Code:

  <?php

 
// ####################### SET PHP ENVIRONMENT ###########################

error_reporting(E_ALL & ~E_NOTICE);

????: NamePros.com http://www.namepros.com/showthread.php?t=311178
// uncomment if outside your forum root

//chdir('/path/to/your/forum/root/');

 
// #################### DEFINE IMPORTANT CONSTANTS #######################

define('THIS_SCRIPT', 'download');

define('DL_FOLDER', '');

 
// ################### PRE-CACHE TEMPLATES AND DATA ######################

// get special phrase groups

$phrasegroups = array();

 
// get special data templates from the datastore

$specialtemplates = array();

 
// pre-cache templates used by all actions

$globaltemplates = array();

 
// pre-cache templates used by specific actions

$actiontemplates = array();

 
// ######################### REQUIRE BACK-END ############################

require_once('./global.php');

 
if ($vbulletin->userinfo['userid'] == 0 OR !($permissions['forumpermissions'] & $vbulletin->bf_ugp_forumpermissions['canview']))

{

    print_no_permission();

}

 
// #######################################################################

// ######################## START MAIN SCRIPT ############################

// #######################################################################

if (isset($_GET['file']) AND preg_match('#^[_.a-z0-9]+$#i', $_GET['file']) AND is_file(DL_FOLDER . $_GET['file']))

????: NamePros.com http://www.namepros.com/showthread.php?t=311178
{

    // determine file type, and output appropriate headers & file content

}

else

{

    eval(print_standard_redirect('Invalid download link specified', false));

}

 
//

$navbits = construct_navbits(array('' => 'Download'));

eval('$navbar = "' . fetch_template('navbar') . '";');

eval('print_output("' . fetch_template('yourdltemplate') . '");');

 
?>

replace 'yourdltemplate', with the var_name of the template you make for the download page.

and what do i put in the new template :S

unknowngiver · 04-21-2007, 06:41 PM

hey
looking at the vbadvanced portal i made this:

PHP Code:

  $stylevar[htmldoctype]

<html dir="$stylevar[textdirection]" lang="$stylevar[languagecode]">

<head>

<title>$vboptions[hometitle] <if condition="$pagetitle">- $pagetitle</if></title>

 
$headinclude

 
<if condition="$show['inlinemod']"><script type="text/javascript" src="clientscript/vbulletin_inlinemod.js"></script></if>

????: NamePros.com http://www.namepros.com/showthread.php?t=311178
 
</head>

<body>

 
$header

 
$navbar

 
 
<table align="center" class="page" cellspacing="0" cellpadding="0" width="100%">

<tr valign="top">

 
<if condition="$show['left_column']">

 
<td width="$vba_style[portal_leftcolwidth]">

 
$home[leftblocks]

 
</td>

 
<!-- Spacer Cell -->

<td width="$vba_style[portal_colspacing]"><img alt="" src="$vboptions[bburl]/$vboptions[cleargifurl]" width="$vba_style[portal_colspacing]" /></td>

<!-- / Spacer Cell -->

 
</if>

 
 
 
<td valign="top">

 
DOWNLOAD WILL BE HERE

 
</td>

</if>

 
 
<if condition="$show['right_column']">

 
<!-- Spacer Cell -->

<td width="$vba_style[portal_colspacing]"><img alt="" src="$vboptions[bburl]/$vboptions[cleargifurl]" width="$vba_style[portal_colspacing]" /></td>

????: NamePros.com http://www.namepros.com/showthread.php?t=311178
<!-- / Spacer Cell -->

 
<td valign="top" width="$vba_style[portal_rightcolwidth]">

 
$home[rightblocks]

 
</td>

</if>

 
</tr>

</table>

 
$footer

 
</body>

</html>

but now how do i add the download thing in there? Since templates cant hold PHP code

p.s: yes now i have 3.6

tm · 04-22-2007, 05:19 AM

Link to another page that has php...

unknowngiver · 04-22-2007, 01:17 PM

hm? there is no other page..this is the page...download.php

unknowngiver · 04-24-2007, 09:39 AM

bump

Alex. · 04-25-2007, 04:56 PM

you save the first script into a folder, and the template into your template folder.
then make sure the link to the temp. at the bottom of the script is right, and by the sound of it you should be good to gm.
though i might be wrong, i know nothing about VB.

unknowngiver · 04-25-2007, 06:24 PM

the page works...but the program is...that the output from the php file is shown at the very top ...and the output in the template is shown where it should be...but i cant use php in the template

unknowngiver · 05-02-2007, 04:50 PM

bump

03-30-2007, 04:26 PM	THREAD STARTER #1 (permalink)
unknowngiver Senior Member Join Date: May 2005 Location: Ontario Canada Posts: 3,088	How do the download scripts work? Hey I cant figure out something how does a non database [flat file] download script work? i know how you will be able to upload a file to a directory..but now how do you restrict only registered people to download that file! if it was a php file..then in the php file..you could use sessions..but if a user uploads abc.zip under "uploads" its basically available to anyone who goes to domain.com/uploads/abc.zip ..my question is..how do you restrict only registered users to be able to download that! Thanks __________________ Simplifying Engineering \|\| $$ Currency Converter $$ Julsh - Community/Dating Website \|\| Free Image hosting Fresh Proxies \|\| Random Proxy \|\| Troll Board

03-30-2007, 05:50 PM	THREAD STARTER #3 (permalink)
unknowngiver Senior Member Join Date: May 2005 Location: Ontario Canada Posts: 3,088	well its for Vbulletin.i couldnt find a Mod for it..and the files are too big to be uploaded through the Vbulletin Attachment system [it saves it in the database] __________________ Simplifying Engineering \|\| $$ Currency Converter $$ Julsh - Community/Dating Website \|\| Free Image hosting Fresh Proxies \|\| Random Proxy \|\| Troll Board

03-31-2007, 12:50 PM	#5 (permalink)
maximum If only you knew... Join Date: Oct 2005 Location: Inside your head... Posts: 998	As Peter suggested, move downloads to a directory outside root (non browser accessable directly). PHP Code: `<? if(!isset($_COOKIE['bbuserid']) \|\| !isset($_COOKIE['bbpassword'])){ die("You are not logged in!"); } if($_GET['file'] == ""){ die("No file specified."); } if(!isset($_GET['file'])){ die("No file specified."); } $filename = $_GET['file']; if(!file_exists("/path/to/hidden/files/".$filename)) { die("The requested file could not be found"); } readfile("/path/to/hidden/files/$filename"); exit(); ?>` Not exactly the most secure (call me an amateur ), and requires cookies enabled (I haven't looked into sessions for vBulletin). But the login cookies for it are those (bbuserid & bbpassword). You could also check into comparing those values with the database of users, incase browser doesn't have cookies turned on (ie: sessions being used). Something to consider, also, is the file formats, and how they may be treated (ie: normally displayed like text files, versus forced downloads for textfiles). For more info on that, see PHP.net's header() manual. __________________ --- The greatest truths ever told, and the greatest lies ever told, all consist of exactly the same three words: "I LOVE YOU" --- The best say little, only say what is important.....then they shut up and sit down.

03-31-2007, 12:58 PM	#6 (permalink)
tm Senior Member Join Date: Nov 2005 Location: on a oil rig just off Ireland Posts: 1,408	Look into headers on the php manual. http://uk2.php.net/manual/en/function.header.php Specifically PHP Code: `<?php // We'll be outputting a PDF header('Content-type: application/pdf'); ????: NamePros.com http://www.namepros.com/showthread.php?t=311178 // It will be called downloaded.pdf header('Content-Disposition: attachment; filename="downloaded.pdf"'); // The PDF source is in original.pdf readfile('original.pdf'); ?>` __________________ You design in photoshop, I code into valid XHTML/CSS. Professional PSD, PNG or HTML to tableless XHTML/CSS designs. For more info, send me a PM.

03-31-2007, 01:50 PM	#7 (permalink)
Peter NamePros Expert Join Date: Nov 2003 Location: Scotland Posts: 5,069	The following will work. All you have to do to change it is change $download_folder to the server path to your download folder (with a trailling slash) and change the path in the chdir line to the server root path of your forum. Also you will see comments at the bottom where you will have to output the header and also where you output the content of the file. If the file is large as you have already stated then increase your script maximum execution time using a line similar to the following (changing the 300 to the number of seconds you want it to run for):- PHP Code: `ini_set("max_execution_time", "300") ????: NamePros.com http://www.namepros.com/showthread.php?t=311178` Also remember to delete the line i put that outputs the path of the download file i put that there to ensure all was ok. PHP Code: <?php $download_folder = ''; chdir('/path/to/your/forum/root/'); error_reporting(E_ALL & ~E_NOTICE); define('THIS_SCRIPT', 'download'); $phrasegroups = array(); $specialtemplates = array(); $globaltemplates = array(); $actiontemplates = array(); require_once('./global.php'); if ($vbulletin->userinfo['userid'] === 0) { echo 'Please log in before downloading files.'; exit(); } if ($_GET['file'] && preg_match('/^[_.A-Za-z0-9]+$/', $_GET['file']) && is_file($download_folder.$_GET['file'])) ????: NamePros.com http://www.namepros.com/showthread.php?t=311178 { // Output headers // output content of file echo 'file is '.$download_folder.$_GET['file']; } else { echo 'Invalid link followed.'; } ?>

03-30-2007, 04:56 PM	#2 (permalink)
snike NamePros Regular Join Date: Mar 2006 Location: USA Posts: 497	i wouldn't show the user where the file was uploaded so the URL would be something like http://www.site.com/file.php?id=4824jdf82894hc828fh28 or something. And have the file renamed from abc.zip to 28427427abc.zip just to make things safer. Also, I believe there is a way to have a file downloaded instead of it being ran on the server, for example an image file. I'll tell you when I'v found something.

03-31-2007, 03:17 AM	#4 (permalink)
Peter NamePros Expert Join Date: Nov 2003 Location: Scotland Posts: 5,069	I am not familiar with Vbulletin's attachment system but what makes you say it does not use a database? Vbulletin is very database heavy and I would think it definitely uses a database for the download. If however you are making 1 and 100% do not want people to download files that are not allowed too you could do something like the following:- Upload files to a non www based folder. ????: NamePros.com http://www.namepros.com/programming/311178-how-do-the-download-scripts-work.html If you want the files to look like they are downloading from a particular folder create a folder and put a htaccess file in it using a redirect rule (more with that in a sec) Put a php script in the file that checks if the person is a registered user (very easy to do, just use Vbulletin's own global php file) In the check to see if the user is registered and if they are check the file exists in your download folder. Check extension of the file and output correct headers. Use file_get_contents or a similar method to echo the content out to the client. Now regarding the htaccess file. If for example you want your downloads to look like:- http://www.mydomain.com/download/file.ext make a folder in your root directory called download. Create a .htaccess file that rewrites the address to http://www.mydomain.com/download/scr...?file=file.ext (in the php file ensure of course that only allowed chars are in the file name to ensure that people cannot traverse your server and download anything they want).

04-20-2007, 07:05 PM	THREAD STARTER #8 (permalink)
unknowngiver Senior Member Join Date: May 2005 Location: Ontario Canada Posts: 3,088	hey guys great so far it works but i cant seem to get the header thing to work...how do i make it so that ANY file can be downloaded [like in the php manual..they specify that its a PDF] ? i know that mostly i will be uploading .ZIP and .RAR files also..second question..how do i make it that it uses the Vbulletin theme and stuff..so that it looks like a part of vbulletin forum...like on namepros...u have the domain management which is embeded in vbulletin __________________ Simplifying Engineering \|\| $$ Currency Converter $$ Julsh - Community/Dating Website \|\| Free Image hosting Fresh Proxies \|\| Random Proxy \|\| Troll Board

04-20-2007, 09:32 PM	#10 (permalink)
Jim_ NamePros Regular Join Date: Aug 2005 Location: NY, USA Posts: 610	Just use a generic mime type like 'application/octet-stream' for everything. __________________ ask me about the internet

04-21-2007, 06:41 PM	THREAD STARTER #12 (permalink)
unknowngiver Senior Member Join Date: May 2005 Location: Ontario Canada Posts: 3,088	hey looking at the vbadvanced portal i made this: PHP Code: $stylevar[htmldoctype] <html dir="$stylevar[textdirection]" lang="$stylevar[languagecode]"> <head> <title>$vboptions[hometitle] <if condition="$pagetitle">- $pagetitle</if></title> $headinclude <if condition="$show['inlinemod']"><script type="text/javascript" src="clientscript/vbulletin_inlinemod.js"></script></if> ????: NamePros.com http://www.namepros.com/showthread.php?t=311178 </head> <body> $header $navbar <table align="center" class="page" cellspacing="0" cellpadding="0" width="100%"> <tr valign="top"> <if condition="$show['left_column']"> <td width="$vba_style[portal_leftcolwidth]"> $home[leftblocks] </td> <!-- Spacer Cell --> <td width="$vba_style[portal_colspacing]"><img alt="" src="$vboptions[bburl]/$vboptions[cleargifurl]" width="$vba_style[portal_colspacing]" /></td> <!-- / Spacer Cell --> </if> <td valign="top"> DOWNLOAD WILL BE HERE </td> </if> <if condition="$show['right_column']"> <!-- Spacer Cell --> <td width="$vba_style[portal_colspacing]"><img alt="" src="$vboptions[bburl]/$vboptions[cleargifurl]" width="$vba_style[portal_colspacing]" /></td> ????: NamePros.com http://www.namepros.com/showthread.php?t=311178 <!-- / Spacer Cell --> <td valign="top" width="$vba_style[portal_rightcolwidth]"> $home[rightblocks] </td> </if> </tr> </table> $footer </body> </html> but now how do i add the download thing in there? Since templates cant hold PHP code p.s: yes now i have 3.6 __________________ Simplifying Engineering \|\| $$ Currency Converter $$ Julsh - Community/Dating Website \|\| Free Image hosting Fresh Proxies \|\| Random Proxy \|\| Troll Board

04-22-2007, 05:19 AM	#13 (permalink)
tm Senior Member Join Date: Nov 2005 Location: on a oil rig just off Ireland Posts: 1,408	Link to another page that has php... __________________ You design in photoshop, I code into valid XHTML/CSS. Professional PSD, PNG or HTML to tableless XHTML/CSS designs. For more info, send me a PM.

04-22-2007, 01:17 PM	THREAD STARTER #14 (permalink)
unknowngiver Senior Member Join Date: May 2005 Location: Ontario Canada Posts: 3,088	hm? there is no other page..this is the page...download.php __________________ Simplifying Engineering \|\| $$ Currency Converter $$ Julsh - Community/Dating Website \|\| Free Image hosting Fresh Proxies \|\| Random Proxy \|\| Troll Board

04-24-2007, 09:39 AM	THREAD STARTER #15 (permalink)
unknowngiver Senior Member Join Date: May 2005 Location: Ontario Canada Posts: 3,088	bump __________________ Simplifying Engineering \|\| $$ Currency Converter $$ Julsh - Community/Dating Website \|\| Free Image hosting Fresh Proxies \|\| Random Proxy \|\| Troll Board

04-25-2007, 04:56 PM	#16 (permalink)
Alex. Account Closed Join Date: Nov 2006 Location: Uk Posts: 601	you save the first script into a folder, and the template into your template folder. then make sure the link to the temp. at the bottom of the script is right, and by the sound of it you should be good to gm. though i might be wrong, i know nothing about VB.

04-25-2007, 06:24 PM	THREAD STARTER #17 (permalink)
unknowngiver Senior Member Join Date: May 2005 Location: Ontario Canada Posts: 3,088	the page works...but the program is...that the output from the php file is shown at the very top ...and the output in the template is shown where it should be...but i cant use php in the template __________________ Simplifying Engineering \|\| $$ Currency Converter $$ Julsh - Community/Dating Website \|\| Free Image hosting Fresh Proxies \|\| Random Proxy \|\| Troll Board

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

05-02-2007, 04:50 PM	THREAD STARTER #18 (permalink)
unknowngiver Senior Member Join Date: May 2005 Location: Ontario Canada Posts: 3,088	bump __________________ Simplifying Engineering \|\| $$ Currency Converter $$ Julsh - Community/Dating Website \|\| Free Image hosting Fresh Proxies \|\| Random Proxy \|\| Troll Board