How do the download scripts work?

[unknowngiver]

Hey
I cant figure out something
how does a non database [flat file] download script work?
i know how you will be able to upload a file to a directory..but now how do you restrict only registered people to download that file!
if it was a php file..then in the php file..you could use sessions..but if a user uploads abc.zip under "uploads" its basically available to anyone who goes to domain.com/uploads/abc.zip ..my question is..how do you restrict only registered users to be able to download that!
Thanks

 

[snike]

i wouldn't show the user where the file was uploaded so the URL would be something like http://www.site.com/file.php?id=4824jdf82894hc828fh28 or something. And have the file renamed from abc.zip to 28427427abc.zip just to make things safer. Also, I believe there is a way to have a file downloaded instead of it being ran on the server, for example an image file. I'll tell you when I'v found something.

 

[unknowngiver]

well its for Vbulletin.i couldnt find a Mod for it..and the files are too big to be uploaded through the Vbulletin Attachment system [it saves it in the database]

 

[Peter]

I am not familiar with Vbulletin's attachment system but what makes you say it does not use a database? Vbulletin is very database heavy and I would think it definitely uses a database for the download.

If however you are making 1 and 100% do not want people to download files that are not allowed too you could do something like the following:-

Upload files to a non www based folder.
If you want the files to look like they are downloading from a particular folder create a folder and put a htaccess file in it using a redirect rule (more with that in a sec)
Put a php script in the file that checks if the person is a registered user (very easy to do, just use Vbulletin's own global php file)
In the check to see if the user is registered and if they are check the file exists in your download folder.
Check extension of the file and output correct headers.
Use file_get_contents or a similar method to echo the content out to the client.


Now regarding the htaccess file.

If for example you want your downloads to look like:-

http://www.mydomain.com/download/file.ext

make a folder in your root directory called download.
Create a .htaccess file that rewrites the address to http://www.mydomain.com/download/script.php?file=file.ext (in the php file ensure of course that only allowed chars are in the file name to ensure that people cannot traverse your server and download anything they want).

 

[maximum]

As Peter suggested, move downloads to a directory outside root (non browser accessable directly).

<?
if(!isset($_COOKIE['bbuserid']) || !isset($_COOKIE['bbpassword'])){
die("You are not logged in!"); }
if($_GET['file'] == ""){
die("No file specified."); }
if(!isset($_GET['file'])){
die("No file specified."); }
$filename = $_GET['file'];
if(!file_exists("/path/to/hidden/files/".$filename)) {
die("The requested file could not be found"); }
readfile("/path/to/hidden/files/$filename");
exit();
?>

Not exactly the most secure (call me an amateur :] ), and requires cookies enabled (I haven't looked into sessions for vBulletin). But the login cookies for it are those (bbuserid & bbpassword). You could also check into comparing those values with the database of users, incase browser doesn't have cookies turned on (ie: sessions being used). Something to consider, also, is the file formats, and how they may be treated (ie: normally displayed like text files, versus forced downloads for textfiles). For more info on that, see PHP.net's header() manual.

 

[tm]

Look into headers on the php manual.
http://uk2.php.net/manual/en/function.header.php
Specifically

<?php
// We'll be outputting a PDF
header('Content-type: application/pdf');

// It will be called downloaded.pdf
header('Content-Disposition: attachment; filename="downloaded.pdf"');

// The PDF source is in original.pdf
readfile('original.pdf');
?>

 

[Peter]

The following will work. All you have to do to change it is change $download_folder to the server path to your download folder (with a trailling slash) and change the path in the chdir line to the server root path of your forum.

Also you will see comments at the bottom where you will have to output the header and also where you output the content of the file. If the file is large as you have already stated then increase your script maximum execution time using a line similar to the following (changing the 300 to the number of seconds you want it to run for):-

ini_set("max_execution_time", "300")

Also remember to delete the line i put that outputs the path of the download file i put that there to ensure all was ok.

<?php
$download_folder = '';
chdir('/path/to/your/forum/root/');

error_reporting(E_ALL & ~E_NOTICE);

define('THIS_SCRIPT', 'download');

$phrasegroups = array();

$specialtemplates = array();

$globaltemplates = array();

$actiontemplates = array();

require_once('./global.php');
if ($vbulletin->userinfo['userid'] === 0)
{
 echo 'Please log in before downloading files.';
 exit();
}
if ($_GET['file'] && preg_match('/^[_.A-Za-z0-9]+$/', $_GET['file']) && is_file($download_folder.$_GET['file']))
{
	// Output headers
	// output content of file
	echo 'file is '.$download_folder.$_GET['file'];
}
else 
{
	echo 'Invalid link followed.';
}
?>

 

[unknowngiver]

hey guys
great so far it works
but i cant seem to get the header thing to work...how do i make it so that ANY file can be downloaded [like in the php manual..they specify that its a PDF] ?
i know that mostly i will be uploading .ZIP and .RAR files

also..second question..how do i make it that it uses the Vbulletin theme and stuff..so that it looks like a part of vbulletin forum...like on namepros...u have the domain management which is embeded in vbulletin

 

[Eric]

hey guys
great so far it works
but i cant seem to get the header thing to work...how do i make it so that ANY file can be downloaded [like in the php manual..they specify that its a PDF] ?
i know that mostly i will be uploading .ZIP and .RAR files

also..second question..how do i make it that it uses the Vbulletin theme and stuff..so that it looks like a part of vbulletin forum...like on namepros...u have the domain management which is embeded in vbulletin

what vBulletin version are you using?

For 3.5.x or 3.6.x something like:

<?php

// ####################### SET PHP ENVIRONMENT ###########################
error_reporting(E_ALL & ~E_NOTICE);
// uncomment if outside your forum root
//chdir('/path/to/your/forum/root/');

// #################### DEFINE IMPORTANT CONSTANTS #######################
define('THIS_SCRIPT', 'download');
define('DL_FOLDER', '');

// ################### PRE-CACHE TEMPLATES AND DATA ######################
// get special phrase groups
$phrasegroups = array();

// get special data templates from the datastore
$specialtemplates = array();

// pre-cache templates used by all actions
$globaltemplates = array();

// pre-cache templates used by specific actions
$actiontemplates = array();

// ######################### REQUIRE BACK-END ############################
require_once('./global.php');

if ($vbulletin->userinfo['userid'] == 0 OR !($permissions['forumpermissions'] & $vbulletin->bf_ugp_forumpermissions['canview']))
{
	print_no_permission();
}

// #######################################################################
// ######################## START MAIN SCRIPT ############################
// #######################################################################
if (isset($_GET['file']) AND preg_match('#^[_.a-z0-9]+$#i', $_GET['file']) AND is_file(DL_FOLDER . $_GET['file']))
{
	// determine file type, and output appropriate headers & file content
}
else
{
	eval(print_standard_redirect('Invalid download link specified', false));
}

//
$navbits = construct_navbits(array('' => 'Download'));
eval('$navbar = "' . fetch_template('navbar') . '";');
eval('print_output("' . fetch_template('yourdltemplate') . '");');

?>

replace 'yourdltemplate', with the var_name of the template you make for the download page.

 

[Jim_]

Just use a generic mime type like 'application/octet-stream' for everything. :p

 

[unknowngiver]

what vBulletin version are you using?

For 3.5.x or 3.6.x something like:

<?php

// ####################### SET PHP ENVIRONMENT ###########################
error_reporting(E_ALL & ~E_NOTICE);
// uncomment if outside your forum root
//chdir('/path/to/your/forum/root/');

// #################### DEFINE IMPORTANT CONSTANTS #######################
define('THIS_SCRIPT', 'download');
define('DL_FOLDER', '');

// ################### PRE-CACHE TEMPLATES AND DATA ######################
// get special phrase groups
$phrasegroups = array();

// get special data templates from the datastore
$specialtemplates = array();

// pre-cache templates used by all actions
$globaltemplates = array();

// pre-cache templates used by specific actions
$actiontemplates = array();

// ######################### REQUIRE BACK-END ############################
require_once('./global.php');

if ($vbulletin->userinfo['userid'] == 0 OR !($permissions['forumpermissions'] & $vbulletin->bf_ugp_forumpermissions['canview']))
{
	print_no_permission();
}

// #######################################################################
// ######################## START MAIN SCRIPT ############################
// #######################################################################
if (isset($_GET['file']) AND preg_match('#^[_.a-z0-9]+$#i', $_GET['file']) AND is_file(DL_FOLDER . $_GET['file']))
{
	// determine file type, and output appropriate headers & file content
}
else
{
	eval(print_standard_redirect('Invalid download link specified', false));
}

//
$navbits = construct_navbits(array('' => 'Download'));
eval('$navbar = "' . fetch_template('navbar') . '";');
eval('print_output("' . fetch_template('yourdltemplate') . '");');

?>

replace 'yourdltemplate', with the var_name of the template you make for the download page.

and what do i put in the new template :S

 

[unknowngiver]

hey
looking at the vbadvanced portal i made this:

$stylevar[htmldoctype]
<html dir="$stylevar[textdirection]" lang="$stylevar[languagecode]">
<head>
<title>$vboptions[hometitle] <if condition="$pagetitle">- $pagetitle</if></title>

$headinclude

<if condition="$show['inlinemod']"><script type="text/javascript" src="clientscript/vbulletin_inlinemod.js"></script></if>

</head>
<body>

$header

$navbar


<table align="center" class="page" cellspacing="0" cellpadding="0" width="100%">
<tr valign="top">

<if condition="$show['left_column']">

<td width="$vba_style[portal_leftcolwidth]">

$home[leftblocks]

</td>

<!-- Spacer Cell -->
<td width="$vba_style[portal_colspacing]"><img alt="" src="$vboptions[bburl]/$vboptions[cleargifurl]" width="$vba_style[portal_colspacing]" /></td>
<!-- / Spacer Cell -->

</if>



<td valign="top">

DOWNLOAD WILL BE HERE

</td>
</if>


<if condition="$show['right_column']">

<!-- Spacer Cell -->
<td width="$vba_style[portal_colspacing]"><img alt="" src="$vboptions[bburl]/$vboptions[cleargifurl]" width="$vba_style[portal_colspacing]" /></td>
<!-- / Spacer Cell -->

<td valign="top" width="$vba_style[portal_rightcolwidth]">

$home[rightblocks]

</td>
</if>

</tr>
</table>

$footer

</body>
</html>

but now how do i add the download thing in there? Since templates cant hold PHP code

p.s: yes now i have 3.6

 

[tm]

Link to another page that has php...

 

[unknowngiver]

hm? there is no other page..this is the page...download.php

 

[unknowngiver]

bump

 

[Alex.]

you save the first script into a folder, and the template into your template folder.
then make sure the link to the temp. at the bottom of the script is right, and by the sound of it you should be good to gm.
though i might be wrong, i know nothing about VB.

 

[unknowngiver]

the page works...but the program is...that the output from the php file is shown at the very top ...and the output in the template is shown where it should be...but i cant use php in the template

 

[unknowngiver]

bump