Hi everyone. I am trying to build a script where a user of my website can download files. I have a problem. My site has two different user types, Free and Premium; at the moment the only protection I have on the script is to check whether the user is logged in. I am trying to add some protection to the premium files so that the user cannot download it if they do not have a premium account. To download a file the user has to click on a link (download.php?id=1234ABCD). I am a bit worried that if someone shares a link to a premium file someone will be able to download it if they are not a premium member. Here is my download code.
<?php
require 'connect.php';
require 'include/functions.php';

if (isset($_COOKIE['username'])) {
    // Note: the username comes from a client-controlled cookie and, like
    // $_GET['uid'] below, is concatenated into the query without escaping.
    $user_sql = mysql_query("SELECT * FROM users WHERE username='" . $_COOKIE['username'] . "'");
    $user_fetch = mysql_fetch_assoc($user_sql);
    $sql = mysql_query("SELECT * FROM files WHERE link='" . $_GET['uid'] . "'");
    $row = mysql_fetch_assoc($sql);
    $path = '627f7603682bd4e725252c47bf9fecb41b602277a4d5/' . $_GET['uid'] . '.zip';
    $filename = $row['file'];
    $type = $row['type'];
    // Label used in the downloaded file name (0 = free, anything else = premium)
    if ($type == 0) {
        $type = "Free";
    } else {
        $type = "Premium";
    }
    // Download speed in KB/s depends on the account type
    if ($user_fetch['premium'] == 0) {
        $speed = 325;
    } else {
        $speed = 650;
    }
    if (file_exists($path) && is_file($path)) {
        header("Pragma: public");
        header("Expires: 0");
        header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
        header("Cache-Control: public");
        header("Content-Description: File Transfer");
        header("Content-type: application/octet-stream");
        header("Content-disposition: attachment; filename=" . $filename . " (" . $type . ").zip");
        header("Content-Length: " . (string)(filesize($path)));
        header("Content-Transfer-Encoding: binary");
        flush();
        // Send the file in chunks of $speed KB, one chunk per second
        $fd = fopen($path, "r");
        while (!feof($fd)) {
            echo fread($fd, round($speed * 1024));
            flush();
            sleep(1);
        }
        fclose($fd);
    } else {
        header("location: index.php?ref=dlnoexist");
        exit;
    }
    // Record the download
    $id = rand(000000, 999999);
    $id = md5($id);
    $id = substr($id, 0, 12);
    $timedate = date('l jS F Y - h:i');
    mysql_query("INSERT INTO user_downloads VALUES('" . $id . "','" . $_COOKIE['username'] . "','" . $filename . "','" . $row['type'] . "','" . $timedate . "','" . date('dmy') . "','" . date('m') . "','" . date('Y') . "','" . getRealIpAddr() . "')");
} else {
    header("location: index.php?ref=nologin");
    exit;
}
?>
I have tried adding
if ($type == 1 && $fetch['premium'] == 1) {
    //download
} else if ($type == 1 && $fetch['premium'] == 0) {
    header('location: index.php?ref=notpremium');
}
?>
But it won't work and I don't know what to do if the user tries to download a free file. Please could I have some help and I am sorry I have not provided enough information.
Thanks in advance.
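As an added example (not the poster's code and not a reply from the thread), here is a version of the handler that performs the premium check on the server before any bytes are sent, and lets free files through for every logged-in user. It assumes connect.php exposes a PDO handle `$pdo`, that the logged-in user's id is kept in `$_SESSION['user_id']` rather than in a client-set cookie, and the poster's own tables (users.premium, files.link / files.file / files.type, with type 1 meaning premium); throttling and the download log are left out.

```php
<?php
// Added example, not the poster's script. Assumptions: connect.php provides a PDO
// handle $pdo; the user's id lives in $_SESSION['user_id'] (server-side, unlike a
// cookie the client can rewrite); tables users(id, premium) and files(link, file, type).
session_start();
require 'connect.php';
const STORAGE_DIR = __DIR__ . '/627f7603682bd4e725252c47bf9fecb41b602277a4d5';

function deny(string $reason): void {
    header('Location: index.php?ref=' . $reason);
    exit; // always stop after a redirect, otherwise the rest of the script still runs
}

if (empty($_SESSION['user_id'])) {
    deny('nologin');
}
// Look the file up with a prepared statement so the uid never enters SQL text.
$stmt = $pdo->prepare('SELECT link, file, type FROM files WHERE link = ?');
$stmt->execute([$_GET['uid'] ?? '']);
$file = $stmt->fetch(PDO::FETCH_ASSOC);
if ($file === false) {
    deny('dlnoexist');
}
$stmt = $pdo->prepare('SELECT premium FROM users WHERE id = ?');
$stmt->execute([$_SESSION['user_id']]);
$user = $stmt->fetch(PDO::FETCH_ASSOC);

// The check the question asks for: a premium file needs a premium account.
// Free files (type 0) fall through for anyone who is logged in.
$isPremiumFile = ((int)$file['type'] === 1);
$isPremiumUser = ($user !== false && (int)$user['premium'] === 1);
if ($isPremiumFile && !$isPremiumUser) {
    deny('notpremium');
}
// Build the path from the database row, not from the request, and confirm it
// resolves inside the storage directory before reading it.
$path = realpath(STORAGE_DIR . '/' . basename($file['link']) . '.zip');
$base = realpath(STORAGE_DIR) . DIRECTORY_SEPARATOR;
if ($path === false || strpos($path, $base) !== 0 || !is_file($path)) {
    deny('dlnoexist');
}
$label = $isPremiumFile ? 'Premium' : 'Free';
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($file['file']) . ' (' . $label . ').zip"');
header('Content-Length: ' . filesize($path));
readfile($path);
exit;
```

Because the decision is made from the database row and the server-side session, a shared link to a premium file only yields a redirect to notpremium for a free account.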