Secure “Hidden” File Save PHP


Protecting your valuable computer file is important! And you want only the people who paid for it to be able to download it, right? Some webpages say it is impossible to stop a file from being saved, but my team came up with a solution. We fully integrated PHP with MySQL to make sure you can't share your link with a friend. We could do this with IP addresses, but that is too vulnerable to proxies. Also, opening a file directly can be traced back to a URL such as “http://example.com/Download.mp3”. Here is a simple PHP script to help secure your file downloads.


<?php
/*
Secure Download Script
(C) 2014 TACTIIAN STUDIOS LLC
Developed by Katy Pillman and Nathan Pillman
-----------------------------------------------
MYSQL:
CREATE TABLE IF NOT EXISTS `save` (
`sessionID` varchar(500) NOT NULL,
`IP` varchar(500) NOT NULL DEFAULT 'n/a',
`location` varchar(5000) NOT NULL,
`expired` varchar(25) NOT NULL DEFAULT 'FALSE'
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
*/
// You may verify that domain is "http://files.example.com/Download" if you like!
$actual_link = "http://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]";

// Variables, DO NOT TOUCH!
$test = "good";
$block = 'BAD';

// Set Login Information
$dbhost = 'localhost';
$dbuser = 'username';
$dbpass = 'password';
$dbname = 'database-name';

$conn = mysql_connect($dbhost, $dbuser, $dbpass);
if(! $conn )
{
die('Could not connect: ' . mysql_error());
}
// If IP Lock, use variable $ip
$ip = $_SERVER['REMOTE_ADDR'];

$key = $_GET['key'];
$sql = "SELECT * FROM `save` WHERE `sessionID` = \"".$key."\"";
mysql_select_db($dbname);

$retval = mysql_query( $sql, $conn );

if(! $retval )
{
die('Could not find file!');
}
$info = mysql_fetch_array( $retval );
$data = $info['location'];
$valid = (string)$info['expired'];

// Updates expired to true, to remove re-download
$sql2 = "UPDATE `save` SET `expired`= \"TRUE\" WHERE `sessionID` = '".$key."'";
mysql_select_db($dbname);
$result = mysql_query( $sql2, $conn );

// Finish MySQL work
mysql_close($conn);

// If expired does not equal FALSE, block the save; this also helps prevent a .php file being
// served when there is no real file.
if($valid != "FALSE")
{
$test = $block;
}
if($test != $block)
{
// Edit to fit file settings, $data contains full URL grabbed from Database
header('Content-Disposition: attachment; filename="'.basename($data).'"');
header("Content-Transfer-Encoding: binary");
header("Content-Type: audio/mpeg, audio/x-mpeg, audio/x-mpeg-3, audio/mpeg3");

readfile($data);

}else
{
// Redirect page, 404 will be best suitable if not homepage
header('Location: http://example.com/404');
exit();
}

?>

This file is small, yet effective! It is a life saver for people new to the industry of sharing premium files. This script could be secured even further and modified for an IP lock as well as a login lock. Feel free to use it commercially, but email me in advance!
dev@mail.tsiserver.us
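A hardened rewrite of the script above, added here as an example and not the post's own code: it keeps the post's `save` table but uses PDO prepared statements (as the comments below suggest), validates the key before any query, consumes the token with a single conditional UPDATE so that two simultaneous requests cannot both download, and serves files only from a private directory rather than from a URL. The storage directory, DSN, credentials and the 32-hex-character key format are assumptions.

```php
<?php
// Hardened one-time download handler (added example, not the original script).
// Assumes: PHP 7+ with PDO, the `save` table from the post, and that
// `location` holds a file name inside $storageDir (outside the web root),
// not a URL. Table/column names are the post's; everything else is assumed.

$storageDir = '/var/www/private-files/';           // not web-accessible (assumed)
$dsn        = 'mysql:host=localhost;dbname=database-name;charset=utf8mb4';
$pdo = new PDO($dsn, 'username', 'password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
]);

// 1. Validate the token before touching the database: a strict 32-hex-char
//    format rejects injection attempts cheaply (the format is an assumption).
$key = $_GET['key'] ?? '';
if (!preg_match('/\A[0-9a-f]{32}\z/', $key)) {
    http_response_code(404);
    exit;
}

// 2. Consume the token atomically: the UPDATE only succeeds while it is still
//    unexpired, so two concurrent requests cannot both download.
//    The original script does SELECT then UPDATE, which is a race.
$consume = $pdo->prepare(
    "UPDATE `save` SET `expired` = 'TRUE'
      WHERE `sessionID` = :key AND `expired` = 'FALSE'"
);
$consume->execute([':key' => $key]);
if ($consume->rowCount() !== 1) {
    http_response_code(404);   // unknown, already used, or expired
    exit;
}

// 3. Look up the file and confine it to the storage directory.
$lookup = $pdo->prepare("SELECT `location` FROM `save` WHERE `sessionID` = :key");
$lookup->execute([':key' => $key]);
$path = realpath($storageDir . basename((string)$lookup->fetchColumn()));
if ($path === false || strpos($path, realpath($storageDir) . '/') !== 0 || !is_file($path)) {
    http_response_code(404);
    exit;
}

// 4. Stream the file with a safe filename and a single Content-Type.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```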

Author

Katy Pillman

Katy Pillman is the Lead Programmer for Tactician Studios LLC. She is young, but experienced in the technical field, and writes in her free time.


4 Comments

  1. Dave July 11, 2014 at 10:52 am

    I would just like to say that you should not be using mysql_* functions. Use MySQLi or PDO with prepared statements. The mysql_* functions are not safe, and are deprecated.

    Also your key variable is directly getting data from the url, it does not even sanitize the data, which can lead to SQL injection, which can be a huge security flaw.

    • Katy Pillman July 11, 2014 at 12:28 pm

      This is the ‘stripped’ down version of what you should use. Full security measures can include a domain as well as an IP check. There are many ways to improve this, but for a newcomer, this is a great start. Also, ban all IPs who even try a MySQL injection; they obviously want to pirate the software, correct?

      • Dave July 11, 2014 at 2:51 pm

        Yes, but “newcomers” don't have the skill, as soon as they learn PHP, to detect all SQL injection and then ban an IP address. It would be better to prevent SQL injection in the first place. Banning IPs should not be heavily relied on. What if the person changes their IP, or if it changes automatically? What about proxies, VPNs, and Tor? If they want to SQL inject your site, they will. mysql_* functions are obsolete and should not be used. PDO is more secure.

        • Katy Pillman July 11, 2014 at 3:16 pm

          Banning an IP is an option. There are many more ways to protect this page. If a user does not know a key, you can easily generate all the keys to a specific length and definite char values at indexOf(*). If these demands are not met, don't even contact any database. This is a free ‘stripped’ down version of an example. It is not perfect, and that is because it's free! Use whatever MySQL functions you want, but this is an example that is FREE.
