Author |
Topic |
tribaliztic
Senior Member
Sweden
1532 Posts |
Posted - 06 July 2004 : 06:46:58
|
I was going through some old bookmarks and found this, did anyone make anything good of this? http://forum.snitz.com/forum/topic.asp?ARCHIVE=true&TOPIC_ID=48686 I would like to have a file library where there are no links to the files, so that you cannot send a link and have 200 people download a movie without going through my site. To just be logged in is not enough apparently.
|
/Tribaliztic - www.gotlandrace.se -
|
|
tribaliztic
Senior Member
Sweden
1532 Posts |
Posted - 11 January 2005 : 09:29:17
|
Oops, no answers? Are all of you letting people suck out all of your valuable bandwidth? ;)
|
/Tribaliztic - www.gotlandrace.se -
|
|
|
Shaggy
Support Moderator
Ireland
6780 Posts |
Posted - 11 January 2005 : 09:50:15
|
You mean something like what I do on MeTV? (username: test, password: snitz)
What I do is store the URI of each file in the database with a unique id and then use a separate file to handle the download which can be used to check if the referring link came from your domain, etc.
If this sounds like what you want, let me know and I'll post the relevant file for you.
|
Search is your friend “I was having a mildly paranoid day, mostly due to the fact that the mad priest lady from over the river had taken to nailing weasels to my front door again.” |
|
|
tribaliztic
Senior Member
Sweden
1532 Posts |
Posted - 11 January 2005 : 11:31:52
|
Is there no way to get around that? =) And do you have a nice page where you insert the url:s? I'd LOVE to have a look at the code ;)
|
/Tribaliztic - www.gotlandrace.se -
|
|
|
Shaggy
Support Moderator
Ireland
6780 Posts |
Posted - 11 January 2005 : 12:17:52
|
No way to get around which bit? Yeah, I have an admin area on my site where I can add/remove/edit files. I'll give you a gander if you want but my code ain't exactly reader friendly!
|
Search is your friend “I was having a mildly paranoid day, mostly due to the fact that the mad priest lady from over the river had taken to nailing weasels to my front door again.” |
|
|
tribaliztic
Senior Member
Sweden
1532 Posts |
Posted - 11 January 2005 : 17:01:34
|
Well.. a way to download the files without going via your page with the referrer check I mean..
I code like a maniac, can't follow my own code sometimes so I think I'll give yours a try also ;)
|
/Tribaliztic - www.gotlandrace.se -
|
|
|
Davio
Development Team Member
Jamaica
12217 Posts |
Posted - 11 January 2005 : 17:17:04
|
I have my files downloaded using a file id. Like download.asp?file_id=55
I have the script set up to mask the url to the file, so the person only sees he is downloading the file from download.asp?file_id=55 and not the actual location.
I am sure there are ways you can restrict the downloads only to persons on your site. Like maybe checking the session id. But I haven't really thought about it. |
Support Snitz Forums
|
|
|
tribaliztic
Senior Member
Sweden
1532 Posts |
Posted - 11 January 2005 : 17:52:40
|
As long as any visitor can't just copy the url and post it on zillions of other sites it's fine. We need our bandwidth! =)
|
/Tribaliztic - www.gotlandrace.se -
|
|
|
muzishun
Senior Member
United States
1079 Posts |
Posted - 11 January 2005 : 21:25:23
|
Davio, would you mind sharing the code to do that? I've been considering something like this for a little while now. |
Bill Parrott Senior Web Programmer, University of Kansas Co-Owner and Code Monkey, Eternal Second Designs (www.eternalsecond.com) Personal Website (www.chimericdream.com) |
|
|
Shaggy
Support Moderator
Ireland
6780 Posts |
Posted - 12 January 2005 : 06:37:57
|
tribaliztic, they'll still be able to copy and paste the download.asp?id=x link but, as long as you have a check to see that the link came from your site, you can serve them up an error message. Here's a simplified extract from my download.asp file that should point you in the right direction.

blnAllowed=false 'your check here: set to true when the request passes (e.g. the referer is on your domain)
if blnAllowed then
  'TABLE and URL stand for your own table and column names
  'clng() raises an error on a non-numeric id, so only a number reaches the SQL
  set rs=my_conn.execute("SELECT URL FROM TABLE WHERE ID="&clng(request.querystring("id")))
  if not (rs.bof or rs.eof) then
    server.scripttimeout=720
    set objStream=server.createobject("ADODB.Stream")
    objStream.open
    objStream.type=1 'binary
    objStream.loadfromfile server.mappath(rs("URL"))
    'file name is everything after the last backslash
    response.addheader "content-disposition","attachment;filename="&mid(rs("URL"),instrrev(rs("URL"),"\")+1)
    response.charset="utf-8"
    'extension is everything after the last dot
    select case lcase(mid(rs("URL"),instrrev(rs("URL"),".")+1))
      case "ext":response.contenttype="mime-type" 'one case per file type you serve
      case else:response.contenttype="application/octet-stream"
    end select
    response.binarywrite objStream.read
    objStream.close
    set objStream=nothing
  else
    response.write "File not found"
  end if
  rs.close
  set rs=nothing
else
  response.write "Referer outside your domain"
end if

As I said, this is an extremely simplified extract meant only to point you in the right direction. If you've got any more queries, let me know and I'll go into more detail when I've a bit more time on my hands.
|
Search is your friend “I was having a mildly paranoid day, mostly due to the fact that the mad priest lady from over the river had taken to nailing weasels to my front door again.” |
|
|
tribaliztic
Senior Member
Sweden
1532 Posts |
Posted - 12 January 2005 : 10:15:41
|
Well, if it's just the referrer check that's the security I can use ordinary links.. Or?
There must be some way to only let logged on users download our files?
|
/Tribaliztic - www.gotlandrace.se -
|
|
|
Shaggy
Support Moderator
Ireland
6780 Posts |
Posted - 12 January 2005 : 10:23:45
|
Yep, include config.asp and inc_header.asp at the start of download.asp and set download.asp to check if mlev>0. If you're doing this, don't forget to call writefooter at the end of download.asp.
Alternatively, you could set up a password protected directory on your server to hold your downloadable files.
|
Search is your friend “I was having a mildly paranoid day, mostly due to the fact that the mad priest lady from over the river had taken to nailing weasels to my front door again.” |
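The two checks discussed in this thread, the mlev>0 login test and the "did the link come from your domain" referer test, combined in one gate as an added example; it is not code from any poster or from Snitz. UrlHost and MayDownload are hypothetical names, and mlev is assumed to be set by inc_header.asp as described above. The Referer header is supplied by the client, so the login test is the actual gate and the referer comparison only filters links followed from other sites.

```vbscript
' Added example, not from the thread. UrlHost and MayDownload are hypothetical names.
' Assumes download.asp has included config.asp and inc_header.asp, so mlev is set.

' Host part of an absolute http(s) URL, lower-cased, without userinfo or port.
Function UrlHost(strUrl)
    Dim s, p, ch
    UrlHost = ""
    If LCase(Left(strUrl, 7)) = "http://" Then
        s = Mid(strUrl, 8)
    ElseIf LCase(Left(strUrl, 8)) = "https://" Then
        s = Mid(strUrl, 9)
    Else
        Exit Function                      ' anything else has no usable host
    End If
    For Each ch In Array("/", "?", "#")    ' the host ends at the first of these
        p = InStr(s, ch)
        If p > 0 Then s = Left(s, p - 1)
    Next
    p = InStrRev(s, "@")                   ' drop user:password@
    If p > 0 Then s = Mid(s, p + 1)
    p = InStr(s, ":")                      ' drop :port (IPv6 literals are not handled)
    If p > 0 Then s = Left(s, p - 1)
    UrlHost = LCase(s)
End Function

' True only for a logged-in member whose request was not followed from another site.
Function MayDownload(lngMemberLevel, strReferer, strHost)
    MayDownload = False
    If lngMemberLevel < 1 Then Exit Function          ' not logged in
    If strReferer <> "" Then
        ' Compare whole host names: a substring test would also accept
        ' http://other.example/?from=www.yoursite.example (constructed URL).
        If UrlHost(strReferer) <> UrlHost("http://" & strHost) Then Exit Function
    End If
    ' An empty Referer is accepted: some browsers and proxies never send one.
    MayDownload = True
End Function

If MayDownload(mlev, Request.ServerVariables("HTTP_REFERER"), _
               Request.ServerVariables("HTTP_HOST")) Then
    ' look up the id and stream the file, as in the download.asp code in this thread
Else
    Response.Write "Please log in and start the download from this site."
End If
```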
|
|
tribaliztic
Senior Member
Sweden
1532 Posts |
Posted - 12 January 2005 : 10:44:59
|
So... I (somehow) make a page with links that are masked like davio is talking about, and then make that page check if the user is logged in or not. Then there shouldn't be any way a user can get to the file without going through that page AND clicking on the "hidden" link.. ? =)
|
/Tribaliztic - www.gotlandrace.se -
|
|
|
Shaggy
Support Moderator
Ireland
6780 Posts |
Posted - 12 January 2005 : 10:55:23
|
Exactly. Only additional thing I'd suggest if you're as paranoid as I am about this would be to give your downloads directory an obscure enough name as anyone who downloads a file will have your domain name and the name of the file, therefore all they'd need for the complete URL would be the directory name - if it has a generic name like "downloads" that's easy to guess, it won't take very long for someone intent on posting your files elsewhere to guess the direct URLs to all your files.
|
Search is your friend “I was having a mildly paranoid day, mostly due to the fact that the mad priest lady from over the river had taken to nailing weasels to my front door again.” |
|
|
tribaliztic
Senior Member
Sweden
1532 Posts |
Posted - 12 January 2005 : 11:00:03
|
Shaggy: Of course =)
Davio: do you mind sharing your code?
|
/Tribaliztic - www.gotlandrace.se -
|
|
|
Davio
Development Team Member
Jamaica
12217 Posts |
Posted - 12 January 2005 : 14:48:45
|
Here's the code for my download.asp file. It is very similar to Shaggy's own.

<% Option Explicit
Dim id
Dim ConnString, Conn, strSql, rsMod
Dim adoStream, objFSO, objFile
Dim strFilePath, strPhyPath, strFileName, strFileSize, dteModDate
Dim intErrCount
intErrCount = 0
id = Request.QueryString("file_id")
if id <> "" and IsNumeric(id) then
    ConnString = "driver={MySQL ODBC 3.51 Driver};server=*****;uid=*****;pwd=*****;database=*****" '## MySQL
    set Conn = Server.CreateObject("ADODB.Connection")
    Conn.Open ConnString
    '### Get the path to the file from database
    'CLng rather than CInt, which raises an overflow error for ids above 32767
    strSql = "SELECT FILE_PATH FROM MOD_NAME WHERE FILE_ID = " & CLng(id)
    set rsMod = Server.CreateObject("ADODB.Recordset")
    rsMod.open strSql, Conn
    'Check if file exists
    if rsMod.EOF or rsMod.BOF then
        ErrorMsg()
        intErrCount = 1
    else
        'Store relative and physical file path in variables
        strFilePath = rsMod("FILE_PATH")
        strPhyPath = Server.MapPath(strFilePath)
    end if
    rsMod.close
    set rsMod = nothing
    if intErrCount = 0 then
        'if there were no errors, we update the download count for this file,
        'and get the file to begin download
        dteModDate = year(Now()) & doublenum(Month(Now())) & doublenum(Day(Now()))
        '### Update database with new download count
        strSql = "UPDATE MOD_INFO SET DOWNLOADS = DOWNLOADS + 1, DOWNLOAD_DATE = '" & dteModDate & "' WHERE FILE_ID = " & CLng(id)
        Conn.Execute(strSql)
        Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
        Set objFile = objFSO.GetFile(strPhyPath)
        Set adoStream = Server.CreateObject("ADODB.Stream")
        adoStream.Open
        adoStream.Type = 1 'binary
        adoStream.LoadFromFile strPhyPath
        strFileName = Mid(strFilePath, InStrRev(strFilePath, "/")+1) 'the file name
        strFileSize = objFile.Size 'file size
        Response.ContentType = "application/zip" 'type of file they will be downloading
        'forces the save/open box; the name is quoted so that names containing spaces survive
        Response.AddHeader "Content-Disposition", "attachment;filename=""" & strFileName & """"
        Response.AddHeader "Content-Length", strFileSize 'optional: send file size to browser
        Response.BinaryWrite adoStream.Read
        Response.Flush
        adoStream.Close
        Set adoStream = nothing
        Set objFile = nothing
        Set objFSO = nothing
    end if
    Conn.Close
    set Conn = nothing
else
    'call error message when id is empty or is not a number
    ErrorMsg()
end if
'ErrorMsg was not included in the post; this is a minimal stand-in so the page runs
sub ErrorMsg()
    Response.Write "The file you requested could not be found."
end sub
'pad a one-digit number with a leading zero
function doublenum(Num)
    if Num > 9 then
        doublenum = Num
    else
        doublenum = "0" & Num
    end if
end function
%>
|
Support Snitz Forums
|
|
|