Welcome Guest, Not a member yet? Register   Sign In
Downloading zip files and securing folders


I need a bit of advice regarding securing download folders. I've got my CI powered site running nicely (http://www.cbsnooper.com) but am making various enhancements over the coming months.

Im using DX Auth for the membership system. I'm going to be offering some free stuff to download for the members. The link to download will be available via their dashboard.

I'm wanting to know the best way to secure the download folder so none members can't get at it using google and 'site:www.cbsnooper.com filetype:zip' or whatever. I know I can set up a robots.txt and put an empty index.html file in the folder, but what is the best practice for this sort of thing, so users can't directly access stuff they shouldn't.



[eluser]Evil Wizard[/eluser]
store the downloads outside of the web root, that way browsers and bots cannot access your files, and pass the user a link to a download controller that would verify the users id and logged in status before using php to read in the contents of the file to a variable and pass to the download helper. That way you can log which users are downloading the files, which files are the most popular and so on. For Kernals sake though avoid anything along the lines of "../../path/to/download/filename.ext" thats leaving yourself open to... well exploits lol

e.g. store in ../downloads

Force download in controller:
// (...) do something to authenticate visitor

// Fetch download filename from database
$filename = $this->downloads->fetch((int) $this->uri->segment(3))
$file = '../downloads/' . filename ;

// Read file contents and force download
if (file_exists($file) && is_file($file)) {
    $data = file_get_contents($file);
    force_download($filename, $data);
else {
    show_error('Sorry, this file does not seem to exist');

Thanks for the info and code. That's more or less how I was going to do it. I was just unsure about the folder getting indexed by G.



Personally, I hate putting anything above my htdocs (I prefer everything in one folder). So, what you could do, make a ./downloads folder and put in a broken .htaccess file (or a valid file which prevents downloads) in the downloads folder. If anyone tries to access the files, they'll get an error, and you can still read the file and stream it to the browser.

[quote author="Thomas Hunter" date="1252015554"]...put in a broken .htaccess file (or a valid file which prevents downloads) in the downloads folder.[/quote]

I have no qualms with putting it above the virtual root, but if you do need to put it in the virtual root (hosting config, preference, etc.) as Thomas suggests, the .htaccess file for that folder has very simple syntax:

deny from all

Theme © iAndrew 2016 - Forum software by © MyBB