1

I am developing an online video selling website in PHP. To download a specific video, the user pays a particular amount, then I provide a link to download the video. I used the following code to provide a download link to the user.

header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename='.basename($file));
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate');
header('Pragma: public');
header('Content-Length: ' . filesize($file));
ob_clean();
flush();
readfile($file);
exit;

I have stored all the videos in a particular folder. How can I prevent users from looking through that video folder and downloading videos for free, or from grabbing the website and downloading all the content?

Sumit P Makwana

3 Answers

5

Keep the folder outside the server's DocumentRoot, so the files can only be accessed through your script.

Quentin
1

You can make the folder in which you have media files Forbidden using .htaccess.

RedirectMatch 403 ^.*/sub/folder/index\.php$

(OR)

<Directory full-path-to/USERS>
     Order Deny,Allow
     Deny from All
</Directory>
Vinoth Babu
0

Store in a database what files the user has purchased, and run a check in your download script whether that user is allowed to download that file; if not, redirect them.

MadDokMike
  • For example, I have five files in the videoupload folder, and somehow a user manages to get the path of that list. How can I prevent the user from getting the path, or, even if they manage to get the path somehow, from directly downloading a file using that path, i.e. www.xyz.com/videouploads/1.mp4 – Sumit P Makwana Apr 29 '13 at 10:51
  • Well, when the user pays for the file / actions an order for it, you generate a unique key (string/integer) for that instance, store it in the DB, then pass that key along in the URL to the download link, then check it against your DB before you give access to the user to download the file. So do the check before all your header() calls; then if the check fails, redirect the user to a "stop trying to steal my files" page :D – MadDokMike Apr 29 '13 at 16:11
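
The three answers combined (files kept outside DocumentRoot, a purchase record in the database, a unique key checked before any header() call), as an added example that is not code from the question or from any answerer. The `purchases` table and its columns, the function names, the user id and the directory are hypothetical; PHP 8 with the PDO SQLite driver is assumed for the constructed demo at the bottom.

```php
<?php
// Call once payment succeeds: store an unguessable key for this user and file.
function issueDownloadKey(PDO $db, int $userId, string $filename): string
{
    $key = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $db->prepare('INSERT INTO purchases VALUES (?, ?, ?)')->execute([$key, $userId, $filename]);
    return $key;
}

// Return the file path this key entitles the logged-in user to, or null.
function resolveDownload(PDO $db, int $userId, string $key, string $videoDir): ?string
{
    $stmt = $db->prepare('SELECT filename FROM purchases WHERE download_key = ? AND user_id = ?');
    $stmt->execute([$key, $userId]);
    $filename = $stmt->fetchColumn();
    if ($filename === false) {
        return null; // unknown key, or a key issued to a different user
    }
    // The resolved path must stay inside the private video directory.
    $base = realpath($videoDir);
    $path = realpath($videoDir . '/' . basename((string) $filename));
    if ($base === false || $path === false || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $path;
}

// Body of a download script: the check runs before any header() call.
function sendDownload(PDO $db, int $userId, string $key, string $videoDir): void
{
    $path = resolveDownload($db, $userId, $key, $videoDir);
    if ($path === null) {
        http_response_code(403); // or redirect, as the answer suggests
        exit;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

if (PHP_SAPI === 'cli') { // constructed demo: temp directory, in-memory SQLite
    $dir = sys_get_temp_dir(); // stands in for a folder outside DocumentRoot
    file_put_contents($dir . '/demo-1.mp4', 'constructed sample bytes');
    $db = new PDO('sqlite::memory:');
    $db->exec('CREATE TABLE purchases (download_key TEXT PRIMARY KEY, user_id INTEGER, filename TEXT)');
    $key = issueDownloadKey($db, 7, 'demo-1.mp4');
    var_dump(resolveDownload($db, 7, $key, $dir), resolveDownload($db, 8, $key, $dir));
}
```

In a real download script the user id would come from the authenticated session and the key from the request, never the file name or path itself.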