
Sorry if my question is not clear, but what I want is this: if I just enter a download link into my browser (ex. domain.com/download.php?file=somefile), it will redirect to the download page of the file and will not download the file. But if it was submitted by the form from the download page, it will download the file. Is it possible to do this in PHP? Thank you in advance to anyone who can help me.

Sorry.. I see now that this was already asked.. but because I'm still new to PHP, I never saw it at first because I didn't know that it's called CSRF protection/prevention until now.

kaizer
  • Sounds like a job for [CSRF](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)). What does your form look like? Is it doing a GET request to the download URL when submitted? Please add the form to your question. – M. Eriksson Jul 05 '18 at 06:09
  • On successful form submission add some value to the session, i.e. `$_SESSION['download'] = "approved";` then verify it on the download page. – Tom Jul 05 '18 at 06:13
  • Here is my form
    – kaizer Jul 05 '18 at 06:21
  • In your dl.php file you can check `$_SERVER['HTTP_REFERER']`; if the returned result is not what you expect, then redirect to the download page, otherwise process the request. –  Jul 05 '18 at 06:26
  • Let me check that.. sorry, I'm still a newbie to PHP so for almost every answer I need to google it first to learn what it does – kaizer Jul 05 '18 at 06:28
  • Thank you jeff.. looks like that's exactly what I need... thanks also to sir magnus and tom – kaizer Jul 05 '18 at 06:31
  • **Warning:** The `HTTP_REFERER` header is not only insecure (since it comes from the client and can be manipulated), it isn't always set. There are routers and software that omit that header for privacy reasons. Since you probably want this working for as many people as possible, you should look at the duplicate link instead (where you change `uniqid()` to `bin2hex(random_bytes(16))` for better pseudo randomness). – M. Eriksson Jul 05 '18 at 07:39
  • I changed my mind and am now trying to use SESSION, but my problem now is that in my Chrome browser it always accepts and in UC Browser it always denies.. maybe I'll try cookies instead – kaizer Jul 05 '18 at 08:01

0 Answers
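The session-token approach suggested in the comments, as an added example that is not part of the original thread: a single `download.php` that shows the download page on a plain GET and serves the file only for a POST carrying the one-time token it issued. The `FILES` allow-list, its path, and the `token` / `download_token` names are assumptions made for illustration.

```php
<?php
// download.php -- added example, not code from the thread.
// Assumptions: the FILES allow-list, its path, and the "token" field name.
declare(strict_types=1);
session_start();

// Constructed allow-list: public name => file stored outside the web root.
// Looking names up here keeps user input out of the filesystem path.
const FILES = ['somefile' => '/var/www/private/somefile.zip'];

$raw  = $_POST['file'] ?? $_GET['file'] ?? '';
$name = is_string($raw) ? $raw : '';
if (!array_key_exists($name, FILES)) {
    http_response_code(404);
    exit('Unknown file.');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $sent   = is_string($_POST['token'] ?? null) ? $_POST['token'] : '';
    $stored = (string)($_SESSION['download_token'] ?? '');
    unset($_SESSION['download_token']);   // single use: a replayed POST fails

    // hash_equals() compares in constant time; an empty stored token never passes.
    if ($stored === '' || !hash_equals($stored, $sent)) {
        header('Location: download.php?file=' . rawurlencode($name), true, 303);
        exit;
    }

    $path = FILES[$name];
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . (string)filesize($path));
    readfile($path);
    exit;
}

// Plain GET (typed or linked URL): issue a fresh token and only show the page.
$_SESSION['download_token'] = bin2hex(random_bytes(16));
$safeName = htmlspecialchars($name, ENT_QUOTES);
?>
<!doctype html>
<title>Download <?= $safeName ?></title>
<form method="post" action="download.php">
  <input type="hidden" name="file" value="<?= $safeName ?>">
  <input type="hidden" name="token" value="<?= $_SESSION['download_token'] ?>">
  <button type="submit">Download</button>
</form>
```

The token lives in the server-side session, so the check depends on the browser sending the session cookie back with the form POST.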