How to Hide Download URL

We have download simple download.php file that download files and that download.php is placed in the theme folder of WordPress, we have custom field "download_url" while adding new post and we paste download url in "download_url" field.

When user click on Download Now button it downloads the file, the issue is as I have mentioned above that download.php is placed in theme folder of WordPress so link to that download.php look extremely ugly, its something like site.com/wp-content/themes/mytheme/download.php

and the download link looks like:

site.com/wp-content/themes/mytheme/download.php?file=folder/subfolder/file.zip

We can't move the download.php to root folder as it creates issues.

Can anybody please help or suggest a solution that we can hide or adjust the URL so it may look good to eyes.

here is what we have in download.php file

<?php
$filename = $_SERVER["DOCUMENT_ROOT"] . '/' . $_GET['file'];

if(ini_get('zlib.output_compression'))
ini_set('zlib.output_compression', 'Off');

$file_extension = strtolower(substr(strrchr($filename,"."), 1));

switch($file_extension){
    case "pdf": $ctype="application/pdf"; break;
    case "exe": $ctype="application/octet-stream"; break;
    case "zip": $ctype="application/zip"; break;
    case "doc": $ctype="application/msword"; break;
    case "xls": $ctype="application/vnd.ms-excel"; break;
    case "ppt": $ctype="application/vnd.ms-powerpoint"; break;
    case "gif": $ctype="image/gif"; break;
    case "png": $ctype="image/png"; break;
    case "jpeg":
    case "jpg": $ctype="image/jpg"; break;
    default: $ctype="application/force-download";
}

if(file_exists($filename)):
    $pos = strrpos($filename, '/');
    $substr = substr($filename, $pos);
    $file_name = str_replace('/', '', $substr);
    header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
    header('Content-Type: application/octet-stream');
    header('Content-Type: application/vnd.android.package-archive');
    header("Pragma: public");
    header("Expires: 0");
    header("Cache-Control: private", false);
    header("Content-Type: $ctype");
    header("Content-Disposition: attachment; filename=" . $file_name);
    header("Content-Transfer-Encoding: binary");
    header("Content-Length: ".filesize($filename));
    readfile($filename);
else:
    echo "<h1>File not found!</h1>";
endif;
?>

PHP:

 

I'm not sure how you get the location of the file but I'm thinking that you could create an index number which references to the specific file. So you your url would change to something like download_file.php?filenumber=1 . PHP would check some sort of database which references 1 to the location of the file on the server and return the file without showing the direct location. Hope this explanation doesn't confuse you more.

 

Hi,

Thanks for your time. can we achieve this thing with .htaccess?

 

maybe easy used url shotter such goo.gl ??

 

Not possible links are in thousands.

 

I'm not sure if this will help but there are services that dynamically generate download link that are temporary like 24 or 48 hours then they get removed such service I use to use was 1shoppingcart.com for selling digital downloads. In any case maybe something along those lines will do the trick for you (just giving an idea here hope it helps).

Dan

 

What I'm wondering is why moving the download.php-file to the root causes issues - what issues? From the looks of the file, it doesn't really seem it should interfere with anything, so I'm assuming it's something else causing problems, I'm just wondering what?

 

Horribly insecure doesn't even start to describe this. Remove this right now and change all your passwords. Consider everything on your server compromised.

If you're curious as to why, consider this URL.

download.php?file=../../wp-config.php

Code (markup):

As for your (other) problem, you can also use .htaccess to rewrite the URLs, but the path (or part of it) would still be visible in the URL.

Alternatively, you could probably put an .htaccess file in the download folder, which would add the necessary headers to the files, to force the download. And then you'd just link directly to them.

<FilesMatch "\.(jpg|pdf|exe|doc)$">
    ForceType application/octet-stream
    Header set Content-Disposition attachment
</FilesMatch>

Code (markup):

Although, most of these files, like .exe, .zip, .xls, etc... will automatically be downloaded by the browser anyway. The only ones you should be concerned about are probably images and PDFs.

 

There is also window.history property to change the url from a browser (client side, js) not letting them knowing exactly what is the path.
But you will need to work out with apache/nginx rewrite rule in case you want it more fancy + add session so that a file can't be loaded from multiple ips (or after 24 hours, etc)