Serving an uploaded file to download

Discussion in 'Programming' started by Triexa, Jul 24, 2008.

  1. #1
    So users will upload files and other users will later download them.

    I can think of three methods:
    1) Store upload data in database
    2) Store in a folder below document root, then when a valid user requests file, temporarily copy it to web-accessible folder
    3) Store it in a folder with some obfuscated name

    My original thoughts were #2 but that wouldn't really work if I have multiple web servers because on request they may reach a server that doesn't have the file yet. Plus to keep servers in sync would be lots of transfer between servers depending on file size.

    With #1 you of course end up with a much larger database, more annoying to back up, and you have to handle MIME types.

    What are your thoughts?
     
    Triexa, Jul 24, 2008
  2. Vooler

    #2
    Storing files in a database is strictly not recommended if they are larger than 1 kb = 1000 bytes.
    When such a database is extensively used, it has been noticed that tables containing files' binary data become corrupt.

    Alternatively, if you are using a Linux/Unix server with Apache, it is secure to put the uploaded files in a folder and then put a new file called .htaccess in the same folder with the following code:

    Deny from all

    which will not accommodate any request through http or https, yet your script can still access them.

    Step 2:

    Once the files are uploaded and their id/name/etc. saved to the database, do the following to authenticate the download:

    // CHECK AUTHORIZED ENTRY: $isAuthorized is a hypothetical variable holding the result of your own check
    if ($isAuthorized) {
        header("Content-Type: FILE_MIME_TYPE_GOES_HERE"); // e.g. image/png
        header("Content-Length: " . filesize("FULL_PATH_TO_FILE"));
        // Quote the filename so names containing spaces survive intact
        header('Content-Disposition: attachment; filename="CUSTOM_FILENAME_GOES_HERE"');
        readfile("FULL_PATH_TO_FILE");
    } else {
        // SHOW ERROR MESSAGE
    }


    I hope it helps
     
    Vooler, Jul 25, 2008
  3. hpower

    #3
    Just what I was looking for.
     
    hpower, Jul 25, 2008
  4. Triexa

    #4
    Doesn't readfile() actually cause increased server load since it is reading the file THROUGH PHP and therefore bringing it into memory?
     
    Triexa, Jul 25, 2008
  5. Vooler

    #5
    I am not sure whether replacing it with header("Location: PATH_TO_FILE"); will work, because we have already denied access to the folder. The other way to get this header thing working is to put an empty index.html, not .htaccess, in the folder, a folder whose name is random.

    Instead of
    -----readfile("FULL_PATH_TO_FILE");

    Use
    header("Location: FULL_PATH_TO_FILE");

    It requires testing whether the already-sent headers act as desired or not, BUT using this method, files don't remain 100% secure; if users know the exact URL, they can access them.


    The other way is to write our own readfile-equivalent function with a timeout parameter + flushing of data in packets of a certain size.

    regards
     
    Vooler, Jul 25, 2008
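
The chunked readfile() replacement mentioned in post #5, combined with the authorization gate from post #2, as an added example that is not part of the thread. UPLOAD_DIR, CHUNK_BYTES, resolveUpload(), serveUpload() and their parameters are hypothetical names, and the authorization decision is assumed to be made by the caller.

```php
<?php
// Added example, not from the thread. All names below are hypothetical.
const UPLOAD_DIR = '/var/app/uploads'; // assumed folder, blocked from direct HTTP access
const CHUNK_BYTES = 8192;              // bytes sent per flush

// Resolve a stored name inside the upload folder; null if missing or outside it.
function resolveUpload(string $storedName, string $baseDir = UPLOAD_DIR): ?string
{
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $storedName);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // Reject names that resolve outside the folder (for example via "../").
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

function serveUpload(bool $isAuthorized, string $storedName, string $downloadName, int $timeLimit = 300): void
{
    if (!$isAuthorized) {
        http_response_code(403);
        echo 'Not authorized';
        return;
    }
    $path = resolveUpload($storedName);
    if ($path === null || ($fh = fopen($path, 'rb')) === false) {
        http_response_code(404);
        echo 'File not found';
        return;
    }
    // Keep only characters that cannot break out of the quoted header value.
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($downloadName));
    // Generic type plus nosniff so the browser saves the upload instead of rendering it.
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($path));
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    set_time_limit($timeLimit);        // the "timeout parameter" from post #5
    while (ob_get_level() > 0) {
        ob_end_clean();                // drop output buffers so chunks are not held in memory
    }
    while (!feof($fh) && !connection_aborted()) {
        echo fread($fh, CHUNK_BYTES);  // only one chunk is in memory at a time
        flush();
    }
    fclose($fh);
}
```

Only CHUNK_BYTES of the file is held by PHP at any moment, and the loop stops early if the client disconnects.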