I've got some free downloads on my site and I want to stop people from downloading them without going through the correct page. Basically all of my downloads are in a directory like so: root/downloads/download category/files I want to stop people from just typing the url of a file into there browser and having the file. I've got a file which counts how many people have downloaded files and re-directs them to the download file. I want this to be the only way someone can access the files. I am using c language (on Tandem system) and to open that file i used <a> tag in html file. is thr any Java script solution for above Thanks,
no. move your files into a different location. for example, if at resent you have /files/myfile.zip and download that via: script?file=/files/myfile.zip change your script to use just 'myfile.zip' and configure it to pre-pend the path automatically upon the redirect - so it can be in /SADSAsdasdasdasd3242/ in PHP that would go as... <?PHP $path = getcwd() . "/SADSAsdasdasdasd3242/" . basename($_GET['file']); // secure, no way to fetch files outside of the pre-set directory if (file_exists($path)) { // increment counter here... // redirect header("Location: $path"); die; } ?> PHP: this way it won't be obvious to the users how to compose a url that will fetch them the file. it is still not a 100% foolproof way - if anyone has some http headers debugger, they can grab the redirect url and see you are really sending from /SADSAsdasdasdasd3242/myfile.zip - but it makes it much harder for 'common joe' to do it. to achieve a 100% safe way, move the files into a folder thats outside of your httpdocs / public_html, like ../private. change your script to open the file, read it and pipe the contents down to the browser with the appropriate content type.
Hi dimitar christoff, Thanks for solution.. But I am not using PHP its normal C programing and it displays html pages through CGI so I can use only c or Javascript.. currently I am using simple <a> tag. is thr any other way to hide url from address bar or on click of that link that should ask for open or save option Instead directly open file in another browser .... Thanks,
mate, what i wrote should be treated as pseudo code. the principle is the same - no matter if your site is powered by php, asp, cold fusion, python, perl or other cgi. the fact that you use C does not mean you cannot do what is being suggested. for example, okcupid runs on C.... via js, you can achieve masking of urls to a degree, for example, i wrote a script that hides email addresses from links the other day. i guess if you are being smart and use some sort of a simple encryption (even rot13 will do) to encode url components, you can quickly put them back together under the click event and go to the right file. i wrote a small example for you in mootools that can turn all links of a specific kind/class to an obfuscated version of themselves. a link that can look and work as http://domain.com/download.cgi?file=/downloads/myfile.zip gets broken down into this: <a href="#" class="myLink" title="{'svyr':'zlsvyr','rkg':'mvc','cngu':'/qbjaybnqf/'}">click me</button> which really is the following json string run through rot13: <a href="#" class="myLink" title="{'file':'myfile','ext':'zip','path':'/downloads/'}">click me</button> and the semantic js code that can take all links of class myLink, decode the rot13 and compose the correct href property then hijack the click into a function, goes something like this: <a href="#" class="myLink" title="{'svyr':'zlsvyr','rkg':'mvc','cngu':'/qbjaybnqf/'}">download latest release</a> <script type="text/javascript"> String.implement({ rot13: function() { // extend strings prototype to support rot 13, and offset of a a-z string by 13 chars to encode or decode it return this.replace(/[a-zA-Z]/g, function(c) { return String.fromCharCode((c <= "Z" ? 90 : 122) >= (c = c.charCodeAt(0) + 13) ? c : c - 26); }); } }); window.addEvent("domready", function() { // hidden file links, dependencies: JSON var countScript = "qbjaybnq.ptv?svyr"; // download.cgi?file $$("a.myLink").each(function(el) { var linkProperties = JSON.decode(el.get("title").rot13()); el.set({ events: { click: function(e) { e.preventDefault(); window.location.href = "/" + countScript.rot13() + "=" + linkProperties.path + linkProperties.file + "." + linkProperties.ext; } }, "title": "click to download" // fix mouseover }); }); // end links change }); // end domready </script> PHP: obviously, this will help / prevent users from getting the link from the source code and applying it manually or copying the link location to clipboard. but its not unhackable by any means... also, if you don't use the mootools framework - then treat this javascript as pseudo code also, a proof of concept here is the working example: http://fragged.org/dev/mootools_hiding_link_target.php