PHP Form + Protected File Download = Headache

tuffgong

I'm trying to figure out how to take data entered into a form and export it to a database, then allow whoever filled the form out to download a protected file.

I'm a PHP n00b and don't really know any MySQL. This came up out of nowhere and even though I am in the process of learning PHP and MySQL, I need to figure it out fast.

Any other methods are welcome :)
 
You might want to do secure transfer of the data for the first part using RSA or HTTPS, then do an on-server check of the data. The download itself should ideally be provided using a randomly generated link (random folder the file is placed in, only used once if possible. Soft link to redirect to the file without copying might be a good idea).

Hope this helps.
 
@People more knowledgeable than me: Is there a reason why you shouldn't do this with a simple query to mysql (it's not hard, really!), and then if it passes muster simply pull the file from a non-public directory somewhere and ship it to the client using fpassthru(), or readfile()? I did that once just to do simple transfers, setting the proper headers before sending:

Code:
// Download headers; $ctype, $fsize and $filename must already be set.
header("Expires: 0");
header("Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0");
header("Pragma: no-cache");
header("Content-type: $ctype");
header("Content-Length: $fsize");
header("Content-disposition: attachment; filename=$filename");
header("Content-Transfer-Encoding: binary");
 
wildfire99's option would probably work. I guess my question would be what type of file is in question, and whether "protected" simply means you don't want it generally available to anyone or if we're actually talking secure data and/or product download.

At the OP, can you give us some more details?
 
Type of file and most importantly min/max filesize. You don't want to read a multi-GB file into RAM and have it spill over into swap, or just choke.
 
File will be 5-15 megs...a single PDF file. It's more about collecting data from the people downloading it than it is about security.

Thanks for the help!
 
Just out of curiosity, a question for you DBA people. Would there be a problem with taking the aforementioned PDF the OP was talking about and storing it as a blob in the DB, then having the PHP fetch it and send it to the client?

Just looking for a 'best practices' type answer from the [H]'ers in the know :D
 
In general it's considered bad practice to store binary blobs of significant size (more than a few kB) in a DB. This is mostly because it's not what DBs are meant for, and secondly because it's less efficient than reading it from disk, especially if the DB server is not local(host).

To the OP: if security is not a big issue, then either of the suggested approaches would work. It's more about whether people downloading directly from the URL instead of using your provided method would mess up your results.

Wildfire99's method is the most secure one at any rate.
 
I've got my form ready and it's successfully appending to my SQL database. However, I still can't figure out how to send the file using fpassthru(). For some reason, my browser tries to display the zip file instead of downloading it.

Code:
{
  $FileName = "yay.zip";
  //header("Content-Type: " . mime_content_type($FileName));
  // if you are not allowed to use mime_content_type, then hardcode MIME type
  // use application/octet-stream for any binary file
  // use application/x-executable-file for executables
  // use application/x-zip-compressed for zip files
  header("Content-Type: application/octet-stream");
  header("Content-Length: " . filesize($FileName));
  header("Content-Disposition: attachment; filename=\"$FileName\"");
  header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
  $fp = fopen($FileName,"rb");
  fpassthru($fp);
  fclose($fp);
}
I'm calling the function right after my SQL query.

Looks like it was happening because I had the PHP code wrapped inside HTML tags.
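
As an added example (not code from any poster in this thread), here are the two suggestions above combined in one script: a random single-use link, and streaming the file from a non-public directory with the headers sent before any output. It assumes PDO with SQLite rather than the thread's MySQL, and the directory, database file and table names are hypothetical.

```php
<?php
declare(strict_types=1);
// Added example. Assumed names: PRIVATE_DIR, tokens.sqlite, table download_tokens.
const PRIVATE_DIR = '/var/www/private';   // assumed path; must be outside the web root

function db(): PDO {
    $pdo = new PDO('sqlite:' . PRIVATE_DIR . '/tokens.sqlite');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE IF NOT EXISTS download_tokens
                (token_hash TEXT PRIMARY KEY, file TEXT NOT NULL, expires INTEGER NOT NULL)');
    return $pdo;
}

// Call once the form data has been stored; put the returned token in the download link.
function issue_token(PDO $pdo, string $file, int $ttl = 3600): string {
    $token = bin2hex(random_bytes(32));   // 256-bit unguessable token
    $pdo->prepare('INSERT INTO download_tokens VALUES (?, ?, ?)')
        ->execute([hash('sha256', $token), basename($file), time() + $ttl]);
    return $token;
}

// Returns the file name for a valid, unexpired token and consumes it, or null.
function redeem_token(PDO $pdo, string $token): ?string {
    $hash = hash('sha256', $token);       // only the hash is stored server-side
    $sel = $pdo->prepare('SELECT file FROM download_tokens WHERE token_hash = ? AND expires > ?');
    $sel->execute([$hash, time()]);
    $file = $sel->fetchColumn();
    $del = $pdo->prepare('DELETE FROM download_tokens WHERE token_hash = ?');
    $del->execute([$hash]);
    // rowCount() is 1 only for the request that actually deleted the row (single use).
    return ($file !== false && $del->rowCount() === 1) ? (string) $file : null;
}

function send_file(string $name): void {
    $path = PRIVATE_DIR . '/' . basename($name);   // basename() blocks path traversal
    if (!is_file($path)) { http_response_code(404); return; }
    if (headers_sent($f, $l)) {           // earlier output (HTML, whitespace) makes header() fail
        error_log("download aborted: output already started at $f:$l");
        return;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Length: ' . filesize($path));
    header('Content-Disposition: attachment; filename="' . basename($name) . '"');
    header('Cache-Control: no-store');
    readfile($path);                      // writes the file straight to the response
}

if (PHP_SAPI !== 'cli') {                 // entry point, e.g. download.php?t=<token>
    $t = $_GET['t'] ?? '';
    $name = redeem_token(db(), is_string($t) ? $t : '');
    if ($name === null) { http_response_code(403); } else { send_file($name); }
}
```

The script must be the first thing in its file, with nothing before the opening `<?php` tag, so that no output precedes the `header()` calls.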
 