0

Hi everyone. I am trying to build a script where a user of my website can download files. I have a problem. My site has two different user types, Free and Premium at the moment the only protection I have on the script is to check whether the user is logged in. I am trying to add some protection to the premium files so that the user cannot download it if they do not have a premium account. To download a file the user has to click on a link (download.php?id=1234ABCD). I am a bit worried that if someone shares a link to a premium file someone will be able to download it if they are not a premium member. Here is my download code.

<?php
require 'connect.php';
require 'include/functions.php';
if(isset($_COOKIE['username']))
{

$user_sql = mysql_query("SELECT * FROM users WHERE username='" . $_COOKIE['username'] . "'");
$user_fetch = mysql_fetch_assoc($user_sql);

$sql = mysql_query("SELECT * FROM files WHERE link='" . $_GET['uid'] . "'");
$row = mysql_fetch_assoc($sql);
$path = '627f7603682bd4e725252c47bf9fecb41b602277a4d5/' . $_GET['uid'] . '.zip'; 
$filename = $row['file'];

$type = $row['type'];

if($type==0)
{	
	$type = "Free";
}
else
	$type = "Premium";

if($user_fetch['premium']==0)
{
	$speed = 325;
}
else
	$speed = 650;
	

if(file_exists($path) && is_file($path)) {
header("Pragma: public");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Cache-Control: public");
header("Content-Description: File Transfer");
header("Content-type: application/octet-stream"); 
header("Content-disposition: attachment; filename=" . $filename . " (" . $type . ").zip"); 
header("Content-Length: " .(string)(filesize($path)) );
header("Content-Transfer-Encoding: binary\n");


flush(); 

   $fd = fopen($path, "r"); 
   while(!feof($fd)) { 
         echo fread($fd, round($speed*1024)); 
       flush(); 
       sleep(1); 
   } 
   fclose ($fd);
}

$id = rand(000000,999999);
$id = md5($id);
$id = substr($id, 0, 12);

$timedate =  date('l jS F Y - h:i');


mysql_query("INSERT INTO user_downloads VALUES('" . $id . "','" . $_COOKIE['username'] . "','" . $filename . "','" . $row['type'] . "','" . $timedate . "','" . date('dmy') . "','" . date('m') . "','" . date('Y') . "','" . getRealIpAddr() . "')");
}
else 
header("location: index.php?ref=dlnoexist");

header("location: index.php?ref=nologin");
?>

I have tried adding

if($type==1&&$fetch['premium']==1)
{ 
//download 
}
else
if($type==1&&$fetch['premium']==0)
{ 
header('location: index.php?ref=notpremium');
}
?>

But it wont work and I don't know what to do if the user tries to download a free file. Please could I have some help and I am sorry I have not provided enough information.

Thanks in advance.

2
Contributors
1
Reply
2
Views
6 Years
Discussion Span
Last Post by chrishea
0

You should be keeping the login status in a session variable and then check that where needed to allow (or prevent) the user to take specific actions. As you have already realized, you can't count on parameters attached to the URL to control this for very long.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.