
I have a program that users can download from my site via a button which posts to a php page. The php logs the download request into my DB then serves up the actual program for them to download. However, I've noticed from time to time that certain IPs will download the program every half hour...sometimes hundreds of times over many days. Not sure what it is, assuming it's a bot, and the IPs are always in countries like Romania or Hungary.

Initially I was blocking IPs in my .htaccess, but I don't want to keep doing that every time. So I've added code to my PHP which only allows users to download the program a specific number of times each day. That works fine; however, it's easy enough for someone to just get the direct URL to my program and download it that way, bypassing the PHP logic.

1) Is there a way to prevent this? Can the .htaccess be modified to prevent direct downloads of the file but allow my PHP to serve it up?

2) Should I even be worried about this at all? I'm using a shared server so I'm really just concerned about the bandwidth impacts.

Chase Rocker
  • I don't know if you can prevent direct downloads in an .htaccess file, but you can move the file outside the publicly accessible directory and have the PHP script serve it from there (after checking the IP and applying the limit). – flynorc Jan 31 '17 at 01:07
  • IP != user. You need a proper user management system here. – Jan 31 '17 at 01:24
  • You could save the IP to your database. When the page loads, make it check the database, and if the IP is found then use an if/else statement to prevent the download link from showing up. And use a dynamic link saved in the database to prevent repeated access to the same link. – Zaper127 Jan 31 '17 at 01:38
  • 1) you shouldn't and 2) you shouldn't. Think about NAT: multiple valid users sharing the same public IP. Then think about carrier-grade NAT: *thousands* of valid users sharing the same public IP. Now think about potential attackers of any kind: single evil minds with the knowledge and technology to use thousands of different IP addresses. – Franz Gleichmann Jan 31 '17 at 06:30

1 Answer

If what you want is to not allow users to bypass the PHP logic, you can render and output the file with a PHP script.

<?php
// Directory holding the downloadable files. Keep it outside the web root,
// or protect it with the "Deny from all" .htaccess shown below, so that
// only this script can read from it.
$dir = __DIR__ . '/files/';

// Use only the base name of the requested file so that "../" in the
// query string cannot escape $dir (path traversal).
$name = isset($_GET['file']) ? basename($_GET['file']) : '';
$file = $dir . $name;

// Replace this with your own check (for example the per-day download
// limit from the question); $limitExceeded is just a placeholder here.
$limitExceeded = false;
if ($limitExceeded)
    die('Download forbidden');

if ($name !== '' && is_file($file)) {
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($file) . '"');
    header('Expires: 0');
    header('Cache-Control: must-revalidate');
    header('Pragma: public');
    header('Content-Length: ' . filesize($file));
    readfile($file);
    exit;
}
?>

See: http://php.net/manual/en/function.readfile.php

Suppose your file is stored in /files/; put the script somewhere like /down.php, and add the following code to an .htaccess in /files/.

Deny from all
# Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use: Require all denied

For more on this, see: Deny access to one specific folder in .htaccess

Besides, if you really care about the bandwidth, you can enhance your download-restriction logic, e.g. create a user system, or put the user IP into the database to manage/restrict the total download bandwidth of each user.

Haotian Liu
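A fuller version of what this answer and the question describe, added here as an example and not taken from the answer: the script keeps the files outside the web root, logs every request in a SQLite table and refuses a client IP that has already reached a daily limit, so the direct URL no longer works and the limit cannot be bypassed. The directory paths, the table name and the limit of 5 downloads per day are assumptions; as the comments above note, REMOTE_ADDR identifies a network address, not a user, so users behind NAT share one counter.

```php
<?php
// Added example (not the original answer's code). Assumptions: files live in
// ../private_files (outside the web root), the log is a SQLite database in the
// same directory, and each IP may download at most 5 files per 24 hours.
const FILES_DIR   = __DIR__ . '/../private_files';
const DB_PATH     = __DIR__ . '/../private_files/downloads.sqlite';
const DAILY_LIMIT = 5;

// Whitelist the file name (letters, digits, dot, dash, underscore; no leading
// dot). This rejects "../", absolute paths and hidden files before any I/O.
$name = isset($_GET['file']) ? $_GET['file'] : '';
if (!preg_match('/^[A-Za-z0-9_-][A-Za-z0-9._-]*$/', $name)) {
    http_response_code(400);
    exit('Bad file name');
}
// realpath() resolves symlinks; confirm the result is still inside FILES_DIR.
$path = realpath(FILES_DIR . '/' . $name);
$base = realpath(FILES_DIR) . DIRECTORY_SEPARATOR;
if ($path === false || strpos($path, $base) !== 0 || !is_file($path)) {
    http_response_code(404);
    exit('Not found');
}

$ip = $_SERVER['REMOTE_ADDR'];
$db = new PDO('sqlite:' . DB_PATH);
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE IF NOT EXISTS downloads (ip TEXT, file TEXT, ts INTEGER)');

// Count this IP's downloads in the last 24 hours. Prepared statements keep
// the IP and file name out of the SQL text itself.
$q = $db->prepare('SELECT COUNT(*) FROM downloads WHERE ip = ? AND ts > ?');
$q->execute([$ip, time() - 86400]);
if ((int) $q->fetchColumn() >= DAILY_LIMIT) {
    http_response_code(429);
    header('Retry-After: 3600');
    exit('Daily download limit reached');
}

// Log this request, then stream the file with the headers from the answer.
$db->prepare('INSERT INTO downloads (ip, file, ts) VALUES (?, ?, ?)')
   ->execute([$ip, $name, time()]);

header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($path));
header('Cache-Control: must-revalidate');
readfile($path);
```

The web server user needs write access to the SQLite file but the directory itself must stay unreachable by URL, otherwise the log, and the program, can still be fetched directly.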