Love Fuel?    Donate

FuelPHP Forums

Ask your question about FuelPHP in the appropriate forum, or help others by answering their questions.
Beast of a download handler
  • Thought I'd share this with y'all, I just wrote this today and it works really well.

    Disclaimer: All of my PHP skills (can you call them skills?) are completely self-taught, so this code may look horrible to experts.

    What this code is for, and what it does:
    I wrote this today to handle the downloading of files from a site/service I'm working on. The service allows people to upload their Android development work for others to download and enjoy. Meaning ROMs, Recoveries (like ClockworkMod), Kernels, etc.

    The code does the following things:
    1. Hashes the user's IP address (the hash is stored in the db and is used later on for dedupe)
    2. Checks to make sure we got a valid 'dluid' marker (used to prevent direct linking, explanation below)
    3. Checks to make sure the string '../' is not in the requested file path (used to prevent downloading of files that you aren't supposed to see ;) )
    4. Checks to make sure the file requested (if it's a legitimate request) actually exists
    5. Does some extremely lazy referrer string checks to further hinder direct linking of files
    6. Implements proper download counts (explanation below)
    7. And of course, finally hands over the requested data.

    What is the dluid marker?
    The 'dluid' marker is generated every time a page gets loaded in which said page displays files that are available for download. This is generated simply by Str::random('uuid') but really can be generated using any random string generation method.

    The marker is then stored in a session, and is also appended to the URI of the download link and is also added to a session identifier ('dluid').
    Example: http://domain.com/dl/devs/?dl=path/to/requested.file&dluid=28781705-fa56-4e07-917b-26d3cf2c73b4

    The code in the download handler checks to make sure the dluid stored in the session identifier matches the dluid passed in the URI. If they match, then we continue with the other checks. If they don't, then we throw a 404 error.

    Proper download counts:
    Implementing proper download counts has been a challenge of mine for a while, and a little clever sorcery got this working. This particular bit of code is heavily commented for easy comprehension.

    GitHub gist here: https://gist.github.com/anonymous/11360646

    This code cannot be used as-is, but feel free to steal as much from it as you want if it helps you at all.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!