tags:

views:

52

answers:

3
+4  Q: 

Serving Large Protected Files in PHP/Apache

I need to serve up large files (> 2gb) from an Apache web server. The files are protected downloads, so I need some kind of way to authorize the user. The CMS I'm using uses cookies checked against a MySQL database to verify the user. On the server, I have no control over max_execution_time, and limited control over memory_limit.

My technique has been working for small files. After the user has been authorized in PHP (by the CMS), I use readfile() to serve the file, which is stored above the document root to prevent direct access. I've read about techniques to chunk the download or to use fpassthru to get around the PHP memory limit. But I haven't found a technique to get around the max_execution_time limit.

I thought about storing the file within the document root, so we could bypass PHP entirely. But what I can't figure out is how to restrict access with htaccess. I need to verify the user against the database before I can serve them the file.

Thanks.

A: 

Take a look at set_time_limit() http://www.php.net/manual/en/function.set-time-limit.php

and max_execution_time http://www.php.net/manual/en/info.configuration.php#ini.max-execution-time

Lizard  2010-07-06 15:18:18
A: 

What about using symlinks? If you have a folder example:

userfacingfiles/
  md5_of_order_id1 --> protected-file.exe
  md5_of_order_id2 --> protected-file.exe

protectedfiles/
  .htaccess (contains deny from all)
  protected-file.exe

Basic Example:

$salt = 'canttouchthis';

function create_symlink($order_id, $salt, $protected_file) 
{
  $info = pathinfo('protectedfiles/'.$protected_file);

  symlink('protectedfiles/'.$protected_file, 'userfacingfiles/'.md5($order_id.$salt).'.'.$info['extension']);
}


function get_file($order_id, $salt, $extension)
{

  header('Location: userfacingfiles/'.md5($order_id.$salt).'.'.$extension);
  exit();
}

usage:

When the user pays:

create_symlink(1, 'secureSALT', 'ebook.pdf');

When the user wants to download their ebook

get_file(1, 'secureSALT');

This may not be the most portable method, but because you're redirecting the user the web server is handling the downloads.

Kieran Allen  2010-07-12 21:46:07
that was just painful to read
Joe Hopfgartner  2010-08-28 16:11:33
+1  A: 

The nicest solution in my opinion: install mod_xsendfile in your Apache, have the PHP script authorize the user, and on success send a response with an X-Sendfile header pointing to the location of the protected file. From that point on, Apache does the work of serving the file to the client; not PHP.

hobbs  2010-07-12 21:49:58
+1 for `mod_xsendfile`. Don't do this work in PHP. Apache (or any production quality web server, for that matter) is optimized to serve files. Let it do its job and get your script interpreter out of the way. Lighttpd supports the same header and Nginx does the same thing, but with `X-Accel-Redirect`.
Steve Madsen  2010-07-12 21:56:43
mod_xsendfile is the **better** solution. However, if this isn't available to you (shared hosting/static build) then i recommend using Symlinks or Hardlinks (as mentioned below) as with that you can still pass the serving of the download to the web server.
Kieran Allen  2010-07-12 21:59:37
Links are security through obscurity. Nothing stops an end user from sharing those links. That's fine in some cases, but let's be honest about the trade-offs.
Steve Madsen  2010-07-12 22:02:25
good point - didn't think about that. +1
Kieran Allen  2010-07-12 22:10:36

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases