Hi Guys,

I have made a site where members can register log on etc with php and a MySQL backend.

I want to be able to provide download links for certain files depending on what the user has rights to download.

In theory the user could click on the link and download the file - simple enough.

But, how do I stop the user from providing the link to other people so they can then simply place the link in the browser and download the file that they don't have access to?

The files will be in the form of 'zip' files.

Thanks in advance :)

You can use the php function readfile() to output file contents into the http response stream.

You would use this on a url that the user can only access when logged in.

You should also use header() to set the correct mime type and tell the browser to prompt the user to download the file (instead of opening it in the browser)

header("Content-type: application/octet-stream"); 
header("Content-disposition: attachment; filename=test.zip");  

You can use the php function readfile() to output file contents into the http response stream.

You would use this on a url that the user can only access when logged in.

You should also use header() to set the correct mime type and tell the browser to prompt the user to download the file (instead of opening it in the browser)

header("Content-type: application/octet-stream"); 
header("Content-disposition: attachment; filename=test.zip");  

Thanks for the reply, Madhed

Ok, I think I see where you are coming from. I'll give your suggestions a try :)

Just as a side fact the solution that has been provided will avoid copy-paste of your link.

Users could anyway download files they have rights to see then pass them to other users.

So you can not stop users from getting access to these files.

If files are intended to be used in following activities it would be much better to protect the "usage" of these files.

If files are intended to be used in following activities it would be much better to protect the "usage" of these files.

That implies implementing some kind of DRM. First, implementing even halfway working DRM is far from simple. Second, when it works it usually annoys your honest users more than any illegitimate users.

Nowadays I flat out refuse to buy DRM-protected software and sites like GoG do quiet good business to cater to my needs (which implies I'm not exactly alone in my dislike of DRM since there are far more convenient places to buy games if you don't care about the DRM state).
It should also be noted that they don't have a widespread problem with pirating of their DRM-free games. For example when The Witcher 2 was published (simultaneously DRM-free on GoG; as well as other channels, including a DRM-protected hard copy) there was a pirated version of it available within hours. The pirated version available was the cracked hard copy though. The DRM-free download version did not make it into any kind of widespread circulation.

Just as a side fact the solution that has been provided will avoid copy-paste of your link.
Users could anyway download files they have rights to see then pass them to other users.
So you can not stop users from getting access to these files.

If files are intended to be used in following activities it would be much better to protect the "usage" of these files.

In this case, I was thinking of having the file serial numbered internally (the files are actually DLL's that I have spent a lot of time creating, but are very valuable to the target audience). If a particular serial crops up all over the net, I can send a 'please explain' to the licensee or introduce a kill switch (or both).

Internally I can do a check to make sure the serial numbers are valid. So, the end user would be none the wiser and won't be nagged by any DRM things.

Obviously, all of this is a side issue in itself. The big challenge was to try and stop a copy/paste of the download URL.

Thanks so far for all oft he awesome suggestions. :)