Support/Comments for FileDownloadPE

This is an auto-generated support/comment thread for FileDownloadPE.

Use this forum to post any comments about this addition or any questions you have regarding its use.

Brief Description:
A secure file download snippet for MODx with download counting and access control.

For installation, usage, parameters, and examples see:
http://scottydelicious.com/blog/2008/06/15/filedownloadpe

Wow great news, an improved version of FileDownload, secured at that... glad I run PHP5 to test this one out

Thanks !

This looks very elegant - I love the clean class structure - but I have a few questions. Wouldn’t it be better to use the document pagetitle as the filename? Having to repeat this in both the pagetitle, alias and FileName tv introduces redundancy, in my view. Also could the mimetype be determined automatically (ok I know this can be tricky)? Or alternatively you could use your snippet in the file template to redirect to the actual file thus obviating the need to send the Content-Type header.

Finally, I had been planning to rewrite FileDetails to provide the option of secure file storage in the database itself (the only way to get true security I reckon, since /assets/files/[filename] is going to be guessable) - but since you already have that extra table, would you consider doing this?

Cheers

Mark

Quote from: therebechips at Jun 17, 2008, 09:14 AM

This looks very elegant - I love the clean class structure - but I have a few questions. Wouldn’t it be better to use the document pagetitle as the filename?

Brilliant! I love it. I will work on your other suggestions too, but this particular one seems so devastatingly obvious that I can’t believe I didn’t think of it.

<?php

$i = 0;

while( $i <= 1000 )

{

    echo ’Thank You’;

    $i++;

}



// A thousand thank yous.

?>

Quote from: therebechips at Jun 17, 2008, 09:14 AM

Finally, I had been planning to rewrite FileDetails to provide the option of secure file storage in the database itself (the only way to get true security I reckon, since /assets/files/[filename] is going to be guessable) - but since you already have that extra table, would you consider doing this?

Cheers

Mark

That’s a good Idea. I suppose it could be stored as a BLOB.

-sD-
Dr. Scotty Delicious, DFPA.

You’re very welcome!

For file upload/download BLOB can actually be problematic, but I worked out a way to do this reliably (on typical shared hosting) for large files a while ago, and explained it here (see therebechips):
http://uk.php.net/features.file-upload

Basically you split the file into chunks and encode them with base 64 (slight increase in file size but you get much better reliability from your db).

Mark

UPDATED TO 1.1

FileName TV no longer required. Uses document’s "alias" instead.
If FURLs are not enabled, this snippet will grab the alias from the "site_content" table using $_REQUEST[’id’]

Parameter &filename replaced with &id. For getting the number of downloads, simply specify document’s id in this parameter.
For example: [!FileDownloadPE? &action=`count` &id=`36`!]

Auto-detecting mime type just won’t work yet without a depreciated function "mime_content_type()" which is not installed on either of my servers, or the PECL "finfo" extension. Neither are reliably available on servers. I am looking forward to PHP 6.

Quote from: therebechips at Jun 17, 2008, 09:14 AM

Finally, I had been planning to rewrite FileDetails to provide the option of secure file storage in the database itself (the only way to get true security I reckon, since /assets/files/[filename] is going to be guessable) - but since you already have that extra table, would you consider doing this?

I don’t have anything against storage in the database, but I totally disagree that the file path is going to be guessable.
First of all, there is no reason to set the alias to the name of the file. Secondly, If you use the MODx resource browser, you are slightly limited to /assets/files/, but you can use any number or name of sub folders. Upload your file to "/assets/downloads/current/projects/2008/" through the MODx resources browser and it is cleanly organized AND They can guess all day. If you want, obscure the folders a bit. Third, You are not limited to using the MODx Resource browser. Instead, FTP your files to "/home/your-username/public_html/private_files/" and put "private_files/myfile.zip" in the File TV.

-sD-
Dr. Scotty Delicious, DFPA.

Hi Scotty,

looks good!

Fair point about the clean filepath - but at the end of the day security by obscurity is going to be a problem, if, say, you’re doing stuff like selling software downloads. And most the the CMS admins I know could not be trusted to obscure the filename.

But in any case, this is an extremely well coded snippet and I will certainly be making use of it. Good work mate!

Well, I like the challenge. It appeals to the pirate in me, so I am going to give db file storage a go.

-sD-
Dr. Scotty Delicious, DFPA.

Scotty, long time no see.

I have installed and have your snippet working... It’s super duper!

I have one problem... I run a gaming site and would like to have the latest patches of games available to my members and so this means large zip files. My host limits zip file sizes to 100mb if uploading to your webspace which I think is bs and I’ve just messaged them to say I think it’s crazy since I’m paying for the service. Anyway, I don’t suppose there’s a way to allow external links yet have the counter still work?

BTW I like your new site, looks excellent. You nearly have as many tattoos as me

Ross

Quote from: rossco at Jun 19, 2008, 03:10 PM

Anyway, I don’t suppose there’s a way to allow external links yet have the counter still work?

Not with the way the code is currently written. Right now, it expects a path, but I suppose I could add a preg_match in there to check if the "File" TV contents starts with "http://". If it does, then use some logic to fopen and fread a remote file.

-sD-
Dr. Scotty Delicious, DFPA.