How to Track and Secure Downloads

Post Reply
Tony
Lieutenant
Lieutenant
Posts: 86
Joined: Tue Jul 21, 2009 4:11 pm

How to Track and Secure Downloads

Post by Tony » Sun Nov 29, 2009 12:26 am

If you want to track or secure downloads from your website, try this script. This script will send you an email, write to a log file, or both, every time you have a download. Now you can track what file was downloaded and who did the download.

Instructions are included in the comments at the top of the script. Note the variable $directory is the directory where the download files are located. If you want the script in the same directory as the files then use "./" as the directory (you must always have the slash).

In your html page, use the following structure as your download link (where name.txt is the file name to download):

Code: Select all

<a href="download.php?file=name.txt">download</a> 
Then you use the following script (called download.php).

You can download this script as a .txt file. Remember to rename the file as a .php file.

Code: Select all

<?php
/*
This script can send an email and/or make an entry in a log file
There are two variables below - one for an email address and one for a log file
Set both vraiables to the values you want to use
If you do not want either an email or log entry, comment out the respective line
For example, if you do not want an email sent, put a // in front of the $emailAddress line - same for the $logFile line
*/
$emailAddress = "[email protected]";
$logFile = "download.log";
$directory = "downloads/";    // the relative directory that has the downloads - can be ./ for the current directory
putenv('TZ=EST5EDT'); // eastern time
// change nothing below this line
$filename = $_GET['file'];
$path = "$directory$filename";
if(file_exists($path) AND substr_count($filename,"/") == "0") {
  header("Content-type: application/octet-stream"); 
  header("Content-Disposition: attachment; filename=$filename"); 
  header("Content-Length: ".filesize($path));
  readfile("$path");
  if (isset($emailAddress)) {
    $message = "File name: ".$filename."\n\n";
    $message .= "Time of the download: ".date(" F d h:ia")."\n\n";
    $message .= "Browser: ".$_SERVER['HTTP_USER_AGENT']."\n\n";
    $message .= "Page Requested: ".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']."\n\n";
    $message .= "Referer: ".$_SERVER['HTTP_REFERER']."\n\n";
    $message .= "IP Address: ".$_SERVER['REMOTE_ADDR']."\n\n";
    $message .= "Hostname: ".gethostbyaddr($_SERVER['REMOTE_ADDR'])."\n\n";
    mail($emailAddress,"Download notification",$message,"From: Website <>");
  }
  if (isset($logFile)) {
    $downloadLogRecord = $filename."||".$_SERVER['REMOTE_ADDR']."||".gethostbyaddr($_SERVER['REMOTE_ADDR'])."||".date('Y-m-d H:i:s')."\r\n";
    @file_put_contents($logFile,$downloadLogRecord,FILE_APPEND|LOCK_EX);
  }
}
?> 
You can then make the download files inaccessible from direct links if you put the following lines in a .htaccess file in the directory with the files:

RewriteEngine On
RewriteRule \.(txt|zip)$ /error.gif [L]

This example will redirect any attempt to directly access any .txt or .zip file in that directory to the error image specified.
Then if you want to stop direct linking to the script as well (this will pretty much secure the download from any hot-linking), add these two lines at the top of the script:

Code: Select all

session_start();
if ($_SESSION['allowed'] != "yes") die('Inavlid download attempt');  
And on the main page of your website you must set the session variable as follows:

Code: Select all

session_start();
$_SESSION['allowed'] = yes;  
Then anyone who has not been to your site during the current browser session will not be allowed to access the script either.
Top
Post Reply

Return to “PHP & MySQL”