Two sites one master station one upload used sub-station
The download.php of the main station is the download page
The down.php of the sub-station is the download link
Must be downloaded by clicking on the link in download.php
In order to prevent users from directly accessing the sub-station/down.php?fileid=1 can download to the file made the following judgment
download.php Add a hash value
$hash = Strtoupper (MD5 (' Downloadkey '. Date (' YMDH '));
Down.php also adds a hash value
$hash 2 = strtoupper (MD5 (' Downloadkey '. Date (' YMDH ')));
down.php judgment
if ($hash <> $hash 2) { header ("content-type:text/html; Charset=utf-8 "); echo ' File ID: '. $file _id. '
'; Echo ' ['. $file _name. '] The file address has expired, please return to the download address to download again.
If this problem still occurs, contact your administrator
'; if ($pd _gid==1) { echo '
'; echo ' File hash: '. $hash. '
'; echo ' File HASH2: '. $hash 2. '
'; }
There was a problem when the user visited the download page at 20:59:59 ', and then clicked the download
But after the click of Time is 21:00:01, so that the hash value is not the same, and then can not download, to return to re-download it to
How to fix it.
Reply to discussion (solution)
What a wooden man!
The above is the time to generate the hash value, there are other ways to prevent it
The resulting $hash should be passed through a cookie and have a not too long validity period, while being stored in the session
Do not regenerate when checking, only check for the cookie, and compare with the session
Same as check code
The resulting $hash should be passed through a cookie and have a not too long validity period, while being stored in the session
Do not regenerate when checking, only check for the cookie, and compare with the session
Same as check code
Find a way to do something simple
if (Strpos ($_server[' http_referer '), ' http://www.domain.com ') = = 0)
Determine whether the address is feasible by judging the location of the route.
The resulting $hash should be passed through a cookie and have a not too long validity period, while being stored in the session
Do not regenerate when checking, only check for the cookie, and compare with the session
Same as check code
Find a way to do something simple
if (Strpos ($_server[' http_referer '), ' http://www.domain.com ') = = 0)
Determine whether the address is feasible by judging the location of the route.
This can be forged.
Http_referer can be forged.
You can refer to the basic certification.
In turn, simulating a browser is also a subject. So this is a however persuasive outsmart problem. Anti-theft can only prevent the normal hotlinking, the use of the program to simulate browsing the Web page cannot be absolutely prevented.
So it is recommended to prevent the villain, using Referer anti-theft chain.