A download address the judgment of anti-theft Daniel into the look!

Two sites one master station one upload used sub-station

The download.php of the main station is the download page

The down.php of the sub-station is the download link

Must be downloaded by clicking on the link in download.php
In order to prevent users from directly accessing the sub-station/down.php?fileid=1 can download to the file made the following judgment

download.php Add a hash value
$hash = Strtoupper (MD5 (' Downloadkey '. Date (' YMDH '));

Down.php also adds a hash value
$hash 2 = strtoupper (MD5 (' Downloadkey '. Date (' YMDH ')));

down.php judgment

if ($hash <> $hash 2) {        header ("content-type:text/html; Charset=utf-8 ");        echo ' File ID: '. $file _id. '
';        Echo ' ['. $file _name. '] The file address has expired, please return to the download address to download again.

If this problem still occurs, contact your administrator

';        if ($pd _gid==1) {                echo '


';                echo ' File hash: '. $hash. '


';                echo ' File HASH2: '. $hash 2. '
';        }

There was a problem when the user visited the download page at 20:59:59 ', and then clicked the download

But after the click of Time is 21:00:01, so that the hash value is not the same, and then can not download, to return to re-download it to

How to fix it.

Reply to discussion (solution)

What a wooden man!

The above is the time to generate the hash value, there are other ways to prevent it

The resulting $hash should be passed through a cookie and have a not too long validity period, while being stored in the session
Do not regenerate when checking, only check for the cookie, and compare with the session

Same as check code

The resulting $hash should be passed through a cookie and have a not too long validity period, while being stored in the session
Do not regenerate when checking, only check for the cookie, and compare with the session

Same as check code

Find a way to do something simple

if (Strpos ($_server[' http_referer '), ' http://www.domain.com ') = = 0)
Determine whether the address is feasible by judging the location of the route.

The resulting $hash should be passed through a cookie and have a not too long validity period, while being stored in the session
Do not regenerate when checking, only check for the cookie, and compare with the session

Same as check code

Find a way to do something simple

if (Strpos ($_server[' http_referer '), ' http://www.domain.com ') = = 0)
Determine whether the address is feasible by judging the location of the route.
This can be forged.

Http_referer can be forged.

You can refer to the basic certification.

In turn, simulating a browser is also a subject. So this is a however persuasive outsmart problem. Anti-theft can only prevent the normal hotlinking, the use of the program to simulate browsing the Web page cannot be absolutely prevented.

So it is recommended to prevent the villain, using Referer anti-theft chain.

