Using ASP anti-hotlinking technology

Source: Internet
Author: User
When managing a web site's files, we can put all files with the same extension in one directory and give that directory an unusual name, for example the_pdf_file_s for PDF files. Save the following code as down.asp; its online path is http://www.xx.com/down.asp. We can then use http://www.xx.com/down.asp?filename=51windows.pdf to download the file, and the downloader cannot see the file's actual path. In down.asp we can also require a login before the download and check whether the page that linked to the download belongs to an external site, which prevents the files from being hotlinked.
<%
' Refuse requests whose Referer does not start with this site's host name
From_url = CStr(Request.ServerVariables("HTTP_REFERER"))
Serv_url = CStr(Request.ServerVariables("SERVER_NAME"))
If Mid(From_url, 8, Len(Serv_url)) <> Serv_url Then
    Response.Write "Illegal link!" ' Prevent hotlinking
    Response.End
End If

If Request.Cookies("logined") = "" Then
    Response.Redirect "/login.asp" ' Login required
End If

Function GetFileName(longname) ' /folder1/folder2/file.asp => file.asp
    While InStr(longname, "/")
        longname = Right(longname, Len(longname) - 1)
    Wend
    GetFileName = longname
End Function

Dim Stream
Dim Contents
Dim FileName
Dim Truefilename
Dim Fileext
Const adTypeBinary = 1
FileName = Request.QueryString("filename")
' Also refuse parent-directory sequences so the path stays inside the download directories
If FileName = "" Or InStr(FileName, "..") > 0 Then
    Response.Write "Invalid filename!"
    Response.End
End If
Fileext = Mid(FileName, InStrRev(FileName, ".") + 1)
Select Case UCase(Fileext)
    Case "ASP", "ASA", "ASPX", "ASAX", "MDB"
        Response.Write "Illegal Operation!"
        Response.End
End Select
Response.Clear
If LCase(Right(FileName, 3)) = "gif" Or LCase(Right(FileName, 3)) = "jpg" Or _
   LCase(Right(FileName, 3)) = "png" Then
    Response.ContentType = "image/*"
    ' For images, do not show the file download dialog box
Else
    Response.ContentType = "application/ms-download"
End If
Response.AddHeader "Content-Disposition", "attachment; filename=" & _
    GetFileName(Request.QueryString("filename"))
Set Stream = Server.CreateObject("ADODB.Stream")
Stream.Type = adTypeBinary
Stream.Open
If LCase(Right(FileName, 3)) = "pdf" Then ' Set the directory for PDF files
    Truefilename = "/the_pdf_file_s/" & FileName
End If
If LCase(Right(FileName, 3)) = "doc" Then ' Set the directory for DOC files
    Truefilename = "/my_d_o_c_file/" & FileName
End If
If LCase(Right(FileName, 3)) = "gif" Or LCase(Right(FileName, 3)) = "jpg" Or _
   LCase(Right(FileName, 3)) = "png" Then
    Truefilename = "/all_images_/" & FileName ' Set the directory for image files
End If
Stream.LoadFromFile Server.MapPath(Truefilename)
' Send the file to the client in 64 KB chunks
While Not Stream.EOS
    Response.BinaryWrite Stream.Read(1024 * 64)
Wend
Stream.Close
Set Stream = Nothing
Response.Flush
Response.End
%>

Use ADODB.Stream to download files with any extension directly (anti-hotlinking)

If you enter the URL of a doc, xls or jpg file directly in the browser's address bar, the file is displayed in the browser. Often we would rather have the browser show a download prompt so that the user can save the file. There are two ways to do this:

1. Configure IIS on your server to map doc and similar extensions
2. Set the ContentType when sending the file to the client

Method 2 is described in detail below.
<%
Response.Buffer = True
Response.Clear

Dim url
Dim fso, fl, flsize
Dim dname
Dim objStream, ContentType, flname, isre, url1
' ***** File name to download, passed in by the caller *****
dname = Trim(Request("n"))
If dname <> "" Then
    ' ***** Server directory where the download files are stored *****
    url = Server.MapPath("/") & "\" & dname
End If

' Read the file's size and name for the response headers
Set fso = Server.CreateObject("Scripting.FileSystemObject")
Set fl = fso.GetFile(url)
flsize = fl.Size
flname = fl.Name
Set fl = Nothing
Set fso = Nothing
%>
<%
Set objStream = Server.CreateObject("ADODB.Stream")
objStream.Open
objStream.Type = 1 ' adTypeBinary
objStream.LoadFromFile url

' Choose the content type from the last four characters of the file name
Select Case LCase(Right(flname, 4))
    Case ".asf"
        ContentType = "video/x-ms-asf"
    Case ".avi"
        ContentType = "video/avi"
    Case ".doc"
        ContentType = "application/msword"
    Case ".zip"
        ContentType = "application/zip"
    Case ".xls"
        ContentType = "application/vnd.ms-excel"
    Case ".gif"
        ContentType = "image/gif"
    Case ".jpg", "jpeg"
        ContentType = "image/jpeg"
    Case ".wav"
        ContentType = "audio/wav"
    Case ".mp3"
        ContentType = "audio/mpeg3"
    Case ".mpg", "mpeg"
        ContentType = "video/mpeg"
    Case ".rtf"
        ContentType = "application/rtf"
    Case ".htm", "html"
        ContentType = "text/html"
    Case ".txt"
        ContentType = "text/plain"
    Case Else
        ContentType = "application/octet-stream"
End Select

Response.AddHeader "Content-Disposition", "attachment; filename=" & flname
Response.AddHeader "Content-Length", flsize

Response.Charset = "UTF-8"
Response.ContentType = ContentType

Response.BinaryWrite objStream.Read
Response.Flush
Response.Clear
objStream.Close
Set objStream = Nothing

%>

Save the code above as download.asp, and you can use <a href="http://xxx.xxx.com/download.asp?n=file.doc">download!</a> to download file.doc from the same directory.

The problem is that writing the path of file.doc directly in the URL is not safe. The solution is to store the path of file.doc in a database and obtain it with a database lookup.
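Whichever way the path is obtained, the value taken from the n parameter can be limited to a bare file name with an allowed extension and confirmed to resolve inside one download directory before it reaches LoadFromFile. The following is an added example, not code from the original page; SafeDownloadPath and BASE_DIR are hypothetical names, and the directory and extension list are assumptions taken from the first script.

```asp
<%
' Added example: map a requested name to a path inside one download
' directory, or return "" when the request must be refused.
' SafeDownloadPath and BASE_DIR are hypothetical names for illustration.
Const BASE_DIR = "/the_pdf_file_s/"

Function SafeDownloadPath(ByVal requested)
    Dim re, fso, root, full
    SafeDownloadPath = ""

    ' Accept only a bare file name with an allow-listed extension.
    ' "/", "\", ":" and ".." cannot match this pattern.
    Set re = New RegExp
    re.IgnoreCase = True
    re.Pattern = "^[A-Za-z0-9_-]{1,64}\.(pdf|doc|gif|jpg|png)$"
    If Not re.Test(requested) Then Exit Function

    ' Resolve the name and confirm it is still under the base directory.
    root = LCase(Server.MapPath(BASE_DIR))
    If Right(root, 1) <> "\" Then root = root & "\"
    full = Server.MapPath(BASE_DIR & requested)
    If LCase(Left(full, Len(root))) <> root Then Exit Function

    ' Refuse missing files here instead of letting LoadFromFile raise.
    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    If fso.FileExists(full) Then SafeDownloadPath = full
    Set fso = Nothing
End Function

Dim path
path = SafeDownloadPath(Trim(Request.QueryString("n")))
If path = "" Then
    Response.Status = "404 Not Found"
    Response.End
End If
' path can now be passed to objStream.LoadFromFile
%>
```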


At the very start of the program, if you add a check:

If InStr(Request.ServerVariables("HTTP_REFERER"), "http://your domain name") = 0 Then
    Response.End
End If
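Both Referer checks on this page are loose: the Mid comparison in down.asp looks only at a prefix of the host and assumes a seven-character http:// scheme, and the InStr test matches the domain anywhere in the header. The following added example, which is not code from the original page, compares the Referer's host exactly with SERVER_NAME; RefererHost and IsSameSiteReferer are hypothetical helper names. The Referer header is supplied by the client, so this deters casual hotlinking and does not replace the login check.

```asp
<%
' Added example: extract the host part of the Referer and compare it
' exactly with this site's host name.
' RefererHost and IsSameSiteReferer are hypothetical helper names.
Function RefererHost(ByVal referer)
    Dim re, m
    RefererHost = ""
    Set re = New RegExp
    re.IgnoreCase = True
    ' scheme://host[:port], then "/", "?", "#" or end of string.
    ' The host may not contain "@", so a userinfo prefix never matches.
    re.Pattern = "^https?://([^/?#:@\\]+)(:\d+)?([/?#]|$)"
    Set m = re.Execute(referer)
    If m.Count = 1 Then RefererHost = LCase(m(0).SubMatches(0))
End Function

Function IsSameSiteReferer()
    Dim host
    host = RefererHost(CStr(Request.ServerVariables("HTTP_REFERER")))
    ' An empty or unparsable Referer is treated as external.
    IsSameSiteReferer = (host <> "" And _
        host = LCase(CStr(Request.ServerVariables("SERVER_NAME"))))
End Function

If Not IsSameSiteReferer() Then
    Response.Status = "403 Forbidden"
    Response.End
End If
%>
```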


