
Downloads are now secured using md5 hashing logic instead of using my…
…sql database to keep track of random keys. Download links are valid for two days only. The default interval WordPress uses for theme updates is 12 hours.
jeremyclark13 committed Aug 29, 2012
1 parent 6345736 commit c48e5d1
Showing 8 changed files with 185 additions and 291 deletions.
89 changes: 24 additions & 65 deletions api/download.php
@@ -1,73 +1,32 @@
<?php
/*
*
* One Time Download
* Jacob Wyke
* jacob@frozensheep.com
*
*/
require_once('packages.php');
// This is the folder where all update files are stored
$update_folder = './update/';

//The directory where the download files are kept - random folder names are best
$strDownloadFolder = "./update/";
if ( isset( $_GET['key'] ) ) {
// loop over all the theme and plugin arrays
foreach ( $packages as $package ) {
// loop over all the versions for each theme and plugin
foreach ( $package['versions'] as $version ) {
// md5 timestamp of current and previous day and the file name
$tod_md5 = md5( $version['file_name'] . mktime( 0, 0, 0, date( "m" ), date( "d" ), date( "Y" ) ) );
$yes_md5 = md5( $version['file_name'] . mktime( 0, 0, 0, date( "m" ), date( "d" ) - 1, date( "Y" ) ) );
// test if the either of the md5 hashes match what was passed
if ( $_GET['key'] == $tod_md5 || $_GET['key'] == $yes_md5 ) {
$download = $update_folder . $version['file_name'];
if ( file_exists( $download ) ) {
//get the file content
$file = file_get_contents( $download );

//If you can download a file more than once
$boolAllowMultipleDownload = 0;
//set the headers to force a download
header( "Content-type: application/force-download" );
header( "Content-Disposition: attachment; filename=\"" . str_replace( " ", "_", $version['file_name'] ) . "\"" );

//connect to the DB

/***********************
DATABASE INFO
************************/

$resDB = mysql_connect("DB_SERVER", "DB_USER", "DB_PASSWORD");
mysql_select_db("DB_NAME", $resDB);

if(!empty($_GET['key'])){
//check the DB for the key
$resCheck = mysql_query("SELECT * FROM downloads WHERE downloadkey = '".mysql_real_escape_string($_GET['key'])."' LIMIT 1");
$arrCheck = mysql_fetch_assoc($resCheck);
if(!empty($arrCheck['file'])){
//check that the download time hasnt expired
if($arrCheck['expires']>=time()){
if(!$arrCheck['downloads'] OR $boolAllowMultipleDownload){
//everything is hunky dory - check the file exists and then let the user download it
$strDownload = $strDownloadFolder.$arrCheck['file'];

if(file_exists($strDownload)){

//get the file content
$strFile = file_get_contents($strDownload);

//set the headers to force a download
header("Content-type: application/force-download");
header("Content-Disposition: attachment; filename=\"".str_replace(" ", "_", $arrCheck['file'])."\"");

//echo the file to the user
echo $strFile;

//update the DB to say this file has been downloaded
mysql_query("UPDATE downloads SET downloads = downloads + 1 WHERE downloadkey = '".mysql_real_escape_string($_GET['key'])."' LIMIT 1");

exit;

}else{
echo "We couldn't find the file to download.";
//echo the file to the user
echo $file;
}
}
}
}else{
//this file has already been downloaded and multiple downloads are not allowed
echo "This file has already been downloaded.";
}
}else{
//this download has passed its expiry date
echo "This download has expired.";
}
}else{
//the download key given didnt match anything in the DB
echo "No file was found to download.";
}
}else{
//No download key wa provided to this script
echo "No download key was provided. Please return to the previous page and try again.";
}

?>
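Review bot: The key check on `if ( $_GET['key'] == $tod_md5 || $_GET['key'] == $yes_md5 )` uses loose `==`, which applies PHP's numeric-string comparison to the hex digests (so two digests of the form `0e` followed by digits compare as equal numbers) and is not constant-time; replace it with `if ( hash_equals( $tod_md5, (string) $_GET['key'] ) || hash_equals( $yes_md5, (string) $_GET['key'] ) ) {`. Separately, both digests on the `$tod_md5` and `$yes_md5` lines are computed from the file name and the calendar date only, with no server-side secret, so a link is exactly as secret as the package file name; deriving them with `hash_hmac( 'sha256', $version['file_name'] . $day, $secret )`, where `$secret` is loaded from configuration outside the web root, would make the two-day key genuinely unguessable. Since the script now serves the file with `echo $file` after `file_get_contents`, consider `readfile( $download ); exit;` instead, which avoids loading the whole package into memory and stops the loops from continuing after a successful match.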
