Ravens PHP Scripts: Forums (Other - Discussion)
hitwalker (Posts: 5661)
Posted: Sat Feb 18, 2006 8:32 am

huh...

Hope you feel better in the next days, Raven... but you read it wrong, I guess...
I DON'T mean the few not-important replies in THIS forum, but on codezwiz..!
And I thought I was doing them a favor, but that was poor judgement on my part...

I've had my time in this research as well...
It took me more than 2 hours going through the downloads to check who was hotlinked or not...

As for removing the other topic... that's all fine, but as Sting wrote in it, I got the mail, I clicked on it and it wasn't there anymore...
The nicest thing he could have done was notify me...
Btw... if security was the reason for removing it, he could also have edited the reply of maze..

Yes Jaded... someone misunderstood me because I DID write:

I even thought of doing codezwiz a favor by posting this on his forum, as he now only sells stuff... not even a thank you..., only a few not-important people replied...

Thought that was clear?... I'm not talking about here on this forum...

Okay, we're on page 4 now.... killing me

jaded (Joined: Nov 01, 2003, Posts: 1006)
Posted: Sat Feb 18, 2006 8:49 am

I have tried to use the code from gotcha for my downloads. However, it is causing some trouble for me.

My website only uses [link] instead of jaded-designs.com. When I put in the code from gotcha (thanks, by the way), it breaks the images in Downloads and won't allow downloads from [link]. How exactly do I go about making this work on [link] instead of jaded-designs.com?? Thanks!

hitwalker
Posted: Sat Feb 18, 2006 9:15 am

After searching in my own country I found some "solutions"...?

Keep in mind that the text is translated into English:

Make a text file (.htaccess), put this in it, and put that file in the protected folder.

Code:
# Send blocked requests to a friendly page instead of a bare 403
ErrorDocument 403 /stop.html

# The ~ makes the argument a regular expression (case-sensitive, hence both cases)
<Files ~ "\.(exe|EXE|mp3|RAR|rar|zip|MP3|mid|jpg|jpeg|bmp|gif|JPG)$">
    # SetEnvIfNoCase is case-insensitive; one pattern covers www and non-www
    SetEnvIfNoCase Referer "^http://(www\.)?yoursite\.com" local_ref=1
    # Order Allow,Deny: a request must match an Allow or it is rejected with 403
    Order Allow,Deny
    Allow from env=local_ref
</Files>

A problem that could arise is that some browsers don't send a Referer, or someone puts in the address directly, which is usually the case with "wget"...
 
Raven (Site Admin/Owner, Joined: Aug 27, 2002, Posts: 17088)
Posted: Sat Feb 18, 2006 9:49 am

Jaded wrote:
was this a mistype?

No mistype. What's the issue that needs resolution? The moved thread or the bandwidth leeching?

jaded
Posted: Sat Feb 18, 2006 10:14 am

Well hell, I quoted the wrong part of that. My quote was supposed to be directed at hitwalker's statement about not-important people. Sorry about that. That's what going to a rock concert all night will do to my brain.. lol. Again, it was supposed to be about the not-important part. I personally couldn't care less where that thread was moved, as long as we come up with a solution to the leeching. HUGE OOPS!
 
Raven
Posted: Sat Feb 18, 2006 10:55 am

HW, the problem is with the mirror links. It's a direct link to the download, and so it is a legitimate link, just like from your own getit(). Gotcha's code worked in my testing when everything was on the same server, but it's the 2-server setup that is causing me grief right now.
 
hitwalker
Posted: Sat Feb 18, 2006 11:24 am

Well, my concern was the hotlinking...
The mirror links in this matter are pure hotlinking and very much hated... I've read about 20 forum stories on that by now, so there's no mistake about that.
The website owners I had contact with by now fully agreed on that part.
Most of them were grateful, and a few big sites we all know didn't even reply... but that's fine by me..

I did find a nice $500 solution...
It's an Apache mod that prevents hotlinking...
 
Steptoe (Joined: Oct 09, 2004, Posts: 293)
Posted: Sat Feb 18, 2006 2:32 pm

Love to watch a community pool resources.
Be it someone finding something on behalf of others, or others coding and giving support in other areas.
These types of things should not be about who gets thanks or credit for what and when, or who discovered it,
but rather a personal pride in being part of a team/community who, when the chips are down, act. Each part is as important as the other, for without one nothing would happen.
So get back to sorting this guy out, notifying other sites, sorting code, spamming the host with email complaints. Individual credit issues are a red herring.

hitwalker
Posted: Sat Feb 18, 2006 2:41 pm

Ah, but there isn't any problem.... Raven misinterpreted one of my previous posts..
He thought I was referring to this forum.... but I wasn't...
gee...
move on...
 
hitwalker
Posted: Sat Feb 18, 2006 2:48 pm

Other solutions handed out to me are:

Code:
# Block requests whose Referer names a known hotlinking site (FilesMatch takes a regex)
<FilesMatch "\.(zip|rar)$">
    SetEnvIf Referer "hotlinking_site_domain\.com" getout
    Order allow,deny
    Allow from all
    Deny from env=getout
</FilesMatch>

Or alternately:

Code:
# Allow only requests whose Referer names your own domain
<FilesMatch "\.(zip|rar)$">
    SetEnvIf Referer "your_domain\.com" allowit
    # the posted line named no variable; setting allowit lets requests with no Referer
    # through, which is what the line's presence suggests was intended (assumption)
    SetEnvIf Referer "^$" allowit
    Order deny,allow
    Deny from all
    Allow from env=allowit
</FilesMatch>

With additional info:

Understanding the Order directive is critical.
It sets the evaluation priority of the Allow and Deny directives -- in other words, whether Allow overrides Deny or vice versa.
 
hitwalker
Posted: Sun Feb 19, 2006 6:04 am

OK, I got a few more responses, and the first is an actual solution that someone uses.
The second one is more like a comment on how to solve it another way....


For the purposes of this example, the site is "mysite.com," the file is "FILE.ZIP" in the "downloads" directory, and the info page is "info.html."
Anyway, here:

public_html/downloads/FILE.ZIP
public_html/downloads/info.html

Okay.
So we have one .htaccess in public_html with the usual anti-robot stuff, etc., and we have a SECOND .htaccess *in* /downloads/:

public_html/.htaccess
public_html/downloads/.htaccess
public_html/downloads/FILE.ZIP
public_html/downloads/info.html

Now, in the /downloads/ .htaccess, we have the following:

Code:
RewriteEngine on
RewriteOptions inherit

# no Referer at all (direct requests, some browsers, wget): leave the request alone
RewriteCond %{HTTP_REFERER} !^$
# Referer is our own site: leave it alone
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mysite\.com/.*$ [NC]
# next line is mysite.com's IP in case people use that
RewriteCond %{HTTP_REFERER} !^http://987\.65\.43\.21/.*$ [NC]
# finally, here's the rewrite (the board stripped the target from the post; the text
# below says it is info.html, so that is what is written here)
RewriteRule ^FILE\.ZIP$ /downloads/info.html [R,L]

Bottom Line:

If someone tries to access FILE.ZIP and they're not on my server, they can't. They're redirected to "info.html."



That's it.....

Additional info passed on....



This *is* a hot-linking problem.
The only difference is that most hotlinking problems have to do with image files, while this case has to do with zip, rar, ... files.

Most of the solutions can be modified to work most of the time, as long as the computer doing the downloading sends a Referer header with its requests.
Some don't.
Many don't.
The majority do, making this approach somewhat effective, because those who are blocked will complain to the hotlinking site's owner, and maybe he'll get tired of it and remove the link... Maybe.

Again, recommended is a cookies-and-script-based solution if you are serious about controlling downloads without relying on the inherently unreliable HTTP_REFERER header.

Bottom line:
Let's say, if you are losing money because of this hotlinking, then hire someone to write you some code (JavaScript on the client side or PHP on the server side) to set a cookie on the pages of your site allowed to link to these files for downloading, and to write a script that will deliver these files (stored in a protected directory) to users only if they provide a valid cookie with their request.

The cookie should be complex, moderately encrypted, and should change per-user, per-IP and per-session.
It should expire in accordance with the 'expires' header on the page that sets it.
Both the cookie and page should expire after three to five minutes to prevent problems with users mailing the cookies to each other if they are using the same network.

Fin
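The cookie-and-script design in the post above, as an added example that is not code from this thread, from PHP-Nuke or from any of its Downloads modules. The page that links to a file issues a short-lived token (an HMAC over the expiry, the file name, the client IP and the session id, valid five minutes as the post suggests), and the delivery script streams the file from a directory Apache itself refuses to serve, but only when the token verifies. Everything here is assumed: the function names, the `DOWNLOAD_SECRET` and `DOWNLOAD_DIR` constants, the `protected_downloads/` directory and PHP 7.1 or later.

```php
<?php
// Added example of the cookie-and-script approach; not code from this thread or from
// PHP-Nuke. Assumptions: a per-site secret, a directory Apache refuses to serve directly
// (".htaccess" with "Require all denied", or "deny from all" on Apache 2.2), PHP 7.1+.

const DOWNLOAD_SECRET = 'replace-with-a-long-random-secret';   // assumption: generated once per site
const DOWNLOAD_DIR    = __DIR__ . '/protected_downloads';       // assumption: the denied directory
const TOKEN_TTL       = 300;                                    // five minutes, as the post suggests

/**
 * Issue a token for one file, bound to the client IP and session id, valid TOKEN_TTL seconds.
 * Layout "expiry.hex(file).hmac": nothing in it is secret, and nothing in it can be altered
 * without breaking the HMAC.
 */
function issue_download_token(string $file, string $client_ip, string $session_id, ?int $now = null): string {
    $now    = $now ?? time();
    $expiry = $now + TOKEN_TTL;
    $file   = basename($file);                                  // a file name, never a path
    $mac    = hash_hmac('sha256', "$expiry|$file|$client_ip|$session_id", DOWNLOAD_SECRET);
    return $expiry . '.' . bin2hex($file) . '.' . $mac;
}

/**
 * Return the file name a token authorises, or null when it is malformed, expired,
 * issued to another IP or session, or tampered with.
 */
function verify_download_token(string $token, string $client_ip, string $session_id, ?int $now = null): ?string {
    $now   = $now ?? time();
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$expiry, $hexfile, $mac] = $parts;
    if (!ctype_digit($expiry) || !ctype_xdigit($hexfile) || strlen($hexfile) % 2 !== 0) {
        return null;
    }
    if ((int) $expiry < $now) {
        return null;                                            // stale: a link mailed around dies after TTL
    }
    $file     = hex2bin($hexfile);
    $expected = hash_hmac('sha256', "$expiry|$file|$client_ip|$session_id", DOWNLOAD_SECRET);
    if (!hash_equals($expected, $mac)) {                        // constant-time comparison
        return null;
    }
    return $file;
}

/** Stream one file from DOWNLOAD_DIR and stop, so no HTML is appended to the bytes. */
function send_protected_file(string $file): void {
    $path = DOWNLOAD_DIR . '/' . basename($file);               // basename() keeps it inside the directory
    if (!is_file($path)) {
        http_response_code(404);
        exit;
    }
    header('Cache-Control: private, no-store, must-revalidate');
    header('Content-Type: application/octet-stream');
    header('Content-Length: ' . filesize($path));
    header('Content-Disposition: attachment; filename="' . str_replace('"', '', basename($path)) . '"');
    readfile($path);
    exit;
}

// ---- Where the two halves go (what a getit() built on this would do) ------------------
// On the page inside your site that links to the file:
//   $token = issue_download_token('raven-distro.zip', $_SERVER['REMOTE_ADDR'], session_id());
//   echo '<a href="download.php?t=' . rawurlencode($token) . '">Download</a>';
// In download.php, the only script that ever reads the protected directory:
//   session_start();
//   $file = verify_download_token($_GET['t'] ?? '', $_SERVER['REMOTE_ADDR'], session_id());
//   if ($file === null) { http_response_code(403); exit('Download link expired or invalid.'); }
//   send_protected_file($file);
```

A token is tied to whoever it was issued to, so a link mailed to a friend on another IP, or used after the TTL, is refused regardless of what Referer the request carries. Binding to the IP is what the post asks for; behind carrier NAT or rotating proxies it will lock out legitimate users, in which case drop `$client_ip` from the signed data and rely on the session alone.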
 
montego (Site Admin, Joined: Aug 29, 2004, Posts: 9457, Location: Arizona)
Posted: Sun Feb 19, 2006 7:33 am

hitwalker, these are excellent examples. Due to your REFERER comment above, I am of the opinion that the only way to truly stop this 100% (for something like a user-initiated download, not for images) is to use some form of binary streaming. I mentioned that right up front, but wanted to see if something simpler would be presented. (As you have done, AND I am very grateful for it.)

With the streaming approach, they would have to go through a PHP script to receive the stream, and so then the standard if (!defined('IN_NUKE')) type "protection" can be used.

Thanks to everyone for their input on this!

Raven
Posted: Sun Feb 19, 2006 9:05 am

Binary streaming is exactly what Gotcha proposed. Hitwalker, excellent examples, and they all will work concerning traditional hot linking. But it still will not work in the case of the mirror links, because they are a direct link to the file on your server, which then makes it on your server. So, is it really hot linking? That's the basic question. He is simply providing a direct link to the download, which is intentionally bypassing my/your preferred way of handling downloads. There is no stealing of bandwidth either. It just takes control away from me/you. I think it's wrong, but I don't think there's anything illegal at all. Unprofessional, unethical, yes. I'm still working on it


Last edited by Raven on Fri Jul 31, 2009 9:37 am; edited 1 time in total 
Guardian2003 (Site Admin, Joined: Aug 28, 2003, Posts: 6799, Location: Ha Noi, Viet Nam)
Posted: Sun Feb 19, 2006 10:01 am

I have been reading this thread with interest, as I started one some time ago regarding hot linking to images and downloading images.

Thank you to everyone who has participated so far with their ideas and research.

I now have a question which the more advanced PHP coder might be able to offer advice on, which, in theory at least, might be a viable proposition to the current dilemma.
If it were possible to dynamically change the download file name and then alter the URL accordingly in the nuke downloads table, it would be possible to 'sync' the true name/location of the file to that held in the DB. As the download link would be changed periodically, it would render any direct link, except from the site itself, useless.

hitwalker
Posted: Sun Feb 19, 2006 10:18 am

Yes, it's hotlinking.
When I started with phpnuke a few years ago and came up with the idea of creating the database, I had a lot of those hotlinked... that caused another war at that time, so I changed everything..
The reason for that is that I didn't know any better.
But if it's zip, rar, or exe files instead of images, it's plain hotlinking.

And as you often said to me (and I agreed), you'd appreciate it if I didn't host the raven distro, which I don't, but my download goes to your site... so that whoever wants it gets the newest all the time.

So imagine that someone hotlinks your distro of 7.5 MB?
And if we take an average of 300 downloads, then we would come to a total of 2.2 GB of bandwidth stolen!
Not to mention all the missed donation requests people never see...


Explained in wiki:

Inline linking, also known as hotlinking or leeching, is the placing of a linked object, often an image, from one site in a web page belonging to a second site. The second site is said to have an inline link to the one where the object is located. It is used for such activities as linking images from personal home page storage into the online diary of the person controlling the personal home page.

This has sometimes been controversial because it is possible that the site where the object is stored and from which it is retrieved will not like the new placement or will consider it to be bandwidth theft. This term refers to the unauthorized use of someone else's bandwidth. Inline linking to an image stored on another site increases the bandwidth use of that site, even though their site is not being viewed in its intended form. Since bandwidth is a commodity, unauthorized use can increase the maintenance costs of the website hosting the image, hence the term bandwidth theft.
 
Raven
Posted: Sun Feb 19, 2006 10:24 am

HW, I disagree, still, about the stealing of bandwidth example. If you link to my d/l area, then you are politely allowing me to count the number of downloads, and that's about it. 300 downloads is still 300 downloads. If someone impolitely directly links to the file, 300 downloads is still 300 downloads. I just haven't counted them in my totals.

Inline linking of an image is not the same thing. In that instance you are pulling the image from another site for use in your site.
 
hitwalker
Posted: Sun Feb 19, 2006 10:37 am

Sure, you can see this your way..

But the main idea is everywhere described as hotlinking.
Another fact is also that people willingly used download addresses that should have stayed private.
 
Raven
Posted: Sun Feb 19, 2006 10:44 am

Don't for one minute misunderstand me. I am not condoning it, nor am I taking it lightly. I will find a way to stop it, even if I have to move them all to the same server. But I'm very much Dutch when it comes to being hard-headed about figuring out a simpler resolution as opposed to a labor-intensive change
 
gotcha (Joined: Mar 14, 2005, Posts: 91)
Posted: Sun Feb 19, 2006 7:13 pm

jaded wrote:
I have tried to use the code from gotcha for my downloads. However, it is causing some trouble for me.

My website only uses [link] instead of jaded-designs.com. When I put in the code from gotcha (thanks, by the way), it breaks the images in Downloads and won't allow downloads from [link]. How exactly do I go about making this work on [link] instead of jaded-designs.com?? Thanks!


I'm not sure how any of that code would break the images.
Can you post your edited code so we can check it out?


Raven wrote:
Don't for one minute misunderstand me. I am not condoning it, nor am I taking it lightly. I will find a way to stop it, even if I have to move them all to the same server. But I'm very much Dutch when it comes to being hard-headed about figuring out a simpler resolution as opposed to a labor-intensive change


I've been trying to come up with a simple solution too, but all I can really think of is allowing only your website to read the files and output them to the user.
I'm sure moving all your downloads would be a huge pain in the ass..

hitwalker
Posted: Sun Feb 19, 2006 7:36 pm

Quote:
I'm sure moving all your downloads would be a huge pain in the ass.


Why is that?
A simple mass rename of download addresses in the database solves that in 10 seconds or so...
 
jaded
Posted: Sun Feb 19, 2006 9:06 pm

gotcha wrote:
jaded wrote:
I have tried to use the code from gotcha for my downloads. However, it is causing some trouble for me.

My website only uses [link] instead of jaded-designs.com. When I put in the code from gotcha (thanks, by the way), it breaks the images in Downloads and won't allow downloads from [link]. How exactly do I go about making this work on [link] instead of jaded-designs.com?? Thanks!


I'm not sure how any of that code would break the images.
Can you post your edited code so we can check it out?


I assume that this is because I have my domain set to only work off of the [link], and for some reason, when I add the .htaccess file and the code to the downloads index.php as you posted, it is trying to make all the items associated with the downloads come from [link] and isn't allowing it to work off of [link].


Here is the code from my downloads file when I make the changes you posted on the other page:

Code:
function getit($lid) {

    global $prefix, $db;
    $lid = intval($lid);
    $db->sql_query("update ".$prefix."_downloads_downloads set hits=hits+1 WHERE lid='$lid'");
    $result = $db->sql_query("SELECT url FROM ".$prefix."_downloads_downloads WHERE lid='$lid'");
    list($url) = $db->sql_fetchrow($result);
    // $file_path and $file_name were never assigned in this version, so the headers
    // below went out with an empty filename and readfile() had nothing to read
    $file_path = $url;
    $file_name = basename($url);
    header ("Cache-Control: must-revalidate, post-check=0, pre-check=0");
    header ("Content-Type: application/octet-stream");
    header ("Content-Length: " . filesize($file_path));
    header ("Content-Disposition: attachment; filename=\"$file_name\"");
    readfile($file_path);
}
 
montego
Posted: Sun Feb 19, 2006 9:49 pm

Guardian2003,

Quote:

I now have a question which the more advanced PHP coder might be able to offer advice on, which, in theory at least, might be a viable proposition to the current dilemma.
If it were possible to dynamically change the download file name and then alter the URL accordingly in the nuke downloads table, it would be possible to 'sync' the true name/location of the file to that held in the DB. As the download link would be changed periodically, it would render any direct link, except from the site itself, useless.


Actually, I think that is an excellent idea. I have actually seen this used at my work. You copy the source file (that is unreachable) to a temporary file name and then serve that back up. Once it is downloaded, you delete the temporary file. However, this binary streaming approach from Gotcha is the ticket... I am working up an NSN GR Downloads version of it, because it handles things a little differently. I will post when I have it working.
 
gotcha
Posted: Sun Feb 19, 2006 10:54 pm

jaded,

That code I posted was just a rough idea.

Try this..
If you have files that use URLs instead of file paths, you may run into problems..

Code:
function getit($lid) {
    global $prefix, $db;
    $lid = intval($lid);
    $db->sql_query("update ".$prefix."_downloads_downloads set hits=hits+1 WHERE lid='$lid'");
    $result = $db->sql_query("SELECT url FROM ".$prefix."_downloads_downloads WHERE lid='$lid'");
    list($url) = $db->sql_fetchrow($result);

    header ("Cache-Control: must-revalidate, post-check=0, pre-check=0");
    header ("Content-Type: application/octet-stream");
    // filesize() may cause problems if the file is not local (it fails on http:// URLs)
    header ("Content-Length: " . filesize($url));
    // get everything after the last / in $url for the filename (quoted so names with spaces survive)
    header ("Content-Disposition: attachment; filename=\"" . substr(strrchr($url, "/"), 1) . "\"");
    readfile($url);
    // stop here so nothing else Nuke prints is appended to the file
    exit;
}
 
montego
Posted: Sun Feb 19, 2006 11:03 pm

Ok, for NSN GR Downloads, open public/go.php and find the following code:

Code:
Header("Location: ".$lidinfo['url']);


And replace it with this:

Code:
// dl hosted elsewhere: only a scheme at the *start* of the URL counts (stristr() would
// also match "http://" in the middle of a local path)
if (preg_match('#^(https?|ftp)://#i', $lidinfo['url'])) {
    Header("Location: ".$lidinfo['url']);
} else {
    // local file: stream it from the (deny-from-all) downloads directory
    header ("Cache-Control: must-revalidate, post-check=0, pre-check=0");
    header ("Content-Type: application/octet-stream");
    header ("Content-Length: " . filesize($lidinfo['url']));
    header ("Content-Disposition: attachment; filename=\"".basename($lidinfo['url'])."\"");
    readfile($lidinfo['url']);
}


Then add an .htaccess file in the same directory where you store your downloads with the following statement:

Code:
deny from all


Now, two things to keep in mind with this approach:

1) At least with NSN GR Downloads, you cannot use the HTTP- or FTP-based URL. You must use the file-based one. For example, one could use something like this:

public/downloads/my_download.zip

2) In addition, you will be unable to validate your downloads from the admin module!!! Please do NOT forget that... you have been warned.


This approach is simply that: an approach. It has allowed me to keep this "leeching" from occurring for the moment (Thanks Gotcha!), but it is not the best final solution. It would be better to have all the admin functions working properly as well as somehow allow the HTTP and FTP methods (but not sure they are possible).

Hope this helps folks that have NSN GR Downloads.

I recommend that once we have clear solutions for core nuke, EDL, and NSN GR Downloads, that we post a new sticky with just one post per download module.

Thanks everyone!!!
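The go.php branch above decides between redirecting and streaming by looking for "http://" anywhere in the stored URL, and then hands whatever path is in the database straight to readfile(). The function below is an added example, not NSN GR Downloads code, of the same decision made on the URL prefix, with the local path confined to the downloads directory before anything is read; the `demo_plan_download()` helper builds a throw-away directory tree with constructed entries so the block runs stand-alone. The `$site_root`/`$download_root` layout, the function names and the entry strings are assumptions. One caveat on the .htaccess step: `deny from all` is Apache 2.2 syntax; on Apache 2.4 the equivalent is `Require all denied`, and the old form only keeps working when mod_access_compat is loaded.

```php
<?php
// Added example for the go.php change above; not NSN GR Downloads code.
// Assumed layout: the downloads table stores either a full remote URL or a path
// relative to the site root, and local files live under one directory that
// Apache refuses to serve directly.

/**
 * Decide how to satisfy a download from its stored URL.
 *   ['action' => 'redirect', 'target' => $url]  remote http/https/ftp URL
 *   ['action' => 'stream',   'target' => $abs]  local file inside $download_root
 *   ['action' => 'deny',     'target' => null]  anything else
 */
function plan_download(string $stored_url, string $site_root, string $download_root): array {
    // A scheme at the *start* means "hosted elsewhere". A substring test would also match
    // "downloads/http://x/y.zip" and redirect instead of streaming a local file.
    if (preg_match('#^(https?|ftp)://#i', $stored_url)) {
        return ['action' => 'redirect', 'target' => $stored_url];
    }
    // Any other scheme, including PHP stream wrappers (php://, data://, file://), is refused.
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $stored_url)) {
        return ['action' => 'deny', 'target' => null];
    }
    $root = realpath($download_root);
    $abs  = realpath($site_root . '/' . ltrim($stored_url, '/'));
    if ($root === false || $abs === false || !is_file($abs)) {
        return ['action' => 'deny', 'target' => null];
    }
    // realpath() has collapsed ".." and symlinks; the result must still sit under the root.
    if (strpos($abs, $root . DIRECTORY_SEPARATOR) !== 0) {
        return ['action' => 'deny', 'target' => null];
    }
    return ['action' => 'stream', 'target' => $abs];
}

/**
 * Run plan_download() over constructed entries in a throw-away tree so the block
 * runs stand-alone. Returns [url => ['expected' => ..., 'got' => ...]].
 */
function demo_plan_download(): array {
    $site = sys_get_temp_dir() . '/nsn_demo_' . getmypid();
    $dl   = "$site/public/downloads";
    mkdir("$dl/sub", 0700, true);
    file_put_contents("$dl/sub/my_download.zip", "PK\x05\x06" . str_repeat("\0", 18)); // empty zip archive
    file_put_contents("$site/config.php", "<?php // pretend this holds the DB password");

    $cases = [
        'public/downloads/sub/my_download.zip'  => 'stream',   // the documented file-based form
        'http://mirror.example/my_download.zip' => 'redirect', // hosted elsewhere
        'public/downloads/../../config.php'     => 'deny',     // climbs out of the downloads root
        'public/downloads/http://x/y.zip'       => 'deny',     // a substring test would redirect this
        'php://filter/resource=config.php'      => 'deny',     // stream wrapper
        'public/downloads/sub/missing.zip'      => 'deny',     // not on disk
    ];
    $results = [];
    foreach ($cases as $url => $expected) {
        $results[$url] = ['expected' => $expected, 'got' => plan_download($url, $site, $dl)['action']];
    }
    // remove the scratch tree
    unlink("$dl/sub/my_download.zip"); unlink("$site/config.php");
    rmdir("$dl/sub"); rmdir($dl); rmdir("$site/public"); rmdir($site);
    return $results;
}

foreach (demo_plan_download() as $url => $r) {
    printf("%-40s expected %-8s got %s\n", $url, $r['expected'], $r['got']);
}
```

The stream branch in go.php would then call readfile() only on `$plan['target']`, never on the raw database value, and the admin-side validation montego mentions could reuse plan_download() to flag entries that would be denied.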
 
jaded
Posted: Sun Feb 19, 2006 11:10 pm

gotcha wrote:
jaded,

That code I posted was just a rough idea.

Try this..
If you have files that use URLs instead of file paths, you may run into problems..

Code:
function getit($lid) {
    global $prefix, $db;
    $lid = intval($lid);
    $db->sql_query("update ".$prefix."_downloads_downloads set hits=hits+1 WHERE lid='$lid'");
    $result = $db->sql_query("SELECT url FROM ".$prefix."_downloads_downloads WHERE lid='$lid'");
    list($url) = $db->sql_fetchrow($result);

    header ("Cache-Control: must-revalidate, post-check=0, pre-check=0");
    header ("Content-Type: application/octet-stream");
    // filesize() may cause problems if the file is not local (it fails on http:// URLs)
    header ("Content-Length: " . filesize($url));
    // get everything after the last / in $url for the filename (quoted so names with spaces survive)
    header ("Content-Disposition: attachment; filename=\"" . substr(strrchr($url, "/"), 1) . "\"");
    readfile($url);
    // stop here so nothing else Nuke prints is appended to the file
    exit;
}



Unfortunately, this gives me the same problem. The images are broken and I cannot download any file from [link], only jaded-designs.com. I am using a URL instead of a file path for all of my downloads.
 