Latest News: (loading..)
AlexStudio

[contribution] Super Download Store

1,039 posts in this topic

Downloads Controller Order Status Value

Downloads Controller Order Status Value - Default=10

 

My set is 14

 

What should I add when my setting in orders_status_id is

 

11 Download Now Available

12 Updated

10 :rolleyes:

Share this post


Link to post
Share on other sites
10 :rolleyes:

 

duh.. It's work!

 

Thank you so much.. :thumbsup: :thumbsup: :thumbsup:

Share this post


Link to post
Share on other sites

By the way, I tried to install SEO again and still had the same problem with the downloads showing up but like I said before it doesnt really matter because the affiliate system didnt work either.

 

Anyways I tried to install SEO 2.0 and that version worked fine (for everything).

Share this post


Link to post
Share on other sites

hi again,

 

1) i am trying to understand the logic behind the "redirect" way of downloading the deliverable. i think i'm missing something, because the URL is plainly visible, couldn't the user just copy the redirected url and send it to whomever they wanted and the file could be downloaded? it does not seem very secure.

 

2) i am thinking to try the non-redirect way, but loop over a decent-sized buffer. isn't this much better?

 

i am curious for your input, because it seems everyone uses "redirect" method.

 

thanks,

 

todd

Share this post


Link to post
Share on other sites
1) i am trying to understand the logic behind the "redirect" way of downloading the deliverable. i think i'm missing something, because the URL is plainly visible, couldn't the user just copy the redirected url and send it to whomever they wanted and the file could be downloaded? it does not seem very secure.

The download link requires the user to login before running the link, and also checks the order id, max download days, max download counts....etc, no matter by redirect or not. If your customer wants to share his account info and the file purchased, there is no way to stop him, but the download expiry and counts can help to limit the risk. It's the way osCommerce was developed, and I don't see any other 'easy' way to improve it.

 

When working with file groups, the file descriptions are shown with the links, not the filenames. For security reason, don't use filename for the file description.

 

2) i am thinking to try the non-redirect way, but loop over a decent-sized buffer. isn't this much better?

i am curious for your input, because it seems everyone uses "redirect" method.

Download by redirect is a much safer way. It creates a random temporary subfolder and establishes a symlink via that subfolder. Users have no chance to find out where you store the download file exactly.

 

To loop over a decent-sized buffer is only possible when you have the control of your server. It sure can improve the non-redirect downloads, but not the security you're concerning about.

Share this post


Link to post
Share on other sites
The download link requires the user to login before running the link, and also checks the order id, max download days, max download counts....etc, no matter by redirect or not. If your customer wants to share his account info and the file purchased, there is no way to stop him, but the download expiry and counts can help to limit the risk. It's the way osCommerce was developed, and I don't see any other 'easy' way to improve it.

The download link itself requires the user be logged in, etc, but the link that the user is redirected to is just a straight http URL to the symlinked deliverable. Something like http://store.com/pub/.kjhkjhkjhkjh/thefile.pdf. When I download a PDF or mp3 by clicking the download link, the URL it is redirected to is what (properly) is shown in my browser's address bar. Couldn't I just send that to anyone and they can get the file?

Download by redirect is a much safer way. It creates a random temporary subfolder and establishes a symlink via that subfolder. Users have no chance to find out where you store the download file exactly.

Here is the essence. The link with the random temporary subfolder is visible/obtainable and will work for anyone. How temporary is the subfolder? I don't see anywhere that it is destroyed. The user has no chance to know where on the filesystem the real assets are, but they can know a URL that will link directly to it (via a symlink).

To loop over a decent-sized buffer is only possible when you have the control of your server. It sure can improve the non-redirect downloads, but not the security you're concerning about.

I have control over the server so looping over a decent-sized buffer is possible. As far as I can see it is a definite improvement over the redirect way because there is never a URL that points to the deliverable. I don't yet understand how the random directory is temporary. Is it?

 

Thanks!

Share this post


Link to post
Share on other sites
The download link itself requires the user be logged in, etc, but the link that the user is redirected to is just a straight http URL to the symlinked deliverable. Something like http://store.com/pub/.kjhkjhkjhkjh/thefile.pdf. When I download a PDF or mp3 by clicking the download link, the URL it is redirected to is what (properly) is shown in my browser's address bar. Couldn't I just send that to anyone and they can get the file?
I don't know how you get that direct link to the file in the temporary folder. The download link shown to the customer is pointed to catalog/download.php?order=xxx&id=yyy..., and went clicking on the link, a popup window shown asking what to do with the file (open it or save it to HDD), no direct link shown to the customer. I tried with IE6/IE7/FF2 all the same. The download by redirect code is the stock feature, not modified by my work. It seems to me that your server setting is not working correctly with the header magic.

 

Here is the essence. The link with the random temporary subfolder is visible/obtainable and will work for anyone. How temporary is the subfolder? I don't see anywhere that it is destroyed. The user has no chance to know where on the filesystem the real assets are, but they can know a URL that will link directly to it (via a symlink).
The temporary folder is destroyed every time when the download by redirct is called. The code tep_unlink_temp_dir(DIR_FS_DOWNLOAD_PUBLIC); will remove temporary folders created previously.

Share this post


Link to post
Share on other sites

Sorry, I get your point now. When the download file type is something can be opened in Internet browsers, e.g. mp3, pdf, jpg...etc, the file will be opened and the link will be shown in the url line.

 

I need to dig into this and see what I can do.

Share this post


Link to post
Share on other sites
Sorry, I get your point now. When the download file type is something can be opened in Internet browsers, e.g. mp3, pdf, jpg...etc, the file will be opened and the link will be shown in the url line.

 

I need to dig into this and see what I can do.

 

I think just reading the file and looping with a buffer, even a small one, might do the trick. What was big a couple of years ago is small today. :) The stock code says read the whole file and send it, which definately could be a huge resource hog and is a bad idea. I am going to run some performance tests with different sized buffers and see what the results look like. (Probably won't be till Sunday or Monday). My files are pretty big, 20M or so, and this will be a good indication. The http server itself has to do this (read a buffer and loop) so I don't think adding php on top of it will be a big hit. It's something anyone can do, nothing special on the php side required. The code suggests it, I wonder why it wasn't implemented. I will report back.

Share this post


Link to post
Share on other sites
The temporary folder is destroyed every time when the download by redirct is called. The code tep_unlink_temp_dir(DIR_FS_DOWNLOAD_PUBLIC);

 

Sorry, I missed this part of your post. That answers my "temporary" question. So it seems the actual link sent by the redirect is valid until the next virtual sale is made, at which point the temp dir is cleaned up. I was confused about this. That could be worse, and is probably acceptable, but it's not great. I will proceed with my buffer tests to see how it comes out.

 

I realize these comments are not related to your mods specifically, they are on the stock code, but I thought this was as good a place as any to discuss, as I am using your mod (which I think is great) and clearly you have an interest in the way virtual sales are handled.

 

I like osC is great, can't wait to see the new OOP version, looking to make a nice contribution as some point.

Share this post


Link to post
Share on other sites

Download by redirect works fine if you packed your file as .zip or .rar, the 'save as' dialog always shows up and the actually link is not shown.

 

I have a buffered non-redirect download ready. Here is the code:

 

in catalog/download.php around line 123:

	readfile(DIR_FS_DOWNLOAD . $downloads['orders_products_filename']);

Change it to:

// BOF Super Download Shop v1.1 mod
set_time_limit(0); // Prevent the script from timing out for large files
readfile_chunked(DIR_FS_DOWNLOAD . $downloads['orders_products_filename']);
// EOF Super Download Shop v1.1 mod

 

And then add a new function in the same file at around line 92 or 93:

// Buffered readfile, for non-redirect downloads to handle a large file
// With this function, downloads will not be limited by the server resource.
// However, it still suffers from the maximum script execution time.
function readfile_chunked($filename)
{
 $chunksize = 1*(1024*1024); // how many bytes per chunk
 $buffer = '';
 // $handle = fopen($filename, 'rb');
 $handle = fopen($filename, 'rb');
 if ($handle === false) {
return false;
 }
 while (!feof($handle)) {
$buffer = fread($handle, $chunksize);
echo $buffer;
flush();
 }
 $status = fclose($handle);
 return $status;
}

I will include this in the next update.

Share this post


Link to post
Share on other sites
I will include this in the next update.

 

great! i consider i have vicariously made a contribution :)

Share this post


Link to post
Share on other sites
And then add a new function in the same file at around line 92 or 93:
// Buffered readfile, for non-redirect downloads to handle a large file....

 

Thanks for update code. but can you give (some hint code)what is the [i]top[/i] OR [i]bottom[/i] of the code. This is cause my download.php having some many code added last time.

 

Thank you in advance.

Share this post


Link to post
Share on other sites

I will clean up the code a bit and make some additional notes in the install instruction. The v1.1 update package will be out soon.

Share this post


Link to post
Share on other sites

excellent idea, thank you. been looking for something like it.

 

i tried to install but was stopped already when running the group_file_for_download.sql sql script via phpMyAdmin.

 

ALTER TABLE `products_attributes_download` ADD `products_attributes_filegroup_id` INT( 11 ) NULL AFTER `products_attributes_filename` ;

 

 

#1060 - Duplicate column name 'products_attributes_filegroup_id'

 

 

would be very grateful for any idea. thank you.

Share this post


Link to post
Share on other sites
i tried to install but was stopped already when running the group_file_for_download.sql sql script via phpMyAdmin.

 

ALTER TABLE `products_attributes_download` ADD `products_attributes_filegroup_id` INT( 11 ) NULL AFTER `products_attributes_filename` ;

#1060 - Duplicate column name 'products_attributes_filegroup_id'

You probably ran the script twice by accident. Please check your databse table products_attributes_download and see if products_attributes_filegroup_id is already there.

Share this post


Link to post
Share on other sites

hi alex

 

i just found out that the filenames in the products_attributes_download_groups_to_files only refer to products_attributes_download_groups_files.download_groups_file_id but not to the .download_group_id.

so this causes a problem for different descriptions with the same download_groups_file_id.

 

you would just have to add a field in the products_attributes_download_groups_to_files for the group...

 

maybe you could build that in your 1.1 release...

 

cu jason

Share this post


Link to post
Share on other sites
hi alex

 

i just found out that the filenames in the products_attributes_download_groups_to_files only refer to products_attributes_download_groups_files.download_groups_file_id but not to the .download_group_id.

so this causes a problem for different descriptions with the same download_groups_file_id.

 

you would just have to add a field in the products_attributes_download_groups_to_files for the group...

 

maybe you could build that in your 1.1 release...

 

cu jason

No. You can assign a file to many different groups, there for the products_attributes_download_groups_to_files doesn't refer to download_group_id.

 

File description goes with download_groups_file_id, you can't assign different descriptions to the same file, otherwise it won't work.

Share this post


Link to post
Share on other sites
File description goes with download_groups_file_id, you can't assign different descriptions to the same file, otherwise it won't work.

 

but thats what i want to do ^^

i´ve got some files that are used in different context so i need different desciptions for it.

i´ll try to change that for me. if not i´ll have to set hardlinks within my system or have the file multiple

 

anyhow we´ll call it a feature :)

 

cu jason

Share this post


Link to post
Share on other sites
Super Download Shop v1.1 update released.

 

Please report bugs/problems/issues in this support thread.

 

:thumbsup: Hi Alex. Great Contribution - superb!!

 

i have installed SDS 1.1. everthing ok... ;) untill testing stage. hehe... sorry to trouble you.. (newbie)

 

- I got no problem with single item download using SDS 1.1 & PayPal IPN. the download link (with nice button) appears right after the payment process completed.

 

- But when i try to download group file, after completed the payment process (Paypal IPN), theres no download link accept the filename (product name), link expires & download remaining info. >_<

 

- So i make another test, using 'check/money order'. after completed the process, i change the status from pending to 'download now available'. Walla! all the downloads under the group now available! :blink:

 

can u please help me out?

 

Thanks Alex.

Share this post


Link to post
Share on other sites
can u please help me out?

The osCommerce PayPal IPN module bypasses checkout_process.php, there for the modification needs to be manually coded into this payment module.

 

Below is the modification for osCommerce PayPal IPN module v2.2:

 

Find in catalog/includes/modules/payment/paypal_ipn.php line 249-257:

				if ((DOWNLOAD_ENABLED == 'true') && isset($attributes_values['products_attributes_filename']) && tep_not_null($attributes_values['products_attributes_filename'])) {
			  $sql_data_array = array('orders_id' => $insert_id,
									  'orders_products_id' => $order_products_id,
									  'orders_products_filename' => $attributes_values['products_attributes_filename'],
									  'download_maxdays' => $attributes_values['products_attributes_maxdays'],
									  'download_count' => $attributes_values['products_attributes_maxcount']);

			  tep_db_perform(TABLE_ORDERS_PRODUCTS_DOWNLOAD, $sql_data_array);
			}

Replace with:

				if ((DOWNLOAD_ENABLED == 'true') && isset($attributes_values['products_attributes_filename']) && tep_not_null($attributes_values['products_attributes_filename'])) {
// BOF Super Download Shop v1.0 mod
			  if (DOWNLOADS_CONTROLLER_FILEGROUP_STATUS != 'Yes' || !strstr($attributes_values['products_attributes_filename'], 'Group_Files-')) {
				$sql_data_array = array('orders_id' => $insert_id, 
										'orders_products_id' => $order_products_id, 
										'orders_products_filename' => $attributes_values['products_attributes_filename'], 
										'download_maxdays' => $attributes_values['products_attributes_maxdays'], 
										'download_count' => $attributes_values['products_attributes_maxcount']);
				tep_db_perform(TABLE_ORDERS_PRODUCTS_DOWNLOAD, $sql_data_array);
			  } else {
				$filegroup_array = explode('Group_Files-', $attributes_values['products_attributes_filename']);
				$filegroup_id = $filegroup_array[1];
				$groupfiles_query = tep_db_query("select download_group_filename
												  from " . TABLE_PRODUCTS_ATTRIBUTES_DOWNLOAD_GROUPS_FILES . "
												  where download_group_id = '" . (int)$filegroup_id . "'");
				while ($groupfile_array = tep_db_fetch_array($groupfiles_query)) {
				  $sql_data_array = array('orders_id' => $insert_id, 
										  'orders_products_id' => $order_products_id, 
										  'orders_products_filename' => $groupfile_array['download_group_filename'], 
										  'download_maxdays' => $attributes_values['products_attributes_maxdays'], 
										  'download_count' => $attributes_values['products_attributes_maxcount']);
				  tep_db_perform(TABLE_ORDERS_PRODUCTS_DOWNLOAD, $sql_data_array);
				}
			  }
// EOF Super Download Shop v1.0 mod
			}

 

 

Find in the same file line 169:

								  'date_purchased' => 'now()',

Add before:

								  'last_modified' => 'now()',

Share this post


Link to post
Share on other sites

Wow!... thanks Alex! Superb! :thumbsup: :thumbsup: :thumbsup:

Share this post


Link to post
Share on other sites

When I try to add a file in "Files In Group " is say "The file unzip doesn't exist.". But i did upload it to download/ catalog... please help..

 

Regards

Kenneth

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now