Managing File Downloads

My friends’ band Surrender is heading off on a European tour. (Yes, I’m jealous.) In addition to their other merchandise, they wanted to be able to include MP3 downloads with their vinyl records, or even just sell the downloads directly. This is a service United Record Pressing offers but it’s a little, ah, invasive, and not available a la carte, as it were, if they don’t also press your record.

My band played a show with The Measure [SA] this year, and their record came with a download option as well, and it’s pretty DIY. But Surrender wanted something DIYer, with more control over things. I had been intrigued by the style, and figured it wouldn’t be too hard to build something similar, at least for one band. So I tried.

First is the db: one table with a list of unique download keys and how many times each was used:

| Field    | Type        | Null | Key | Default           |
| id       | int(11)     | NO   | PRI | NULL              |
| key      | varchar(16) | NO   |     | 0                 |
| used     | tinyint(1)  | NO   |     | 0                 |
| mod_date | timestamp   | NO   |     | CURRENT_TIMESTAMP |

I generated the keys–16 alphanumerics–and the MySQL commands for inserting each one into the table in a PHP script. Here are the lines of interest:

$key = substr(md5(rand()),0,16);
$query = "INSERT INTO file_keys (`key`,`used`,`add_date`) VALUES('$key','0',NOW());";

I didn’t explicitly check for uniqueness of the key values. What can I say? I have faith in MD5, even if collisions have been found.

The last part is getting the file to download without actually providing direct access to it. PHP makes this pretty easy, although there are some gotchas related to IE and Safari:

// Stuff only IE seems to need
header("Pragma: public");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Cache-Control: private",false); 

// We'll be outputting a ZIP
header("Content-type: application/zip");
// It will be called
// (double-quote file name in header or Safari will be sad)
header('Content-Disposition: attachment; filename=""');

header("Content-Transfer-Encoding: binary");
header("Content-Length: " . filesize($DL_FILE_PATH) ); 

// The ZIP source is in $DL_FILE_PATH
The problem is the step between checking the DB and allowing/disallowing the download. How do you authorize the download page conditionally, without passing along information easily intercepted by nefarious types? A session variable seemed reasonable–theoretically hackable, but kudos to anyone who does it.

So after checking for whether the download key can be used–each one can be used up to three times–a session variable is set:

$_SESSION['downloadfile'] = 'secret';

Another issue is how to message the user about what’s happening. If a code is valid, we redirect to the “downloading now” page, or else the user sees the “sorry” page. To actuate the download, I went back to some 20th century web technology: a META tag to “refresh” the page to the page that does the download:

<meta http-equiv="refresh" content="2;url=getfile.php">

This sends the user to getfile.php, which doesn’t actually display in the browser but just starts a file download (solving the problem of triggering both the download and a message to the user to let him know what’s going on). The download happens and everybody’s happy.

The last step is to unset the session variable:

$_SESSION['downloadfile'] = '';

I’m working on more generic code to share, or maybe this would be a good SourceForge project?

Cats: experiment

iPhone Post

I guess you really can post to a blog from an iPhone. I’m not sure how valuable this is, though. Yet?

Cats: experiment

Not Spam

My friend is embarking on a tour to promote his new book. He’ll be on the road so email is going to be the best way to announce what’s going on to interested parties. However, sending email from his Yahoo! account to multiple recipients proved problematic: emails addressed To: a complete list of recipients raised some ire from people not wanting their emails revealed to other recipients.

The next attempt went a little better: he addressed it to himself and BCC’ed actual recipients. But so do spammers, and a lot of people never even saw this one. The alternative is to send the email over and over to each individual, which is even more work than the tedium of adding all email addresses to a BCC field with Yahoo!’s address book.

Obviously, this is something where a computer should be doing the heavy lifting, but the options out there are either not free, or contain intrusive ads. (Which, come to think of it, Yahoo! Mail also does.) Given the nature of the book, this is undesirable.

I wanted to help, so I threw together a little three-page web app to store email addresses and names, and loop over each item to send an individual email to every person. We also want to do the right thing by sending a MIME multi-part style email, so email clients do the right thing based on each user’s preferences. PHP’s mail() function, with some custom headers, to the rescue.

These lines set up the headers:

$to = "\"$rname\" <$remail>"; # recipient
$from = "\"$sname\" <$semail>"; # sender
$headers = 'From: ' . $from . "\n";
$headers .= 'To: ' . $to . "\n";
$headers .= 'Return-Path: ' . $from . "\n";
$headers .= 'MIME-Version: 1.0' ."\n";
$headers .= 'Content-Type: multipart/alternative; boundary="'
. $boundary . '"' . "\n\n";
$headers .= $body_simple . "\n";
$headers .= '--' . $boundary . "\n";
$headers .= 'Content-Type: text/plain; charset=ISO-8859-1' ."\n";
$headers .= 'Content-Transfer-Encoding: 8bit'. "\n\n";
$headers .= $body_plain . "\n";
$headers .= '--' . $boundary . "\n";
$headers .= 'Content-Type: text/HTML; charset=ISO-8859-1' ."\n";
$headers .= 'Content-Transfer-Encoding: 8bit'. "\n\n";
$headers .= $body_html . "\n";
$headers .= '--' . $boundary . "--\n";

Each section of a multi-part email is set off by a unique boundary string, defined in this case as follows:

$boundary = md5(uniqid(time()));


Now “abuse” mail() as follows:

mail('', $subject,'', $headers);
Even though ‘to’ and ‘content’ params are empty, the headers contain everything needed to properly deliver each message. So far, it works.
Lots of the code above is based on some sample code from
Cats: experiment
Tags: , , ,

Wikipedia + iPhone

Does anyone NOT want to write a toy iPhone web application? It was pretty much the first thing I wanted to do with my new phone. I messed around with some cool JavaScript gizmos, played with the resize-on-rotate thing, and…time passed.

Today I was looking at Wikipedia and came across some information on alternate ways of getting information from their database (q.v.). In particular, I was intrigued by the feature whereby you can get a list of a given Wikipedia page’s outbound links. A couple of hours later, I’ve got a crude little demo that lists a topic’s related links in pairs: the first links to a similar page with a list of links for that¬†topic; the second links to the actual Wikipedia page. If you have an iPhone, try it out!

Cats: experiment
Tags: ,