Security with Download Links


Yamaha_R1

1:06 pm on Jul 12, 2005 (gmt 0)

I have recently launched a new map download server (with help from you guys! :) ) where people can submit, edit, and download Warcraft maps (w3x files).

And it works kinda like this.

script.php // views all maps
script.php?view=10 // views map 10
script.php?download=10 // Increases download counter, header location to the file

Now.

How do I keep people from linking directly to the download file? I don't want competition sites, other map sites, forums, spiders, or anything else downloading it WITHOUT actually visiting the map's page. So IF they do click an external link, it shows them the view page instead.

buriedUnderGround

1:57 pm on Jul 12, 2005 (gmt 0)

One way to do this would be to set a session variable in script.php and check for it when script.php?view=10 and script.php?download=10 are viewed. If the variable isn't there, load the view page; if it is there, it would mean that the viewer has come from script.php and is allowed to view/download the content.
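One way to implement that session check in script.php, as an added example and not code from the original post (the 600-second window, the map_url() helper and the file path it returns are assumptions; the counter update is left where the original script already does it):

```php
<?php
// Added example, not code from the original thread: gate script.php?download=N
// on a session flag that script.php?view=N sets for the same visitor.
// map_url() and its path are assumptions standing in for the real script.
declare(strict_types=1);

session_start();

const VIEW_TTL = 600; // seconds a view of the map page stays valid for download

function mark_viewed(int $id): void
{
    // Remember which map pages this session has actually rendered, and when.
    $_SESSION['viewed'][$id] = time();
}

function may_download(int $id): bool
{
    // Only the session that loaded script.php?view=$id recently may download it.
    // A copied link, a spider or a hotlink from another site has no such session.
    $seen = $_SESSION['viewed'][$id] ?? null;
    return $seen !== null && (time() - $seen) <= VIEW_TTL;
}

function map_url(int $id): string
{
    // Assumed: the real location the original script redirects to.
    return '/files/' . $id . '.w3x';
}

// Validate the ids as positive integers; anything else is treated as absent.
$intOpts  = ['options' => ['min_range' => 1]];
$view     = filter_input(INPUT_GET, 'view', FILTER_VALIDATE_INT, $intOpts);
$download = filter_input(INPUT_GET, 'download', FILTER_VALIDATE_INT, $intOpts);

if ($download) {
    if (!may_download($download)) {
        // External link, spider or expired view: show the map page instead.
        // 303 tells the browser to re-request the new location with GET.
        header('Location: script.php?view=' . $download, true, 303);
        exit;
    }
    // ... increment the download counter here, as the original script does
    header('Location: ' . map_url($download), true, 302);
    exit;
}

if ($view) {
    mark_viewed($view);
    // ... render the map page for $view with a link to script.php?download=$view
    exit;
}

// ... no parameters: render the list of all maps
```

The check needs nothing from the client except the session cookie, so it is not affected by stripped Referer headers, and a link copied to a forum will send other people to the map page rather than the file. It does not hide the file's real location: whoever completes one legitimate download sees the redirect target and can share that URL directly.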

Yamaha_R1

2:26 pm on Jul 12, 2005 (gmt 0)

Could I look at the referer or something?

Like, if the referer wasn't my script, then don't redirect to the file location?

gliff

3:19 pm on Jul 12, 2005 (gmt 0)

Referer checking is spotty at best. Some browsers, security programs and proxy servers won't send the referer along with the request. This means you may block someone who's legitimately trying to download the file.

If this were my project, I wouldn't redirect with a header. Instead, I'd use the readfile [php.net] function. You pass readfile a file path, and it will print the contents to the output buffer. If you set the correct header (see comments in above link) then "print the contents to the output buffer" means "downloads the file" or "display in browser".

This way, you can keep the real location of the maps a secret, or even store them outside a web accessible directory.

It looks like this comes up a lot on Webmaster World, so you should have plenty of reading [google.com] to help you out if you decide to take this approach.
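What serving through readfile looks like when the maps live outside the web root, as an added example and not gliff's code (the /var/maps directory, the id-to-filename convention and the download name are assumptions). The point a practitioner would add: build the path from the validated integer id only, never from anything a request could name, so the script cannot be asked for arbitrary files.

```php
<?php
// Added example, not code from the original thread: send a map with readfile()
// instead of redirecting, so the real file location never appears in a URL.
// MAP_DIR and the "<id>.w3x" naming are assumptions.
declare(strict_types=1);

const MAP_DIR = '/var/maps'; // assumed: a directory that is not under the document root

function map_path(int $id): ?string
{
    // The path is built from the integer id only, so no request can smuggle in
    // "../" or an absolute path. realpath() resolves symlinks, and the prefix
    // check then confirms the resolved file is still inside MAP_DIR.
    $base = realpath(MAP_DIR);
    if ($base === false) {
        return null;
    }
    $real = realpath(MAP_DIR . '/' . $id . '.w3x');
    if ($real === false || !is_file($real) || strpos($real, $base . '/') !== 0) {
        return null;
    }
    return $real;
}

function send_map(int $id, string $downloadName): void
{
    $path = map_path($id);
    if ($path === null) {
        http_response_code(404);
        exit('No such map');
    }
    // Force a download rather than inline display; a w3x file is a binary blob.
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . (string) filesize($path));
    // Keep the suggested filename to characters that cannot break the header.
    $safe = preg_replace('/[^A-Za-z0-9._-]/', '_', $downloadName);
    header('Content-Disposition: attachment; filename="' . $safe . '"');
    // Drop any output buffering so a large file streams instead of being held in memory.
    while (ob_get_level() > 0) {
        ob_end_clean();
    }
    readfile($path);
    exit;
}

$id = filter_input(INPUT_GET, 'download', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id) {
    // ... increment the download counter here, as the original script does.
    // The display name would normally come from the database row for $id.
    send_map($id, 'map' . $id . '.w3x');
}
```

Serving the bytes this way hides where the maps are stored, but on its own it does not stop anyone from linking to script.php?download=10; that still needs one of the checks discussed in this thread in front of send_map().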

Yamaha_R1

4:45 pm on Jul 12, 2005 (gmt 0)

With this approach, won't it download it anyway if they link to

script.php?download=10

Cuz then the script will process, use readfile, and send the file just like it would with header?

mogenshoj

5:29 pm on Jul 12, 2005 (gmt 0)

If you have a mysql database, you can insert a row with IP and time() when someone enters the download page.

When they click on the download, check again and only allow downloads if the IP has been inserted in the database within the last 10 minutes, or whatever you like.

Also write on the download page that the download session expires within xx minutes.
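The IP-plus-time() check described above, written with PDO prepared statements, as an added example and not mogenshoj's code. The table name download_visits, its columns, the 10-minute TTL and the sample addresses are assumptions; the demonstration at the end uses an in-memory SQLite database so the block runs stand-alone, and the same SQL works against the thread's MySQL server through PDO.

```php
<?php
// Added example, not code from the original thread: record IP and time() when
// the map page is shown, and allow the download only if that IP was recorded
// for that map within the last VISIT_TTL seconds.
// Table name, columns and the addresses below are assumptions.
declare(strict_types=1);

const VISIT_TTL = 600; // the "download session" length shown to the visitor

function record_visit(PDO $db, string $ip, int $mapId): void
{
    // Called when script.php?view=N is rendered.
    $stmt = $db->prepare(
        'INSERT INTO download_visits (ip, map_id, visited_at) VALUES (:ip, :map_id, :t)'
    );
    $stmt->execute([':ip' => $ip, ':map_id' => $mapId, ':t' => time()]);
}

function visited_recently(PDO $db, string $ip, int $mapId): bool
{
    // Called when script.php?download=N is requested. The IP string comes from
    // the network, so it is bound as a parameter rather than placed in the SQL.
    $stmt = $db->prepare(
        'SELECT 1 FROM download_visits'
        . ' WHERE ip = :ip AND map_id = :map_id AND visited_at >= :since LIMIT 1'
    );
    $stmt->execute([':ip' => $ip, ':map_id' => $mapId, ':since' => time() - VISIT_TTL]);
    return $stmt->fetchColumn() !== false;
}

function purge_old_visits(PDO $db): void
{
    // Rows older than the TTL can never match again; keep the table small.
    $db->prepare('DELETE FROM download_visits WHERE visited_at < :cutoff')
       ->execute([':cutoff' => time() - VISIT_TTL]);
}

// Stand-alone demonstration with a constructed in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec(
    'CREATE TABLE download_visits ('
    . ' ip VARCHAR(45) NOT NULL, map_id INTEGER NOT NULL, visited_at INTEGER NOT NULL)'
);

record_visit($db, '203.0.113.7', 10);                        // visitor opens script.php?view=10
var_dump(visited_recently($db, '203.0.113.7', 10));         // same IP asks for script.php?download=10
var_dump(visited_recently($db, '203.0.113.7', 11));         // same IP, a map page it never opened
var_dump(visited_recently($db, '198.51.100.9', 10));        // a different IP following an external link
purge_old_visits($db);
```

In the live script the address would be $_SERVER['REMOTE_ADDR']; X-Forwarded-For is set by the client and should not be used for this. Two caveats a practitioner would want: visitors behind the same NAT or proxy share an address, so one person opening the map page unlocks the download for all of them for ten minutes, and MySQL will want an index on (ip, map_id, visited_at) once the table grows.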

gliff

6:20 pm on Jul 12, 2005 (gmt 0)

Yamaha_R1, that's correct. I'm afraid I misunderstood your initial question. I thought your concern was people skipping the code that incremented the download counter.

The short answer is you can't stop people from linking directly to your images. That's just How The Web Works.

You could add a referer check vs. "from my page", but keep in mind that means some people are going to get to your map page and *not* be able to see images.

You could also monitor the site, and keep a list of URLs that link to your images, then do a referer check against this list before serving the images. That's a lot more work.

You could also create a sign-in system, where people had to register for an account to view the images, and then add a "is logged in" check before serving the images. That's a lot more work, and will make your site less popular.
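The referer check against a list of allowed sites, as an added example and not gliff's code (the hostnames are assumptions). It compares the parsed host exactly, so a lookalike such as an allowed name used as the prefix of another domain does not pass, and it makes the choice the thread keeps coming back to explicit: what to do when no Referer arrives at all.

```php
<?php
// Added example, not code from the original thread: allow the download only when
// the Referer host is on a list, and send everyone else to the map page.
// The hostnames in ALLOWED_HOSTS are assumptions.
declare(strict_types=1);

const ALLOWED_HOSTS = ['maps.example.com', 'www.maps.example.com']; // assumed

function referer_host(?string $referer): ?string
{
    // Returns the lower-cased host of the Referer URL, or null if there is none.
    if ($referer === null || $referer === '') {
        return null;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) ? strtolower($host) : null;
}

function referer_allowed(?string $referer, array $allowed, bool $allowMissing): bool
{
    $host = referer_host($referer);
    if ($host === null) {
        // Browsers, security software and proxies may strip the header, so the
        // caller decides whether a missing Referer is treated as "from our site".
        return $allowMissing;
    }
    // Exact match only: a substring test would let "maps.example.com.evil.net" through.
    return in_array($host, $allowed, true);
}

$id = filter_input(INPUT_GET, 'download', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id) {
    $ref = $_SERVER['HTTP_REFERER'] ?? null;
    // true: visitors whose Referer was stripped still get the file.
    // false: they are sent to the map page like everyone linking from outside.
    if (!referer_allowed($ref, ALLOWED_HOSTS, true)) {
        header('Location: script.php?view=' . $id, true, 303);
        exit;
    }
    // ... increment the download counter and serve the file, as the original script does
}
```

The Referer is supplied by the client and is trivial to set to any value (command-line download tools take it as an option), so this keeps casual hotlinkers and most spiders on the map page but is not a security control; it only shapes where ordinary browsers end up.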

Yamaha_R1

3:31 pm on Jul 14, 2005 (gmt 0)

Well not so much the images as the MAP files. They are large, and I wanted people to visit US to get them.

But yes, same exact theory; you understand.

Members? The way it works is we have a vBulletin forum. To submit and edit a map, it *does* open the VB mysql database and verify who you are.

But I wanted anyone to come download the maps, so long as they visit the page.

So I guess I bite the bullet and check the referer, although yes, some security programs and some users turn that off.