Here is a simple way to control who downloads your files...

You will have to set: $filename, $downloaddir, $safedir and $downloadURL.

Basically $filename is the name of a file, $downloaddir is any dir on your server, $safedir is a dir that is not accessible by a browser that contains a file named $filename and $downloadURL is the URL equivalent of your $downloaddir.

The way this works is when a user wants to download a file, a randomly named dir is created in the $downloaddir, and a symbolic link is created to the file being requested.  The browser is then redirected to the new link and the download begins.

The code also deletes any past symbolic links created by any past users before creating one for itself.  This in effect leaves only one symbolic link at a time and prevents past users from downloading the file again without going through this script.  There appears to be no problem if a symbolic link is deleted while another person is downloading from that link.

This is not too great if not many people download the file since the symbolic link will not be deleted until another person downloads the same file. 

Anyway enjoy:

srand((double) microtime() * 1000000);
$string '';
for (
$i 1$i <= rand(4,12); $i++) {
$q rand(1,24);
$string $string $letters[$q];
$handle opendir($downloaddir);
while (
$dir readdir($handle)) {
   if (
is_dir($downloaddir $dir)){
      if (
$dir != "." && $dir != ".."){
unlink($downloaddir $dir "/" $filename);
rmdir($downloaddir $dir);
mkdir($downloaddir $string0777);
symlink($safedir $filename$downloaddir $string "/" $filename);
Header("Location: " $downloadURL $string "/" $filename);
2000-12-04 10:54:16
Olszewski's method of creating downloadable links on the fly is pretty good.

I use a different technique under Apache where if you want a file, you might use a url like:

But in fact Apache redirects this to a script with a url like:

(The browser address bar will still show the first url).

The script downloadfile.php can then handle all the mucky stuff like checking session variables to see if someone is logged on, whether they have access to mysecretfile.doc, and if you want to encrypt before download.

An advantage of this is that the php code to achieve the equivalent of Olszewski's is shorter, so might execute faster. But more importantly, a casual hacker might think all he has to do is find myverysecurefile.doc under the /home/user/public_html/files/mysecretfile.doc, or copy the url - but there's nothing there! He won't find it or get an Apache error page.
2005-03-15 10:49:06
To make your code portable on unix AND win32, do the following
1. Download
2. Unzip, put linkd.exe in C:\Windows\System32 or C:\WINNT\System32
3. Include in your code the following
function _syslink($t /*target*/ ,$l /*link*/ ) {
 if (
exec("linkd ".$p.$t." ".$p.$l);
 } else 
_unlink($l /*link*/ ) {
 if (
exec("linkd ".$p.$l." /D");
 } else 
4. Enjoy
_symlink(TARGET,LINK) works like symlink() on *nix
_unlink(LINK) to delete properly the link created
2005-09-11 11:04:51
Olszewski seems pretty good, but just to boost the security a bit, the fifth line of his script should read
$q rand(1,26); 

instead of rand(1,24).
2005-12-29 09:21:14
Olszewski_marek makes a good suggestion, but the readfile() function can also be used to obscure file downloads from end users.

/* Setup the file that will be sent */
$downloadDir = "some/secret/directory/";
$file = "theFileName.dat";

/* Required for IE, otherwise Content-disposition is ignored */
if(ini_get('zlib.output_compression')) ini_set('zlib.output_compression', 'Off');

/* Output HTTP headers that force "Save As" dialog */
header("Pragma: public");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Cache-Control: private",false);
header("Content-Type: application/octet-stream");
header("Content-Disposition: attachment; filename=\\"$file\\";");
header("Content-Transfer-Encoding: binary");
header("Content-Length: ".@filesize($downloadDir.$file));

/* Prevent the script from timing out for large files */

/* Send the entire file using @ to ignore all errors */

/* Exit immediately so no garbage follows the file contents */
2006-02-14 19:15:36

 * A function to emulate symbolic links on Windows.
 * Uses the junction utility available at:
 * Note that this will only work on NTFS volumes.
 * The syntax of the junction utility is:
 * junction <junction directory> <junction target>
 * Note that the parameter order of the Junction command
 * is the reverse of the symlink function!
 * @param string $target
 * @param string $link
function _symlink$target$link ) {
  if (
$_SERVER['WINDIR'] || $_SERVER['windir']) {
exec('junction "' $link '" "' $target '"');
  } else {

_unlink($link ) {
  if (
$_SERVER['WINDIR'] || $_SERVER['windir']) {
exec('junction -d "' $link '"');
  } else {
2006-11-04 06:33:10
The one difference to using symlinks for controlled file access vs. readfile() is that the HTTP server will handle content-type of the symlink automatically.

If you always want it to be downloaded, this can be a negative point. However, if you want a file of non-predefined type to be viewable in the browser, this can be a real asset.

Of course, you can use fileinfo/mime-magic to do that, but those require a module which isn't always available on shared hosting.
2007-03-23 16:51:33
Um, duh... that's all I gotta say about by previous note. Please delete it. :)

Windows Vista has its own symlink program now (mklink). Hopefully future versions of PHP for Windows will have this function put it?

Anyway, this will work on Vista (assuming your PHP user has the proper permissions):
symlink ($target$link$flag SYMLINK_FILE) {
    switch (
$flag) {
SYMLINK_DIR$pswitch '/d'; break;
SYMLINK_JUNCTION$pswitch '/j'; break;
$pswitch ''; break;
// Change / to \ because it will break otherwise.
$target str_replace('/''\\'$target);
$link str_replace('/''\\'$link);
exec('mklink ' $pswitch ' "' $link '" "' $target '"');
2007-04-12 09:44:45
This function sometimes just fails to work for no appearent reason, returning FALSE and not creating a symlink. Doing the same with exec('ln -s source dest') works perfectly. I recommend using the latter.
2007-11-14 15:01:47
Keep in mind when using a shared filesystem such as NFS, that you probably don't want to create a symbolic link with absolute paths e.g.

On Server1 you are running a PHP script that needs to create a symbolic link called widget2 which links to widget1 inside an NFS share mounted on your localhost at /mnt/nfs/widgets

On Server2 this same NFS share is mounted under /usr/local/widgets

If you used absolute paths on Server1, then Server2 would try to reference /mnt/nfs/widgets/widget1 which it won't be able to find...

You need to cd into the directory first, then create the link - that way the link will be relative. Unless you run the PHP script from the same directory where you'll be creating the symbolic links, then you can't use symlink(). Use exec() instead as follows:


("cd <nfs mount path>; ln -s <target> <link_name>"); 

2009-11-11 21:36:19
Symlinks on windows  are created by Symlink() which accept only absolute paths  but not relative paths .relative paths on windows are not supported for symlinks
2010-04-27 19:33:24
On IIS (Internet Information Services), you need to set permissions to allow the creation of symbolic links.

Go to Local Security Policy -> Local Policies -> User Rights Assignment and right click on Create symbolic links -> Properties -> Add User or Group and add the "IUSR" user, which should be the user associated with IIS.
A restart may be required.

If this doesn't work, go to IIS Manager -> Authentication -> select Anonymous Authentication -> Edit and enter your current logged in user, which should be an administrator.
Hit OK and now the symlink() function in php should work fine.
2012-08-01 21:06:32
Context:  php cli on windows OS.

Do not forget to start the console with "Run as Administrator" else symlink will return 'false' and raise the following error :
Warning: symlink(): Cannot create symlink, error code(1314)
2014-06-04 16:21:16
If symlink seems not to work correctly, try to define the target argument as an absolute path.
Coding on MacOsX PHP5.5, I noticed that in some cases using an absolute path on the target argument was the only way I could have a proper symlink created.
2014-08-28 00:09:11
sym/hard linking i love to do it relative a lot but not that trivial when thinking wrong :-)
manpage says: the target is the _linkname_ and from that point to create relative links successful is to start from the directory where the link should be created e.g.: 

chdir( realpath(dirname($target))); 
You need to create/find out the relativ path to the source, otherwise the absolut path will be used in a link.

if you start to create the target path from the source eg: 
"/myfiles/now/here/../../later/" and links should go to /myfiles/later/ you need to use realpath( dirname() ) set the new location using chdir() and start from here to link to the source which is ../now/here/
This you can find out e.g.: when having the absolut path of source and target:
$dirTo = realpath(dirname($to));
$linkName = basename($to);
$target = $dirTo . DIRECTORY_SEPARATOR . $linkName;
$srcFile = getRelativeDirectory($from, $to); //basicly a function which will find the from -> to, but in this case the from ist the target where you need to start. 
below you can find some examples how to split the path in chunks to find a relativ path
2015-03-26 17:55:32
Be warned that at least with php 5.3 on windows 2008 R2 the symlink function is effected by the statcache. 

I got error 183 indicating the link existed. While the symlink was actually moved to a different location by  another process and would certainly not exist anymore.
Calling clearstatcache with a filename does not work. Most probably as the filename is converted to a device path (e.g. "\Device\HarddiskVolume1\D-Drive\www\pp\#static\index.html") which is a requirement for the windows call.

easiest is to just call clearstatcache without a filename to resolve the issue.

if you really want to call clearstatcache with a filename you could use readlink on the already deleted symlink (that still lives in the statcache) to get the filename. 
For example something like this:
//link failed, perhaps a statcache issue? We try to get the target, if it is a statcache issue this should work just fine

if(($rl = @readlink($target))===false) return false//not a cache issue as stat on a non-existing file failed, something else must be wrong...

//clear the stat cache for the actual target, strangely enough this works even-though this is the target and not the symlink to be created (*)

symlink($source,$target) ===false) return false//can't create the symlink

*It looks for PHP on windows like the statcache is maintained on the target instead of the actual symlink (this would ease in getting the file properties and limit the size of the statcache)
2015-08-11 15:20:00
If you use the suhosin extension, you must allow symlink with :
> suhosin.executor.allow_symlink = On

Check your /var/log/syslog file for more information :
> suhosin: ALERT - symlink called during open_basedir
2017-12-08 18:20:31
To remove symlinks you need to use:

- rmdir() on Windows
- unlink() elsewhere

function removeSymlink($path) {
    if (
2018-04-02 14:37:55

    Поддержать сайт на родительском проекте КГБ