I have a website where users can login and are identified by sessions and $user[id]. They can upload files. Files are stores in htdocs/uploads. Every file data is stored in a table to have a link between filename, location and user_id. On some places on my website i give the possibility to download the file by: <a href="' . $row['path'] . '" target="_blank" download>Download file</a>.
Behind $row['path'] a URL like domain.com/uploads/filename.jpg is given. If the user know this URL path he can download the file also without login or identification by entering the URL into a browser. I want to avoid this. How can i ensure, that only files can be downloaded from htdocs/uploads by click on such a download link on my website.
=> I am not able to create a folder outside htdocs
=> I have tried to change the folder permissions but w/o success
=> My website is basically made in PHP, a solution in PHP is prefered.
Any idea/help available? Thank you!
You will need to go down the route of making PHP serve the file for you. This will ensure that you can validate user credentials before serving the file.
See examples on php.net here. This will explain how to serve files from PHP using header(). This answer also outlines some of the key concepts.
Once you've done this, you can deny direct access to these files using htaccess rules. This will ensure users can only access the files via the php endpoints, and those endpoints can perform validation of the user's credentials.
I have solved it by doing following:
Added a .htaccess file in my folder htdocs/uploads with following content:
<FilesMatch ".*">
Order Allow,Deny
Deny from All
</FilesMatch>
Created a file: file_download.php with following content:
// Doing here some user verification based on the session and user_id
if($user['id'] != 'something i want to be') {
die('Not allowed to download this file');
} else {
// Verify the download as requested
// Basic file name
$file = basename($_GET['file']);
// Path where the file should be stored
$file = 'uploads/'.$file;
if(!file_exists($file)){ // file does not exist
die(''.$file.' file not found');
} else {
header("Cache-Control: public");
header("Content-Description: File Transfer");
header("Content-Disposition: attachment; filename=$file");
header("Content-Type: application/zip");
header("Content-Transfer-Encoding: binary");
// read the file from disk
readfile($file);
}
}
Changed the download link from <a href="' . $row['path'] . '" target="_blank" download>Download file</a> to <a href="file_download.php?file=<?= $row['path'] ?>Download</a>
This way is blocking any try to download a file by using clear URL in the browser. the file can only be downloaded by having a user identification and the provided link from my website. If someone does not need the user verification, just delete the first if/else in the file_download.php.
Related
On a godaddy hosted website using CPanel, I have a small PHP script that shows each line in a text file that's on the server. Each line contains a private href link to a PDF that only the logged-in user can see. The links points to various PDFs in the same folder on the server. The code works fine and I can click on the link and see each PDF.
The problem is that each PDF can also be seen by using a direct URL query (i.e. website/folder/pdfname.pdf). As these are private PDFs, I don't want them public. I've tried changing CPanel permissions on the folder to "owner" - but that seems to prevent the PHP script from opening the PDFs also.
Is there a way to allow a PHP script access to PDFs in a folder - but prevent direct URL references?
NOTE: I'm not particularly adept at PHP or CPanel - sorry.
Code...
$fname = "PDF-" . $user_name.".txt";
$fnum = fopen($fname,"r");
echo "<tr>";
While (($str = fgets($fnum)) !== false) {
$arr = explode("|",$str);
for ($x = 0 ; $x < count($arr); $x++) {
echo "<td>$arr[$x]</td>";
}
echo "</tr>";
}
echo "</tr>";
fclose($fnum);
File contents...
Xyz Company|21 Jan 2018| website link
Xyz Company|21 Jan 2018| website link
Xyz Company|21 Jan 2018| website link
Xyz Company|21 Jan 2018| website link*
Asside from removing the files from the root, if you are running apache, you can change your .htaccess (I'm sure windows-based system have a web.config equivalent) to forbid access to certain files directly. If you add this snippet to that file, it will deny files with .pdf extension:
<FilesMatch "\.(pdf)$">
Order Allow,Deny
Deny from all
</FilesMatch>
From there, inside your app, you can create some sort of system for curating your PDF links, so if you store the real path in a database and use the id as the link similar to:
http://www.example.com/?file=1
or if you just do a simple scan:
<?php
# The folder that the PDFs are in
$dir = __DIR__.'/website/folder/';
# Loop over a scan of the directory (you can also use glob() here)
foreach(scandir($dir) as $file):
# If file, create a link
if(is_file($dir.$file)): ?>
<?php echo $file ?>
<?php
endif;
endforeach;
Then, if the user tries to download using the link, you check they are first logged in and if they are, download the file by doing a script like so BEFORE you output anything else to the browser (including spaces):
<?php
session_start();
# First check that the user is logged in
if(empty($_SESSION['username']))
die('You must be logged in to download this document.');
# Not sure which directory you are currently in, so I will assume root
# I would do basename() here incase the user tries to add in something like:
# ../index.php and tries to download files they are not supposed to
$file = __DIR__.'/website/folder/'.basename($_GET['file']);
if(!is_file($file))
die('File does not exist.');
# Double check that the file is a pdf
elseif(strtolower(pathinfo($file, PATHINFO_EXTENSION)) != 'pdf')
die('File appears to be invalid.');
# Start download headers
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="'.basename($file).'"');
header('Expires: 0');
header('Cache-Control: must-revalidate');
header('Pragma: public');
header('Content-Length: ' . filesize($file));
readfile($file);
exit;
One simpler and basic example (and derivative of previous answer) is to use two separate PHP files, where one is evaluating a set cookie (set to expire soon) in the browser upon link click (set via JS or PHP or other). If the cookie was read correctly, the first PHP page imports a second page that utilizes the PHP header() redirect containing your original file name forcibly downloaded with another name. Using the Content Disposition header field.
In action this works like this
1: Original page with download links - we set the cookie to work for 2 minutes
<a onclick="setCookie(1, 1, 2, 60)" href="php-secure-files-delivery-page.php">Download My Final PDF name.pdf</a>
<script type="text/javascript">
// set a cookie with your own time limits.
function setCookie(days, hours, minutes, seconds) { // Create cookie
var expires;
var date = new Date();
date.setTime(date.getTime()+(days*hours*minutes*seconds*1000));
expires = "; expires="+date.toGMTString();
document.cookie = "my_cookie_name"+"="+"my_cookie_value"+expires+"; path=/";
}
</script>
On the link page we include a hyperlink with the evaluating PHP page. Here we use JavaScript to set a cookie using the custom function setCookie(days, hours, minutes, seconds), that will receive your wishes for expiry. Just note that 1 is the minimum number. Not 0.
2: Download page - evaluating cookie and presenting texts, or simply downloading the file
(php-secure-files-delivery-page.php)
<?php
// if the cookie is set correctly, load the file downloader page.
if (isset($_COOKIE['my_cookie_name'] && $_COOKIE['my_cookie_name'] === 'my_cookie_value')) {
require_once 'file-downloader.php'; // the file will force the download upon import.
} else {
die('The link expired, go to your downloads section and click on the link again.');
}
?>
Here we evaluate the cookie, present either the correct info or die(). Using require_once we get the PHP page into the current one.
3: Imported file includer PHP page
(file-downloader.php)
<?php
// We'll be outputting a PDF
header('Content-Type: application/pdf');
// It will be downloaded as your-downloaded.pdf
header('Content-Disposition: attachment; filename="your-downloaded.pdf"');
// The PDF source is in your own specified long name
readfile('original-with-really-weird-original-name.pdf');
?>
Results
User always go to the same page, being presented with the appropriate information.
You can name your original files on your server anything you want, like "my_really_difficult_and_long_file_name.pdf", while the user sees only the nice pretty file name when the file is downloaded.
for more files, use an extra input in the cookie function to take the file name too, and some if statements in the php downloader page, that looks for separate end PHP pages to require_once.
If you go to the browsers "Downloads" section to try to get the url of the downloaded file, you see the initiating PHP page, the second page, that leaves you empty with a die() if no correct cookie was set. That cookie is only set when you want it to. On your pages. You can of course do this in JavaScript too, but that will expose the cookie, still, for most unauthorized sharing, that takes care of it.
Lastly, easy security for your folder (without Apache/Nginx/.htaccess stuff)
Using .htaccess files on local folders or directives on your server is the best and most secure way. But that´s not transferable to your other applications on other systems. Instead use a index.php and a default.php page on your PDF file´s parent folder, where they are located, including this header redirect to wear off unwanted visits:
<?php
header("Location: http://yoursite.com/some-other-page/"); /* Redirect browser here */
?>
I'm working on file storage and my design is to display data from my database about the file along with a button fitted with an a href tag to download my file. I successfully do all of this when I keep my storage in my website root - but upon suggestions, i've made changes.
I now have my project root in my C:/ drive but my storage I want outside of the root but I keep my storage in my d:/ drive, per suggestions due to security - along with the fact my d:/ drive is my cloud storage anyway. From what I see online, that means I can't use <a href="d:/storage/Username/file download> anymore to download my file!
If that is true, how do you download from outside your website root?
And if not, how do I get past the security restrictions on downloading outside the root using my href method?
Thanks!
you can use readfile()
either link to downloader.php?f=somefile.jpg
of use rewriterules.
in downloader.php do something like
<?php
$path = 'D:/map/';
if( login_check($user) && is_file($path . $_GET['f']) ) {
header('Content-Type: image/jpeg');
readfile($path . $_GET['f']);
}
?>
I added the login_check() because you mentioned something about security.
Further it could be advisable to check the parameter for illegal characters (especially slashes)
And the content type may vary with chosen file
Got it to work, thanks for the start from Ivo P.
I started by sending to download.php my file name, file extension, and file path all separated by * (The * is not an allowed file name). An example is:
download.php?f=myTextFile*txt*d:/storage/test/myTextFile.txt
Then, I explode $_GET['f'] by *, make sure the array is size 3, then set content headers:
$file_info = explode("*", $_GET['f'], 3);
if(is_file($file_info[2]) && count($file_info) == 3) {
header('Content-Description: File Transfer');
header("Content-Type: " . mime_content_type($file_info[2]));
header('Content-Disposition: attachment; filename="'.$file_info[0] . '.' .$file_info[1].'"');
header('Expires: 0');
header('Pragma: public');
readfile($file_info[2]);
}
And that was the working solution for me! Tested on txt, jpg, and exe - works perfectly. I have other personalized for my project tests to make sure that 'f' is valid (so users can't screw it up by going to address bar and making a mess of things, see real_escape_string) but that's the gist of it!
Edit thanks to Bjorn: Keep in mind this allows full access of server, make sure you personalize your own download.php to accept inputs following your own format (otherwise anyone could steal your php files, js files, ect!)
When user want to download file from my web site, user have to click link like below
https://www.example.com/download.php?aaa=111&bbb=222
download.php
<?PHP
session_start();
include("connect.php");
$aaa = mysql_real_escape_string($_GET[aaa]);
$bbb = mysql_real_escape_string($_GET[bbb]);
if(($aaa = '111')&($bbb = '222')) // this line is example for ask stackoverflow //
{
$filePath_try_to_download = 'attachments_files/test.pdf';
if(file_exists($filePath_try_to_download))
{
$fileSize = filesize($filePath_try_to_download);
$fileName = "test.pdf";
header("Cache-Control: private");
header("Content-Type: application/stream");
header("Content-Length: ".$fileSize);
header("Content-Disposition: attachment; filename=".$fileName);
// Output file.
readfile ($filePath_try_to_download);
exit();
}
}
?>
I want to know when user download file from this link https://www.example.com/download.php?aaa=111&bbb=222 user can get my file path on server or not (attachments_files/test.pdf). If user can get my file path, how can i hide it's ? (file in this dir is very importance)
Since I was posting comments from my Phone, they couldn't really explain much, so here goes your answer.
I want to know when user download file from this link https://www.example.com/download.php?aaa=111&bbb=222 user can get my file path on server or not (attachments_files/test.pdf).
No, Users can not see that file path which you are reading via readfile(). They will not be able to find out that file's location at all.
And if you want to eliminate any chances of people guessing the file path simply put those files outside of your web root folder and then readfile() them from there.
$filePath_try_to_download = 'attachments_files/test.pdf';
That path is only known to your PHP code, which is not visible to users hence they have no idea from where did you read the file they are downloading, just eliminate the guesswork chances though :)
And Obviously you have to secure access to this url https://www.example.com/download.php?aaa=111&bbb=222 otherwise what's the point!
No. The user cannot get the file path. He only get the content outputed by PHP script.
Your can do this and the user only get the "Hello" string. So it's your PHP script's role determining which contents the user can get.
<?php
echo "Hello";
?>
I have zip files in my website and I made a log in system so only users with valid passwords can download the zip files ONCE.
But there is always a possibility that they can download the zip files directly by entering the file path in the browser address bar.
You can get the link of the zip file by viewing the source code.
How can I deny people from downloading zip files by simply posting the file link in the browser address bar? is possible?
Instead of placing the file in a web accessible folder (/var/www/ for example), place it above it so users can't browse to it (like /var/files). Then to serve it to your users, after they type the password, with a php script, have the script set the headers as they would if it were a file, and use readfile to output the contents of the file to the user.
Firstly, create a folder in your root (~/) called secure_zip or something. This should sit alongside your public_html folder (meaning they cannot be accessed by typing in a URL).
Next, create a new php script, called file.php or something:-
<?php
public function sendFile() {
$filename = "sample.zip";
$attachment_location = $_SERVER["DOCUMENT_ROOT"]
. "../secure_zip/" . $filename;
if (file_exists($attachment_location)) {
header('Cache-Control: public'); // needed for i.e.
header('Content-Type: application/pdf');
header('Content-Disposition: attachment; filename="' . $filename . '"');
readfile($attachment_location);
die();
} else {
die('Error: File not found.');
}
}
And call sendFile() if you authenticate the user using whatever logic you like, eg:
if (true) { sendFile(); }
I am trying to provide .pdf and .doc files to authorized users on a website. The user can only see the file selection page when logged in but this doesn't prevent an unauthorized user from viewing the documents if they have knowledge of the full URL.
How can I prevent unauthorized users from accessing these files?
the answer is quite simple,
#Jonnix has posted this as I was typing but I will explain a little more for you
one put your files outside of your public HTML directory if your unable to do this look at #Andri answer for an alternative
E.G cpanel setup
user/public_html
/public_html/download.php
user/documents/
/documents/file.doc
/documents/file.pdf
#dhh has posted a basic download.php php file however as your wanting to force download their things you can do like finding and supplying the correct mime type here is an extension on to his code as to the best way to 1 force download of a file, and 2 allow different file types
download.php
//check users is loged in and valid for download if not redirect them out
// YOU NEED TO ADD CODE HERE FOR THAT CHECK
// array of support file types for download script and there mimetype
$mimeTypes = array(
'doc' => 'application/msword',
'pdf' => 'application/pdf',
);
// set the file here (best of using a $_GET[])
$file = "../documents/file.doc";
// gets the extension of the file to be loaded for searching array above
$ext = explode('.', $file);
$ext = end($ext);
// gets the file name to send to the browser to force download of file
$fileName = explode("/", $file);
$fileName = end($fileName);
// opens the file for reading and sends headers to browser
$fp = fopen($file,"r") ;
header("Content-Type: ".$mimeTypes[$ext]);
// this header tells the browser this is a download and not to try and render if it is able to E.G images
header('Content-Disposition: attachment; filename="'.$fileName.'"');
// reads file and send the raw code to browser
while (! feof($fp)) {
$buff = fread($fp,4096);
echo $buff;
}
// closes file after whe have finished reading it
fclose($fp);
P.S here is a big list of mime types if you want to add support for other files
https://www.freeformatter.com/mime-types-list.html
What you can do, is provide the equivalent of a PHP proxy for the files.
Put the files outside of the webroot, then write a script that checks the user is allowed access. If not, redirect them, if they do, set the appropriate headers and output the file data.
You should store all downloads outside your public / user-accessable doc root (but inside your basedir, of course) and add a download script for sending the download if the user is authorized.
Here's some example of how to "send" a file for downloading it.
$file = "ireland.jpg";
$fp = fopen($file,"r") ;
header("Content-Type: image/jpeg");
while (! feof($fp)) {
$buff = fread($fp,4096);
print $buff;
}
This did the job for me: I placed a .pdf and a .htaccess file with the following code in it in a normal folder (i named it "docs") on my apache webserver.
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
<Files /index.php>
Order Allow,Deny
Allow from all
</Files>
Then i took the code from Martin Barkers answer above, changed the filepath to "docs/sample.pdf", and pasted it into a .php file in my root directory. That's it. You can't access the file per url now, but you can download it if you run test.php.