A script on my website uploads images to mysite.com/uploads and generates a path to the image uploaded like mysite.com/uploads/123456789.jpg.
The image should only to visible to users with a path to the file. The folder shouldn't list out its contents.
The script is built using PHP and runs on a Linux system (CentOS) managed by cPanel. I am new to Linux and I don't understand how this can be done and I need your help with it.
I beleive that's not PHP issue. If you using Apache webserver you need a .htaccess file in that folder with the following content:
Options -Indexes
And also you can try simply add empty file index.html in each directory you'd like to hide.
Related
I have a server that contains a simple php file for downloading images and a folder containing those images.
<?php
$filepath = "myFiles/" . $_POST["file"];
if (file_exists($filepath)) {
$file = fopen($filepath,"r") or die();
echo fread($file,filesize($filepath));
fclose($file);
}
?>
This download.php file as well as the myFiles folder are both located in the www/html/ folder.
I am trying to figure out a way to make it so that my PHP script can access my image files, while keeping the files locked away from regular visitors. My problem is that if I set permissions that the files can't be viewed through the browser, then the PHP script can't access them either. So either both have access or neither does.
Am I on the correct track? How could I make it so that I can download my images using a PHP script while keeping the images otherwise inaccessible?
That won't be something you can handle using the linux file system permissions. You can put back the linux permissions to what they were initially for the files.
Instead, if you have a /home folder, I would recommend putting the original files to hide there. Check with your webhost if you have one.
Otherwise, if you have to put everything in www absolutely, then put the files to hide in a new subfolder, e.g. "hidden-files", and in that folder put a .htaccess file inside to block direct browser access to the files. The .htaccess file can be a one-line file with Deny From All command inside.
This way your files will only be able to be proxied through download.php.
I'm using the code in Tom's response here. However I have a script that automatically generates .html files into my public_html folder. These files are then loaded by my .php file, which looks something like this:
<?php
require('./access.php');
include('./secret_information.html');
?>
However the "secret_information.html" file is viewable by anyone without the password. I am running an Apache web server. As I understand, all html code / images to be used on a website need to be in the public_html folder. So how can I hide this information? Do I need to setup my automated scripts to generate .php files rather than .html or is there another solution?
include can access any file, as long as it is accessible by the web server.
So you can put secret_information.html anywhere in the file system, preferably outside of the document root or public_html.
If you must keep the file inside your publicly accessible web for some reason, you may use Apache's Authentication and Authorization facility.
I have a 2.5GB file that I want to allow users to download after they buy it. I originally planned on hiding the file and then just using readfile to dump the file's contents with .zip headers but my GoDaddy server apparently won't allow me to use readfile on such a large file, so I'm stuck with changing the name of this important file every hour. But if someone can just list all the files on my www folder anyway then people can take it without paying for it.
Any suggestions?
As long as you don't allow indexing of the directory then they can't obtain a file listing. To do that create a .htaccess file in the directory and add:
Options -Indexes
Alternatively, if the folder has an index page this will also prevent the server disclosing a directory listing and instead serve the index page.
if you have more than 5 gig host so use the php exec command to copy your file with another name
let say you keep your file with a unguessable name in a unguessable folder
so whenever the buyer confirm the order then you copy the file to a known folder with user-generated name, then pass the link to user
if your host is linux then use cp command if it's windows use copy
use something like cp oldname.ext newname.ext or copy oldname.ext newname.ext
after a certain time you will delete the file in the known folder
environment
---------codeigniter framework
----------document sharing, links to download the files
mission
--------------files are allowed to download
--------------the folder which contains the files are
not allow to be seen by the user
Here I want to prohibit the user from seeing that folder, if I type the folder address I see all the files, I want to deny it. but the inside file not deny accessible
thanks in advance
Put a .htaccess file in that folder. .htaccess files are used by the server to follow some set rules. You should create this file with a basic text editor such as notepad, but not MSWord or a wysiwyg editor.
Search your FTP, there might already be one, it might also be hidden so make sure you open the FTP with the option to see all files option -a.
In the retrieved or newly created file, put the line
Options -Indexes
This will disable folder listing, giving a "Forbidden" error.
Another option, is to simply put an index.html or index.php file in the folder, that way when typing the folder name as URL will serve the index page instead of the folder root. And it also allows you to display a user friendly error.
Personnaly, I use both options.
I am trying make a php script to list the files of a folder above my web directory...I follow a small thing I found here which talked about
a symlink pointing to /var/uploads
a Apache Alias directive Alias /uploads /var/uploads
I did both of these.
$myDirectory = opendir("/var/stuff/stuff/");
That directory there links to like when I go in winscp and click that folder it directs me to it....and when I run my script to list all files inside /var/stuff/stuff/ it lists what is in /home/stuff/stuff.
The thing is when I click the links that it produces I get a not found on the server
The requested URL /stuff was not found on this server.
Would someone please be able to assist me with this?
Since the files are not under the root directory, you will not be able to download them directly, but What you can use for this issue is to create a downloader gateway.
I'll explain:
create a php script somewhere in your app, lets call it downloader.php
the downloader script would get a parameter, lets say: filename
now we could call the script like: http://YOUR-URL/downloder.php?filename=file-to-download
in your downloader.php file you can get the file name, read it from the file system, then force it to be downloaded by out puting its content and configure the correct headers
I'm not sure if you still need that but, if you need more assistance I can help you more with some code samples
ideally you can use .htaccess to hide your downloader gateway script