Is it possible to send file from a local URL?
I need to upload files in php from your local url, eg I open the web page with:
www ... upload.php?url=c://...file.jpg,
from the url GET,I would get the file on the pc and would upload, without using html or anything else that I have to choose, just with the file url.
Important, it can only be this way, it will not be possible to choose the file during the upload, it will only be a POST or GET with the local url.
I researched and found nothing related, if anyone can help
I think it is impossible for server to get a client file by using the file path.
But maybe you can use JS and FileSystemobject to prepare the file, make it to streaming and post to the server.
And you must know FSO need a high security permission and may be disabled on users' browser.
Related
Unable to correctly use php code to load a video mp4 file stored in home directory.
Hi, I am building a WP site that sells instruction video mp4 files. To protect the files I have placed them in a directory called videos which is in the home directory (outside of the public_html directory) to protect the files from being downloaded for free. I am trying to write php code for loading the video. However, I can't access the video in /home/username/videos.
My code:
add_action('template_redirect', 'video_redirect', 5);
function video_redirect(){
if (is_admin())
return;
if (!is_page(videoplayerpageonmysite))
return;
$filename="/home/username/videos/videofile.mp4";
echo " Your browser does not support the video tag.";
Each time I run the code I get a No video with supported format... error.
I'm only able to get it to load the video file when it is in the public_html folder (it works perfectly then), but not when it is located in /home/username/videos/
Please help!
You can't give the browser a file path on your server's hard disk and expect it to be able to load it. It will resolve it as a relative URL, ask the HTTP server for it, and then get a 404.
You need to give the browser a URL that actually loads the file.
If you want to limit who can access it (e.g. people who have paid), then you could write a PHP program that checks to see if the request is coming from someone who has paid (i.e. Authentication + Authorization), then reads the file and outputs it in the HTTP response.
You have to use a PHP script as the source URL in the video tag and specify some identifier for which video it should load e.g. src="loadvideo.php?id=1" or something. (This is because the source must be a valid URL which is actually accessible on the webserver - the browser, which don't forget runs on the user's machine not the server, cannot navigate to a path on disk. If it could, then moving your files outside the public_html folder would not provide any security!)
And then when the video tag is loaded into the page, it will make a request to that URL, which causes the PHP script to run. The script must associate the provided ID with the correct file on disk, fetch the contents of that file and echo them as the response, along with appropriate headers (e.g. mime type etc). You can probably find examples of this pattern online already.
Of course the PHP script will also need to authenticate the request to make sure the requestor is a signed-in, paid user, otherwise you still aren't protecting anything. Without this last step, anyone could just visit the PHP script's URL and provide an ID until they got a result, and download the videos just as if you'd put them in the public_html folder. As long as you implement security correctly though, only users who already paid for the videos would be able to download them.
I am trying to download an object/ file from AWS S3 to the local computer. I would like to provide the user with the opportunity to provide the local path. In HTML we have the
<form> and <input type="file">
elements to provide the user with the option to select a file from the file system for upload. How do we do the reverse? Any pointers would be greatly appreciated.
You can't.
Being able to do so would risk websites trying to put stuff in /etc/hosts, ~/.bash_profile, C:\Windows\System32, etc. You can set a (suggested) filename, but it's going to go to the browser's preferred Downloads folder.
It's a security issue to write anywhere you want to the filesystem. You can present it as a download (application/octet-stream / Content-Disposition) but the user's browser gets the right to choose in the end regardless.
You can force a file to download instead of display on a page from the server with a specific filename only, but it stops there. The browser has the choice of popping up a Save As dialog or saving it in the default Downloads folder.
Incidentally, when a user chooses to upload a file, you don't actually get the path either - you get a fake path and a user-defined real filename. On Windows Chrome, it sends something typically like c:\fakepath\ so it doesn't reveal overly-personal information in the path.
I am currently trying to retrieve a file from an FTP-Server in order to make it accessible for the user to download. ftp_get() writes it to a path on the local machine, yes, but what I want is that it also shows up in the download history and counts as "normal" download from the internet but I didn't figure out how to do this yet. I also tried to link directly to the file in PHP with header("Location: ftp://username:password#ftp.server.com/myfile.file") but this was resulting in the browser showing the files contents (which I didn't want). Did I miss any header-Parameters ? Or is there a completely different way to do this ?
You won't be able to "redirect" a user to a file so he can download it using FTP. This is a HTTP-thing. Browsers provides FTP features and make it look like HTTP but, in fact, those are different stuff.
If this file is only accessible through FTP and it is on a remote server, the only way I can imagine so you cand 'redirect' this download to the user is:
Download the file from the FTP to your application server through FTP in PHP;
Send it to the user using PHP and appropriate file headers, something like this: https://stackoverflow.com/a/7263943/2802720
Hope it helps.
I have a CDN that is storing media files. Each file I want to store as just the ID number of the file in the data so, file.zip = 4423342 on the server. The problem is, the CDN does not allow php or any form of programming. How can I make it so I have a local file that is used to set the headers and let me change it so when they download a file from the CDN it downloads as file.zip instead of 4423342. Now I know this is simple if the file is stored on the same server as the file that sets the headers.
Thanks!
If your CDN doesn't allow you to set the name/headers of the stored file, you cannot do it on your server. The user gets directed to the CDN server, and you can't "inject" anything into that connection.
I would look into looking up the options your CDN does offer.
For example, you might be able to append something like /file.zip to the end of the CDN url, and still get the correct file.
That is – if the CDN url is http://cdn.example.com/113312, maybe http://cdn.example.com/113312/file.zip works as well.
I am trying to secure my PHP Image upload script and the last hurdle I have to jump is making it so that users cannot directly excecute the images, but the server can still serve them in web pages. I tried changing ownership and permissions of the folders to no avail, so I am trying to store the images above public_html and display them in pages that are stored in public_html.
My File Structure:
- userimages
image.jpg
image2.jpg
- public_html
filetoserveimage.html
I tried linking to an image in the userimages folder like this:
<img src="../userimages/image.jpg">
But it does not work. Is there something I am missing here? If you have any better suggestions please let me know. I am trying to keep public users from executing potentially dangerous files they may have uploaded. Just as an extra security measure. Thanks!
You want something that's basically impossible.
The way a browser loads a page (in a very basic sense) is this:
Step 1: Download the page.
Step 2: Parse the page.
Step 3: Download anything referenced in the content of the page (images, stylesheets, javascripts, etc)
Each "Download" event is atomic.
It seems like you want to only serve images to people who have just downloaded a page that references those images.
As PHP Jedi illustrated, you can pass the files through PHP. You could expand on his code, and check the HTTP_REFERER on the request to ensure that people aren't grabbing "just" the image.
Now, serving every image through a PHP passthru script is not efficient, but it could work.
The most common reason people want to do this is to avoid "hotlinking" -- when people create image tags on other sites that reference the image on your server. When they do that, you expend resources handling requests that get presented on someone else's page.
If that's what you're really trying to avoid, you can use mod_rewrite to check the referer.
A decent-looking discussion of hotlinking/anti-hotlinking can be found here
Use an image relay script!
To serve a imagefile that is outside the public_html folder you would have to do it by a php script. E.g make a image-relay.php that reads the image that is outside the public html...
<?php
header('Content-Type: image/jpeg');
$_file = 'myimage.jpg'; // or $_GET['img']
echo file_get_contents('/myimages/'.$_file);
?>
Now, $_file could be a $_GET parameter, but its absolutley important to validate the input parameter...
now you can make an <img src="image-relay.php?img=flower.jpg"> to access a flower.jpg image that is located in /myimage/flower.jpg ...
Well, a web browser will only be able to access files and folders inside public_html.
If the public_html directory is the root of the server for your users, Apache cannot serve anything that is not inside/below that dorectory.
If you want a file to be served by Apache directly, you'll have to put it in/below public_html.
I think your misunderstanding is in the fact that if you include an image in an <img> tag, your browser will send the exact same request to the webserver to fetch it, that will be sent to the webserver if you try to open the src url of the image in your browser directly.
Therefore, either both things work, or neither.
There are hacks around, involving a (php or other) script to make sure that an IP that has requested the image has also requested the html page within the last few seconds (which will not work if the user is behind a proxy that rotates outgoing IPs) or by checking the referer (which does not work with HTTPs and also not if the user has referer disabled).
If you want to make sure that only some users can see the image (both via <img> tag and directly), you can put the image outside public_html and have a (php or other) script that verifies the user's credentials before serving the image.
If you are using Apache or lighttpd you can use the X-Sendfile header to send files that are not in the web root(provided you haven't changed the configuration of mod_xsendfile).
To learn more about X-sendfile see this site.
This solution is giving you the best possible performance as PHP doesn't send the file but the server does and therefore PHP can be exited while the files are being served.
Hope that helps.