My website is build in PHP and i integrated stripe payment. If user payment through stripe is successful then i need to open a PDF file which is hosted
on same server where code is running.
Below is the code i am using to open PDF file:
$file = 'test.pdf';
$filename = 'test.pdf';
header('Content-type: application/pdf');
header('Content-Disposition: inline; filename="' . $filename . '"');
header('Content-Transfer-Encoding: binary');
header('Content-Length: ' . filesize($file));
header('Accept-Ranges: bytes');
#readfile($file);
I don't want test.pdf file to be accessible directly. So if i change permissions of test.pdf to 777 then code runs and opens PDF file but it also enable anyone to open file through direct link. If i change permissions so that access to this file is restricted to code files then it is not opening the pdf file. How can i achieve this so that PDF file can be opened after successful stripe payment but not through direct URL.
You can prevent the direct access of the file by a .htaccess (or vitual host configuration) with a 'Deny from all'. The 'readfile()' will work if the server user (www-data for example) has the read and execute rights on the pdf
Related
i have create a website in my localhost using php and i put a htaccess file within my picture folder to prevent direct access to the file through the browser. in htaccess i put this Deny from All to protect my picture folder, it does prevent me from accessing the file in the folder if i type the direct link to the file in my browser but when i use php force download and set the path to the folder and the file name my computer could still download it. how can i prevent this from happening??
this is the php code
<?php
$path="picture/check/";
$filename = "checks.png";
$actualfilename=$path.$filename;
$fakefilename="checks.png";
$num = 1;
if( $num == 1 ){
#readfile($actualfilename);
header('Content-type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $fakefilename . '"');
header('Content-Transfer-Encoding: binary');
header('Content-Length: ' . filesize($actualfilename));
header('Accept-Ranges: bytes');
exit;
}
and the folder is located in this folder
from website experiment 1
htdocs/experiment1/index.php/picture/checks.png
i can download checks.png using the code above if i put it in the index.php
but i could still download the check.png even from a different folder
htdocs/downloads.php (it contains the php folder above but with path:/experiment1/picture/checks.png)
this mean that when my website is online people could just create a php file and then he/she can give download the file in picture folder if they know the path to the actual file. i want to know how i can prevent this from happening i have tried using htaccess command Deny from all but it does not block php file from downloading it only block access if put the link in the browser please help its important
I have a set of tar.gz files inside a folder protected against http access via .htaccess. I wish to allow direct curl downloading of these files via http. I have done this to things like images by setting the header information to something like:
$file='/some/file/protected/by/htaccess.png';
header("Content-type: image/png");
readfile($file);
My question:
Is there a way to provide direct access to these tar.gz files in a similar manner to the way I did it with images?
The reason I would like to do it in this way is that I would like to control access to which users can access these files by our site's login system.
Edit: as pointed out by Machavity, my code was pointing at a jpg, and had a png header.
For tar.gz
$filename = 'path/to/your/file.tar.gz';
header('Content-Type: application/x-compressed');
header("Cache-Control: no-store, no-cache");
header('Content-Disposition: attachment; filename="' . basename($filename) . '"');
header('Content-Length: ' . filesize($filename));
readfile($filename);
I have a code which force download a pdf file. Code below
$file_name = 'Bv_Ebook.pdf';
$file_url = 'http://' .$_SERVER['HTTP_HOST'].'/sites/default/files/'. $file_name;
header('Content-Type: text/html');
header("Content-Transfer-Encoding: Binary");
header("Content-disposition: attachment; filename=\"".$file_name."\"");
readfile($file_url);
This code works on our beta server and the pdf is downloaded and can be opened.
On our live server same code downloads the pdf but pdf file cannot be opened, it says:
Unable to open document
File type plain text document (text/plain) is not supported
I have gone though force download pdf and apache headers setting but nothing seems to work.
Any idea what could be the issue?
Check file permission using is_readable() to check if the file is accessible or not. If accessible then check below :
Can you please try to modify your headers to the following:
//We'll be outputting a PDF.
header('Content-type: application/pdf');
//PDF name.
header('Content-Disposition: attachment; filename="'.$file_name.'"');
Then do a file read or what ever, in my case I have used file_get_contents(file_path) + echo to display the content and worked as a charm.
Hi i have a problem with making a safe upload folder in a project.
The thing is that we have a file upload that everyone should be able to upload files to, but only the site administrator the site should be able to view the files later.
Is it possible making a folder non readable, but accessible from a php page?
The server is a linux inviroment
There's actually several ways to do this.
Apache configuration (you may restrict access to certain directory by IP security, or HTTP authorization), see: allow,deny and apache authentification
Save files to directory which is not accessible via website and write your own php directory listing and file download, via readfile
Upload file to directory which will be accessible only via "secret" ftp/sftp.
The simple answer to this is to place the files in a directory outside your web root, and built a page to view the directory that requires an administrator auth to access.
If the files are outside your web root, they cannot be directly accessed with a /path/to/file.ext type URL.
In cases like this, I would locate the folder outside the document root, or restrict it's access via Apache directives.
Then, using the PHP and checking access credentials, output the file using readfile()
Here is an example from the manual
if (file_exists($file)) {
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename='.basename($file));
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate');
header('Pragma: public');
header('Content-Length: ' . filesize($file));
ob_clean();
flush();
readfile($file);
exit;
}
?>
I'm trying to create a file download page. This page when requested should prompt the user to download a file. Here is the source code for the page:
<?php
header('Content-disposition: attachment; filename=zip.zip')
header('Content-type: application/zip');
readfile('zip.zip');
?>
This works ok.
The problems starts when I want to move the file zip.zip from the folder where this script is in. I tried using relative and absolute URLs but I always get strange results,
the browser still prompts for file download but somehow it's just an odd file name converted from the URI I supplied somthing like ".._.._files_zip.zip instead of ../../files/zip.zip.
Any suggestions why this happens?
Thanks
Use basename to get just the file name:
$file = '../../files/zip.zip';
header('Content-Disposition: attachment; filename='.basename($file));
header('Content-Type: application/zip');
readfile($file);