I want to create file sharing platform but php has some bug about it.I just use fread to get text of any file (exe,pdf,docx,ppt and etc) then I create text file with random name and with .txt extension.So when user want to download this file ,I create random folder and inside of that folder I create file which has same text that user want to download , and then I give extension which is same as user uploaded version of file and force user to download it.
But when user download file,for example zip file and then if user wants to open , it says failed to open because not supported format.This happens when I try to do this with docx,pdfs,zips and that kind of files (not txt,html,css,c files).
Example : I force the user to download with same extension that he uploaded, for example if user uploaded zip file,I read the text with fread then save this text in the db or text file,and then if user wants to download that file, I just create file and give it zip extension, then force the user to download it,but once user upload this file then if user want to open it fails, but it should open zip file because content text of this file is exact same as user uploaded to the server
Answer should contain:
1)Why this happens?How to fix it?
2)What is the ideal solution?
3)is it safe to do this?
This happens, because windows knows the app to open file file just from the extension. If you rename the file to something.txt, then the editor always wants to open it.
There's no such thing as an ideal solution. A soltution would be to store the file with the original name (maybe at some unique part to prevent duplicates) in a non public readable directory without execution bit set. To access the file, you could create a proxy script, which returns the file and appens a should download header (and maybe the original filename).
Its as safe, as you implement it. Your current solution could be safe, the solution I posted could be safe - but without knowing the details, how you implemented it, nobody knows, if it is actually safe.
It happens because you are opening binary files like a zip file and storing it in a text file then streaming it with the zip extension again.
The ideal solution would be to use one of the 1 million open source file managers out there with proven records and big developer communities. But if for some reason you want to build your own, save the files in a safe folder outside your public folder. store the path in a database of choice together with the public path you will show your users. Upon request use the public path to map to the private path and start the download yourself.
Is as safe as you make it, but nothing is 100% safe so if you are storing sensitive data use something that is well build and documented
Related
So essentially I want to insert the Path into my Database, as a string, I am not interested in uploading it - I just want local users to browse to the file then submit the form and the path to the file is added as a string. So when I echo this out into a url, people on the network can click the link to download it from the network location.
$location = fopen($_FILES["location"]["tmp_name"], 'r');
I've tried the above but I guess the file needs to be uploaded for it to get the path.
Any ideas?
Unfortunately PHP will not help you with this as it requires you to actually upload the file.
Likewise, as was mentioned in the comment you are not able to get the local file path either from the form. This is a browser standard and is done for security purposes. You can read more about it here: https://stackoverflow.com/a/4176605/8518859
The only solution in your case is to provide a text input and ask the user to paste the network path to the file. Perhaps if you provide them simple instructions on how to get the network path it will make their task easier.
I have a recursive function which generates about 200.txt files. I am running this application on a local server.
Basically, the front end just has a file upload field, which you just choose a .csv, which it then generates all the .txt files from that, but rather than saving them on the wamp server, is it possible to save them in a specific location?
Example, if I put another field in my front end called 'fileLocation', and the user types in the pathname.
Obviously i'd have to check if it's a directory etc, but is this possible to say save all the files on:
/Volumes/computer/Users/username/Desktop/test/
I'm not sure where to proceed with this.
No, is not possible to access computer files this way by using a localhost. You could zip all files and make the browser download them. Like is described here
I have to check the Content of a zip/rar file before uploading to the server.
Let me explain the scenario.
There are 2 types of users in my web project:
1: Normal Registered user
2: Administrator of the Project
Any Registered user can Create Pages on our Project,also they can create Themes For Pages.
Here one of us suggested a feature that to upload the Theme as theme pack [Compressed in Zip/Rar File].
If it is a Administrator then it is ok,there is no more security constraints.
But i am afraid in the case of Normal Registered Users.
My Problems are :
Assume that a Registered User uploading a theme pack that contains some malicious Files [Including PHP file] that may hurt the system.
I know that it is posible to check the Contents after upload,but what will happen if the use executed the File before that?
Ex : a user uploading a theme pack : contains some PHP codes & other large files,First our system will extract the content of the Theme Pack: Assume that the extraction of large files takes some time,and the smaller PHP file already extracted.So that the user can RUN the PHP file First.
The above one is my noob soubt,Actually i dont know other sides.
Please help me to figure out this problem.
Is it possible to upload the ZIP file in a secure manner ?
You won't be able to check this client side unless, of course, you had some kind of plugin (for all browsers) that did the checking/uploading for you. You'll have to handle this on the server side.
Also, Admins can upload viruses just as easily as non-admins. Some user's don't even know their machine has more viruses than a shanty-town brothel.
EDIT: Also, how is the user going to execute their PHP file on your server before you've checked it unless you run that php file? This sounds like a recipe for disaster anyway. All it will take is for something to slip through the cracks and a malicious user will destroy your site. Allowing normal people to upload executable script to your server is asking for serious trouble.
Unpack it in directory, which can't be reached through the web, check, then move back to web-folder, where it should be.
Assuming that you have your website in directory /var/www/website and user content goes to /var/www/website/user and is reachable through www.website.com/user/ :
Create temporary dir in /tmp unpack there, check, move to /var/www/website/user
If you don't have access to /tmp, you can create /var/www/website/tmp and prohibit access to it using your server settings
you can create a folder for putting the zip file and unzip.
and disable the php execute for the folder. that can solve your problem
Is there any way to upload multiple files using a single file?...basically i want to upload multiple pdf files at once, using one single file that contains the path to each one of the pdf files...and store the information to mysql database...
PS: i dont want to merge all the files into 1 huge pdf...i want each 1 of pdf file to be uploaded to server dir at once and then store the file info to database eg. path, file info, filename for later use..
In order for a file to be uploaded, the user has to select that file manually. It's a security measure (otherwise websites could examine arbitrary files on your computer without your knowledge, which would be bad).
No - Because it would break the Javascript sandbox model (i.e. would be a security problem).
For security concern, it's hard to do this by javascript, which means you will have the access to others local files.
Why not just pack them up into a zip file then unzip on the sever side?
I have a problem regarding to prevent download and saving of uploaded files.
My users can upload multiple files types like doc, pdf, ppt,etc....
This all file types are easily download if any one have url.
So what is the better way to prevent the download of the file.
Or i convert the uploaded files to some specific format which can not download easily (e.g flash)..
I am running on php and mysql.
Thanks
Avinash
You have two options in this regard. The first is to move the files, through a PHP script, to a server-side folder outside of the server's web directory. The second is to store the files in a BLOB column in a MySQL table. Both will prevent users from accessing the files directly, without the need to convert the file to a not-so-easily-downloaded format.
Upload the files outside of your document root. For example:
/var/username/uploads/file.docx
where your document root is
/var/username/public_html/index.php
So they can't be accessed directly. And then if you want to allow downloads, create a PHP file called "download.php" that does something similar to:
$data = file_get_contents('/var/username/uploads/file.docx');
header('Content-Type: application/docx');
header('Content-Length: '.strlen($data));
header('X-Content-Type-Options: nosniff');
echo $data;
and obviously you can add checks to see if the user has the proper permissions to download this particular file or is logged in.
A solution can be to set a user and a password to the upload folder, so only the users that know authentification details can download files.
Check next link for learn how to make htpasswd files on your server folders:
http://httpd.apache.org/docs/1.3/programs/htpasswd.html