i have create a website in my localhost using php and i put a htaccess file within my picture folder to prevent direct access to the file through the browser. in htaccess i put this Deny from All to protect my picture folder, it does prevent me from accessing the file in the folder if i type the direct link to the file in my browser but when i use php force download and set the path to the folder and the file name my computer could still download it. how can i prevent this from happening??
this is the php code
<?php
$path="picture/check/";
$filename = "checks.png";
$actualfilename=$path.$filename;
$fakefilename="checks.png";
$num = 1;
if( $num == 1 ){
#readfile($actualfilename);
header('Content-type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $fakefilename . '"');
header('Content-Transfer-Encoding: binary');
header('Content-Length: ' . filesize($actualfilename));
header('Accept-Ranges: bytes');
exit;
}
and the folder is located in this folder
from website experiment 1
htdocs/experiment1/index.php/picture/checks.png
i can download checks.png using the code above if i put it in the index.php
but i could still download the check.png even from a different folder
htdocs/downloads.php (it contains the php folder above but with path:/experiment1/picture/checks.png)
this mean that when my website is online people could just create a php file and then he/she can give download the file in picture folder if they know the path to the actual file. i want to know how i can prevent this from happening i have tried using htaccess command Deny from all but it does not block php file from downloading it only block access if put the link in the browser please help its important
Related
My website is build in PHP and i integrated stripe payment. If user payment through stripe is successful then i need to open a PDF file which is hosted
on same server where code is running.
Below is the code i am using to open PDF file:
$file = 'test.pdf';
$filename = 'test.pdf';
header('Content-type: application/pdf');
header('Content-Disposition: inline; filename="' . $filename . '"');
header('Content-Transfer-Encoding: binary');
header('Content-Length: ' . filesize($file));
header('Accept-Ranges: bytes');
#readfile($file);
I don't want test.pdf file to be accessible directly. So if i change permissions of test.pdf to 777 then code runs and opens PDF file but it also enable anyone to open file through direct link. If i change permissions so that access to this file is restricted to code files then it is not opening the pdf file. How can i achieve this so that PDF file can be opened after successful stripe payment but not through direct URL.
You can prevent the direct access of the file by a .htaccess (or vitual host configuration) with a 'Deny from all'. The 'readfile()' will work if the server user (www-data for example) has the read and execute rights on the pdf
I'm using the following to force download of MP3 files:
http://www.aaronfagan.ca/blog/2014/how-to-use-php-to-force-a-file-download/
Basically using PHP lines to force a download
<?php
if ($_GET['id']) {
$file = $_GET['id'];
header("Content-Description: File Transfer");
header("Content-Type: application/octet-stream");
header('Content-Disposition: attachment; filename="'.basename($file).'"');
header("Content-Length: ".filesize($file));
readfile($file);
}
else {
header('Location: http://www.mywebsite.com/error/');
}
?>
Am I correct to understand that anyone that knows how it works could basically download any files on any website with this?
For example, if I place that file in the root of mywebsite.com, anyone with knowledge could use a link like the following to download any file anywhere?:
http://www.mywebsite.com/download.php?id=http://www.anywebsite/files/file.pdf
Or would it only work on my website?
The files I want users to be able to download are MP3 files, would there be a way to "restrict" the type of files the "download.php" would process? so this way the "Content-Type" be set to something for only MP3 files, this way the "hack" would be restricted?
For example if I place that file in the root of mywebsite.com, anyone
with knowledge could use a link like the following to download any
file anywhere?:
http://www.mywebsite.com/download.php?id=http://www.anywebsite/files/file.pdf
If permissions open for http://www.anywebsite/files/file.pdf (it means you can open/download file.pdf with browser) you can download it remotly with your script (but as I now basename uses for local paths),
but usually permissions denied for direct download (you can close permissions too).
Also if you want you can add captcha to your download method to disable grab
Thanks.
Your code works only on your website.
For serving resources from other servers you can use this script Resource-Proxy.
Good Luck
Hi i have a problem with making a safe upload folder in a project.
The thing is that we have a file upload that everyone should be able to upload files to, but only the site administrator the site should be able to view the files later.
Is it possible making a folder non readable, but accessible from a php page?
The server is a linux inviroment
There's actually several ways to do this.
Apache configuration (you may restrict access to certain directory by IP security, or HTTP authorization), see: allow,deny and apache authentification
Save files to directory which is not accessible via website and write your own php directory listing and file download, via readfile
Upload file to directory which will be accessible only via "secret" ftp/sftp.
The simple answer to this is to place the files in a directory outside your web root, and built a page to view the directory that requires an administrator auth to access.
If the files are outside your web root, they cannot be directly accessed with a /path/to/file.ext type URL.
In cases like this, I would locate the folder outside the document root, or restrict it's access via Apache directives.
Then, using the PHP and checking access credentials, output the file using readfile()
Here is an example from the manual
if (file_exists($file)) {
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename='.basename($file));
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate');
header('Pragma: public');
header('Content-Length: ' . filesize($file));
ob_clean();
flush();
readfile($file);
exit;
}
?>
Lets say I have a plain text file example.txt and I have a PHP script on my web-server readfile.php.
What I want to be able to do is to prevent users from typing http://www.example.com/example.txt and looking at the text file directly but I still want people to be able to load http://www.example.com/readfile.php which reads from the file example.txt and does something with it (possibly displays the contents of the file).
Also, if this can be done, what is the best way to do it?
Yes, this is easy to do.
There are two main ways to stop users from accessing example.txt. The first is to put it in a folder outside your web folder (Usually called www or public_html), the second is to put a .htaccess file in the folder with your example.txt script which blocks access to the file altogether. The .htaccess would look like
<files "example.txt">
deny from all
</files>
But you could change example.txt to something like *.txt if you wanted to block all .txt files in the folder.
Then you can use file_get_contents() in your readfile.php to get the contents of the text file, or if you just want to output the file you can use readfile
Just store the files you don't want publicly accessible outside the webroot.
/home
example.txt
/www
readfile.php
If /home/www/ is your public webroot folder, any file above it is not accessible through the web server. readfile.php can still access the file perfectly fine at ../example.txt though.
If you need to store the files in the webroot, then put the files in a folder and deny access to that folder. If you are using apache, make a .htaccess file in the folder and type in deny from all
I've done something similar where the files contain extremely sensitive information and I only want validated users to be able to retrieve the file through an HTTPS connection.
What I did was this:
I put the files in a directory path that is outside the scope of what the web server (Apache, for me) can see. Therefore, there are no possible URLs that will result in the file being served up directly by the web server. Then I created a script that allows users to login, click on the file they want, and then the PHP script reads the file, puts the appropriate headers, and then streams the file to the user's computer.
Of course, the script that shows the user the list of files and the script that streams the file out to the user must have at least read access to the files in the path where they are being stored.
Good luck!!
You can put the file "example.txt" outside of the public folder and read from readfile.php like $content = file_get_contents("../example.txt");
You can call a file like this and the people don't see the filename:
<?php
$file = 'example.txt';
if (file_exists($file)) {
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename='.basename($file));
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
header('Content-Length: ' . filesize($file));
ob_clean();
flush();
readfile($file);
exit;
}
?>
(source: php.net)
Would that work for you?
Quick hack - rename your file to ".cannotReadFileWithDOT". he server will close reading files with a dot at the beginning of the name, but your scripts will be able to read them. The plus is that the apache and nginx servers out of the box are configured to prohibit reading files with a dot at the beginning of the name.
I'm trying to create a file download page. This page when requested should prompt the user to download a file. Here is the source code for the page:
<?php
header('Content-disposition: attachment; filename=zip.zip')
header('Content-type: application/zip');
readfile('zip.zip');
?>
This works ok.
The problems starts when I want to move the file zip.zip from the folder where this script is in. I tried using relative and absolute URLs but I always get strange results,
the browser still prompts for file download but somehow it's just an odd file name converted from the URI I supplied somthing like ".._.._files_zip.zip instead of ../../files/zip.zip.
Any suggestions why this happens?
Thanks
Use basename to get just the file name:
$file = '../../files/zip.zip';
header('Content-Disposition: attachment; filename='.basename($file));
header('Content-Type: application/zip');
readfile($file);