When I create a TXT file with fputs(), usually it goes into the "downloads" directory, set in the browser settings. The question is how do I get the directory path of the downloaded file.
$archivo="customers.txt";
$file = fopen($archivo,"wb");
fputs($file,$contenido);
fclose($file);
header('Content-type: text/csv; charset=ansi');
header("Content-disposition: attachment; filename=$archivo");
print $contenido;
Simply put, the server is never allowed to know because the browser will never report it back. Doing so could lead to the browser leaking private information about the user without that user's consent.
Additionally, the server cannot force a user to save a file to a specific location. Again, this is for security reasons. Otherwise a server could force you to save a file to your computer's startup location.
Related
Im using fopen to let users download a audio in the code below as the code attribute doesn't always works in all situations and browsers.
Does this downloads the file to my server temporarily or lets the user download it from the external sourced
<?php
$file=fopen('link','r');
header("Content-Type:audio/mp4");
header("Content-Disposition: attachment; filename='example.m4a' ");
fpassthru($file);
?>
All the data will be read (from wherever the file handle points) by your PHP program on your server. That may involve copying data from a remote URL to your server. That data may exist entirely in RAM. It may hit swap space on the disk.
The PHP program then outputs it to the browser.
The browser never has direct access to 'link'.
Suppose I have a device that knows the name of a file they want to download from my server.
How can I transfer said file to that device without giving the device access to the file system?
For example, suppose I have a page ping.php which receives a get request for "something.zip"
ping.php knows the location of something.zip (somewhere on the server's file system), but I can't allow the user access to the file system, or allow them to know the location of the file (it even needs to be hidden from somebody using something like wireshark).
How can I solve this problem?
It might be an easy solution, I'm just not extremely well versed in these matters.
If it makes any difference I'll be using an Apache server on a Linux box.
You can create a PHP script to facilitate the file transfer while the file is sitting in a folder that is not accessible via the Web. This is how I commonly handle file downloads on my system.
There are any number of sample scripts that you may use to do the actual file transfer. The key is to put that file outside the web-accessible file system.
For completeness, here's some code I've used in the past to do a file download in PHP:
$filename="filetodownload.xyz";
$cf = realpath("/non-webaccessible-folder/".$filename);
$file=$cf;
header('Content-Disposition: attachment; filename="' . basename($cf) . '"');
header("Content-Length: " . filesize($cf));
header("Content-Type: application/octet-stream");
readfile(realpath($cf));
I made an upload form and stored files in (root) '../upload_file' folder
the problem is how authorized (logged in) user only can download that uploaded files? because browser cant handle root url like: www.web.com/../upload_file/test.pdf
please Im newbie
thanks :D
Ok, I want make this clear. Actualy my question is similar to: How to go about protecting files from unauthorized downloads
where is unsolved
You need to create a php script that will authenticate the user and then output the contents of the uploaded file in the php script. Make sure you do not echo anything out before setting the headers of the output file. There should be code somewhere on how to load the contents of a file into a variable.
$fileContents = file_get_contents("test.pdf");
header("Cache-Control: public, must-revalidate");
header("content-disposition: attachment; filename=test.pdf");
header("content-type: application/pdf");
header("content-length: " . strlen($fileContents));
//output file contents
echo $fileContents;
The users should never have access directly to the upload folder.
Access control depends on your server operating system and server, like Windows Server(IIS) or Linux(Apache, Ngix)...
The best way to protect the files from being visted from URL is to set the upload path outside your webroot.And the file will be only accessiable by your server.
UPDATE: how to access files by user
Create a php file named readpdf.php.
header("Content-type:application/pdf");
//if you just want to show the file on broswer, delete the line below
header("Content-Disposition:attachment;filename='downloaded.pdf'");
readfile("progit.pdf");
Read the file by visiting http://localhost/readpdf.php
I'm making a website that allows users to upload any kind of files. All the files are stored in a 'files/' folder. I want users to be able to see and download any of the files in that folder, but not execute them.
Some files, like JPG files, are easy: browsers have a built in system to display them, as we all know.
Other files, like PDF files, cannot be displayed directly, so what browsers do is prompt the user a download screen. Thats fine too.
However, other files, like PHP files, pose a problem. When I open one such file, if I am not careful, it gets executed. For example, if the file contains
<?php echo 'ok'; ?>
then when I go to 'files/myphpfile.php', what I see is just 'ok', and not the contents of the file. This will happen not only with PHP files, I presume, but also with any other file types that my server can execute (for example ASP files, I suppose).
What I need is to prevent users from executing the files, so that when they go to 'files/myphpfile.php', they either see the file contents, or the browser prompts them the download screen. Ideally it would be a general solution, that would not require me to construct a list of every file type executable by the server.
To me, the most reasonable approach was to set the file permissions to 644, so that users could only read the files. But after doing so, the PHP files keep getting executed.
To download:
header('Content-Type: text/plain');
header('Content-Disposition: attachment; filename=somefile.php');
header('Pragma: no-cache');
readfile('/path/to/somefile.php');
To display:
echo htmlspecialchars(file_get_contents('/path/to/somefile.php'));
UPDATE
When I open one such file, if I am not careful, it gets executed
That's why you don't have a direct link to the file. I.e. the files should not get uploaded to a location somewhere inside the document root. If the files are uploaded to a directory outside the document root people cannot access it directly by URL, e.g.: http://example.com/files/somefile.php.
This will happen not only with PHP files, I presume, but also with any other file types that my server can execute (for example ASP files, I suppose).
You are the only one who can tell what files may be dangerous. We cannot know whether you have some server which also serves (and parses) asp files nor what other potential dangerous files may be on there.
What I need is to prevent users from executing the files, so that when they go to 'files/myphpfile.php', they either see the file contents, or the browser prompts them the download screen.
See my already provided solutions above.
To me, the most reasonable approach was to set the file permissions to 644, so that users could only read the files. But after doing so, the PHP files keep getting executed.
This is because PHP files are not getting executed. They are only being parsed (i.e. being read by the webserver).
So basically you need to find out what are the possible dangerous file types (also think about other files that may get parsed by PHP e.g. .phtml or what not). Users shouldn´t be able to call executables anyway through a HTTP request. Because when I would do http://example.com/run-virus.exe it never gets executed on the server, but it only requests the file.
I solved the problem by displaying the files through a script, and not directly from their real location. The script was taken from an answer to a previous question of mine.
$fileinfo = finfo_open( FILEINFO_MIME_TYPE );
header( 'Content-Type: ' . finfo_file( $fileinfo, 'files/' . $filename ) );
finfo_close( $fileinfo );
readfile( 'files/' . $filename );
So now users that want to see 'files/myfile.php' must go to 'open/myfile.php', and the script above will prompt them the download screen, or display the file in the browser, if the browser is able to do so.
I'm building a script that will save an image from the web to the user's computer. This is what I've learned, so far:
$url = 'http://example.com/my-image.jpg';
$img = '/my/folder/my-image.jpg';
file_put_contents($img, file_get_contents($url));
Is this the right way to do this? If so, how would I get the path to, say, the downloads folder, in the user's machine?
You can't. The Downloads folder is a browser-specific location that only the user has control of. The file will download to the folder that is specified by the user.
Use readfile along with header to force a Save As... dialog to appear.
<?php
header('Content-disposition: attachment; filename=image.jpg');
header('Content-type: image/jpeg');
readfile('/server/path/to/image.jpg');
?>
If so, how would I get the path to, say, the downloads folder, in the user's machine?
You can't store contents on the user's computer this way, only on your local server.
You need to serve the file as a download, which the user can then "Save as..." in their browser.