I have a wordpress site where people buy access to downloads through the woocommerce plugin.
There are usually several thousand downloads for each order and I have found woocommerce to be inefficient when handling large amounts of downloads.
The download files are like this
product1_date.pdf
product2_date.pdf
etc...
I can't change this
I need a PHP solution which
Admin can upload files to a directory via FTP
Users who buy a product can download them in their download area
Users cannot access files for products they haven't purchased by guessing the filename
1 and 2 I can handle, but how do I prevent 3? Is there a way I can set file permissions to only be read by a specific user who has purchased? Or would is it possible to make the directory writable by everyone (so they can be uploaded) but the files only readable by apache and serve the files to the user some other way?
First, you must stop hotlinks!
After, you create a downloader file contain of downloader function. This's parameters is file mime-type, file name, file url etc... Users can only download with this downloader file. Function is first control users access, after accept user want or not accept. RETURN
Related
i am using read file function to allow users to download files through a php page and i am blocked direct access to files with htaccess.but the problem is the files can't be downloaded with download managers like IDM and it says:"This site doesn't allow you to request twice for file ".
i am looking for a way to output the file to user and also let him use download managers!
I have a 2.5GB file that I want to allow users to download after they buy it. I originally planned on hiding the file and then just using readfile to dump the file's contents with .zip headers but my GoDaddy server apparently won't allow me to use readfile on such a large file, so I'm stuck with changing the name of this important file every hour. But if someone can just list all the files on my www folder anyway then people can take it without paying for it.
Any suggestions?
As long as you don't allow indexing of the directory then they can't obtain a file listing. To do that create a .htaccess file in the directory and add:
Options -Indexes
Alternatively, if the folder has an index page this will also prevent the server disclosing a directory listing and instead serve the index page.
if you have more than 5 gig host so use the php exec command to copy your file with another name
let say you keep your file with a unguessable name in a unguessable folder
so whenever the buyer confirm the order then you copy the file to a known folder with user-generated name, then pass the link to user
if your host is linux then use cp command if it's windows use copy
use something like cp oldname.ext newname.ext or copy oldname.ext newname.ext
after a certain time you will delete the file in the known folder
I have a client whose downloadable Magento products are videos that need to be both available for download, and be playable from the "My Account" area. I have everything set up correctly, but the Flash video player cannot access the files via the direct path, even though permissions are set to 777 for all of the files in the /media/downloadable/files/links/* area.
I realize that this is intentional on Magento's part as a security issue, but how can I override it? I didn't see anything in the .htaccess file that indicated that file permissions were being restricted, but perhaps I missed it somewhere.
Direct access to the downloadable files is blocked in media/downloadable/.htaccess :
Order deny,allow
Deny from all
I have to check the Content of a zip/rar file before uploading to the server.
Let me explain the scenario.
There are 2 types of users in my web project:
1: Normal Registered user
2: Administrator of the Project
Any Registered user can Create Pages on our Project,also they can create Themes For Pages.
Here one of us suggested a feature that to upload the Theme as theme pack [Compressed in Zip/Rar File].
If it is a Administrator then it is ok,there is no more security constraints.
But i am afraid in the case of Normal Registered Users.
My Problems are :
Assume that a Registered User uploading a theme pack that contains some malicious Files [Including PHP file] that may hurt the system.
I know that it is posible to check the Contents after upload,but what will happen if the use executed the File before that?
Ex : a user uploading a theme pack : contains some PHP codes & other large files,First our system will extract the content of the Theme Pack: Assume that the extraction of large files takes some time,and the smaller PHP file already extracted.So that the user can RUN the PHP file First.
The above one is my noob soubt,Actually i dont know other sides.
Please help me to figure out this problem.
Is it possible to upload the ZIP file in a secure manner ?
You won't be able to check this client side unless, of course, you had some kind of plugin (for all browsers) that did the checking/uploading for you. You'll have to handle this on the server side.
Also, Admins can upload viruses just as easily as non-admins. Some user's don't even know their machine has more viruses than a shanty-town brothel.
EDIT: Also, how is the user going to execute their PHP file on your server before you've checked it unless you run that php file? This sounds like a recipe for disaster anyway. All it will take is for something to slip through the cracks and a malicious user will destroy your site. Allowing normal people to upload executable script to your server is asking for serious trouble.
Unpack it in directory, which can't be reached through the web, check, then move back to web-folder, where it should be.
Assuming that you have your website in directory /var/www/website and user content goes to /var/www/website/user and is reachable through www.website.com/user/ :
Create temporary dir in /tmp unpack there, check, move to /var/www/website/user
If you don't have access to /tmp, you can create /var/www/website/tmp and prohibit access to it using your server settings
you can create a folder for putting the zip file and unzip.
and disable the php execute for the folder. that can solve your problem
I have read the following tutorial "Uploading Files To the Server Using PHP"
and have several questions related to the topics.
Q1> The tutorial mentions that
"Note that PHP must have write access
to $uploadDir or else the upload will
fail"
For me, I only allow the user to upload the file after the user has login to the website.
If we set that $uploadDir permission as 777, then everyone can have written permission to that folder. How to avoid this problems?
Also I am using WAMP as my testing bed, can I simulate the same case as a real web server?
Q2> In order to prevent Preventing direct access, the tutorial mentions:
"A better approach is to move the
upload directory away from your web
root. For example, the web root for
this site is:
/home/arman198/public_html/ to prevent
direct listing i can set the upload
directory to /home/arman198/upload/."
Now my problem is that how can I display the uploaded images on other website pages. Since, the upload is not accessible directly anymore? I need to display the uploaded image save personal headshot dynamically on other website page. Is it possible?
Thank you
It's a common problem.
All modern computers have a temporary files directory. On Linux/Unix it's /tmp, on Windows it's usually c:\temp. The OS install will have set permissions on that directory so that anyone can write files there but only privileged users can delete files that don't belong to them. This is where PHP will want to put an uploaded file; your application then has to move it elsewhere (this is the purpose of the move_uploaded_file() function). PHP under Windows may need upload_tmp_dir actually set in the php.ini file.
Once you have an uploaded file, you can shift it whereever you like, including to where the webserver can read it to serve it. The biggest problem with that it is awfully easy to put this directory inside your codebase. Don't do that. As soon as you do anything beyond editing the files inside the directory they are served from, it will be problematic. Trust me: I've dealt with a few times this in code I've inherited. It's easy to let your webserver load files from a location outside your codebase.
The other alternative is to produce a download script. That way the file need not be servable by the webserver at all. One disadvantage is that you don't get to leverage the web server's MIME translation, but then, that lets you control which types of image files are permitted.
For the second question, you can use a PHP script intead of direct access to the directory. Lets name it image.php. Lets assume that it can take a parameter id, like image.php?id=image_id. In that file you can get the id using superglobal array $_GET. Then you can search for images with that Id and just send it as response.
First one I'm not sure, but maybe play with .htaccess file.
And for the first question, try setting your permissions to 775. That should allow PHP to write the file to the directory without giving the general public write access.