Hi we have a web application with document repository in php and web server is apache. How can I prevent access to these documents file directly using url, so that only our users can acceess the documents after login. The url for accessing the documents is also being displayed in google search result.
Don't store your files in your web root. Keep them outside of your web root and refer to them via a PHP file. That file will authenticate the user to verify that you want them to be able to download the file and allow them to see it. Otherwise it will prevent the from occurring or load an error message instead.
HTML:
Download
Sample PHP (download.php):
<?php
if (!isset($_SESSION['authenticated']))
{
exit;
}
$file = '/path/to/file/outside/www/secret.pdf';
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename=' . basename($file));
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
header('Content-Length: ' . filesize($file));
ob_clean();
flush();
readfile($file);
exit;
?>
Related
if(file_exists($file_name)) {
header('Content-Description: File Transfer');
header('Content-Disposition: attachment; filename='.basename($file_name));
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
header('Content-Length: ' . filesize($file_name));
ob_clean();
flush();
readfile($file_name);
exit;
}
I'm trying to force download files in php server. I've provided my code and it works well when browsed with desktop browsers. I face downloading issues when I try to download files with mobile browser. In mobile, chrome browser throws me an error saying 'server problem' while firefox browser downloads the file with .htm extension. Although my default mobile browser downloads the file successfully. How can I achieve the functionality successfully irrespective of the browsers ?
I have tried to download file from server using below code but it not downloaded. It shows only content in browser
<?php
if(file_exists($zipName))
{
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename=\'Uttam_Solanki.zip\'');
header('Expires: 0');
header('Cache-Control: must-revalidate');
header('Pragma: public');
header('Content-Length: ' . filesize($zipName));
readfile($zipName);
exit;
}
?>
you need to change role in .htaccess
add application/octet-stream zip
your content-type must be `application/zip
here is a similar approach:
send zip file to browser / force direct download
How are you triggering this script?
If by link, maybe using download attribute would help?
Is there any way to provide a direct link to a file and force the browser to download it using PHP?
E.g http://www.website.com/directory/file.jpg
We're dealing with huge files here and Chrome in particular seems to have a problem rendering the image, so all the user sees is a blank screen when visiting the file directly. Even though they can still right-click in the blank screen and download the file it's confusing.
We used to output the files from PHP but we ran into memory problems so switched to providing a direct link instead. The files go up to about 5GB, they aren't all images. We have zips, PDFs, PSDs etc.
Currently, the file is requested through a PHP script which accepts the ID of the file and get its URL. The PHP script then redirects to the user to full URL of the file.
How can we ensure that downloads are forced and we don't run into memory issues with the larger files?
Thank you
Just use X-Sendfile but you need to configure it first ... using XSendFilePath
if (file_exists($file)) {
header("X-Sendfile: $file");
header("Content-Type: application/octet-stream");
header(sprintf("Content-Disposition: attachment; filename=\"%s\"", basename($file)));
exit();
}
Note* Please ensure $file is properly escaped before you verify and serve the file
XSendFilePath only works on Apache for other servers please see : Caching HTTP responses when they are dynamically created by PHP
You need to set the headers for force download
$file = 'upload_directory_path/'.$image_name;
if (file_exists($file)) {
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename='.basename($file));
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
header('Content-Length: ' . filesize($file));
ob_clean();
flush();
readfile($file);
exit;
}
<?php
//file path
$file = 'monkey.gif';
if (file_exists($file)) {
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename='.basename($file));
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate');
header('Pragma: public');
header('Content-Length: ' . filesize($file));
ob_clean();
flush();
readfile($file);
exit;
}
I am currently creating a PHP website which allows administrators to upload a variety of documents (pdf,doc,docx,xls) which can then be downloaded at a later date. These can only be accessed by administrators after they have logged in. Up until this point to do this I have been storing files above the web root and then using PHP to access and serve the file via a PHP script hence preventing direct access to the files. This does work but never seems like an ideal way to do it as it's reliant on setting the correct headers via PHP for the file download which does not always give the correct results on all browsers. I can't really see any other way of doing it that would also stop the files being publically accessible if they knew where they were located.
What process would you usually use to store and serve files on a web server that should not be publically accessible?
Sample PHP:
<?php
if (TRUE === $_SESSION['logged_in']) {
}
$file = '/full/path/to/useruploads/secret.pdf';
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename=' . basename($file));
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
header('Content-Length: ' . filesize($file));
ob_clean();
flush();
readfile($file);
exit;
?>
I am having trouble uploading a file to the user from outside of "public_html" which is the folder that everyone has access to thru http. Ex. www.website.com/ everyhting after the / is public_html. I'm sure you all know what I'm referring to.
So I have this script that should read a file (sample.pdf) from (server perspective) /images/protected/ but PHP won't find my file. Am I doing this wrong?
<?php
$file = '/images/protected/sample.pdf';
if (file_exists($file)) {
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename='.basename($file));
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
header('Content-Length: ' . filesize($file));
ob_clean();
flush();
readfile($file);
exit;
} else {
echo "404 - FILE NOT FOUND!<br />\n";
echo "File: $file";
}
?>
Every time I execute this script I get the 404 - FILE NOT FOUND!<br />\n instead of a file download.
You have to supply the absolute system path. Currently, you're requesting a file at /images/..., rather than /var/www/hosts/whateverdomain/images/....
$file = $_SERVER['DOCUMENT_ROOT'].'/images/protected/sample.pdf';
If your file is really located at /images/protected/, make sure that you have sufficient permissions to read that file.
Turns out I am on shared hosting so the right "root" path for my website was /home/me/