I want to make a website, which only allows authentic users to download files from the browser. And any one else cannot download the file.
I have uplaoded the files with 000 access, which will restrict the users, but how to give permissions only to authentic users.?
Can anyone help me with it?
You don't need to give a link to physical folder of a file. You may emulate it with such code(example of png):
header("Content-Type: application/octet-stream; ");
header("Content-Transfer-Encoding: binary");
header('Content-Disposition: attachment; filename="name.png"');
readfile($fileaddress);
Related
In Joomla auto updater the file is requested from one domain
http://download.abc.com/?ext=addmenu&src=core&pro=1&file=update.zip
which then downloads a different file
/mnt/storage/vhosts/newdomain.com/httpdocs/tmp/addmenu-v1.1.4.zip
I've been trying to mimic this effect by calling a file release.php which is
header("Location: /addmenu/updates/com_addmenu.zip");
but it just downloads release.php and not com_addmenu.zip
I've also tried it with
header('HTTP/1.1 307 Temporary Redirect');
before the header(Location
But I can't get it to work this way. I'm guessing that I'm not able to substitute one file for another but I'm hoping someone can help.
thanks
I understood that you have a zip file on your server which shall be downloaded under a different name by the visitor's browser when s/he opens up your webpage.php.
<?php
$file_url = '/addmenu/updates/release.zip';
header('Content-Type: application/octet-stream');
header("Content-Transfer-Encoding: Binary");
header('Content-disposition: attachment; filename=com_addmenu.zip');
readfile($file_url);
following issue:
I have a large file on my server (~2GB).
A user who is logged in to my site can download this file from my server.
Unfortunately my server is not that strong. When many user downloading this file simultaneous they will all have very poor dl speed.
So I uploaded the file to google drive and generated a direct download link:
http://googledrive.com/host/[FILE_ID]
My code:
<?php
$remoteFile = 'http://googledrive.com/host/[FILE_ID]';
$filename = basename($remoteFile);
header("Content-Type: application/octet-stream");
header("Content-Disposition: attachment; filename=\"$filename\"");
echo file_get_contents($remoteFile);
?>
My question: is file_get_contents() really bypassing the dl or is this file going thru my server? If so, that makes no sense :[ ]
Generate a unique google drive share link after every download, so that only your authenticated users can download, and links may not be used more than once.
I'm using the following to force download of MP3 files:
http://www.aaronfagan.ca/blog/2014/how-to-use-php-to-force-a-file-download/
Basically using PHP lines to force a download
<?php
if ($_GET['id']) {
$file = $_GET['id'];
header("Content-Description: File Transfer");
header("Content-Type: application/octet-stream");
header('Content-Disposition: attachment; filename="'.basename($file).'"');
header("Content-Length: ".filesize($file));
readfile($file);
}
else {
header('Location: http://www.mywebsite.com/error/');
}
?>
Am I correct to understand that anyone that knows how it works could basically download any files on any website with this?
For example, if I place that file in the root of mywebsite.com, anyone with knowledge could use a link like the following to download any file anywhere?:
http://www.mywebsite.com/download.php?id=http://www.anywebsite/files/file.pdf
Or would it only work on my website?
The files I want users to be able to download are MP3 files, would there be a way to "restrict" the type of files the "download.php" would process? so this way the "Content-Type" be set to something for only MP3 files, this way the "hack" would be restricted?
For example if I place that file in the root of mywebsite.com, anyone
with knowledge could use a link like the following to download any
file anywhere?:
http://www.mywebsite.com/download.php?id=http://www.anywebsite/files/file.pdf
If permissions open for http://www.anywebsite/files/file.pdf (it means you can open/download file.pdf with browser) you can download it remotly with your script (but as I now basename uses for local paths),
but usually permissions denied for direct download (you can close permissions too).
Also if you want you can add captcha to your download method to disable grab
Thanks.
Your code works only on your website.
For serving resources from other servers you can use this script Resource-Proxy.
Good Luck
I have some images and pdf file on my server which I use in my website
The path to the images is
<img src ='/import/folder/image.jpg'>
Every image is associated with a pdf which resides with the image like the pdf for the above image will be at /import/folder/pdffile.pdf
the image source is visible to users
when some one view the source of page and copy the image source and paste in url after my base url
let suppose my base url is localhost.com
if some one manually write localhost.com/import/folder/image.jpg he can access my whole images and pdf file even my whole file system
How can I prevent users from accessing my file structure ?
I am using php and codeigniter
Thanks in advance
he can access my whole images and pdf file
this is how the web works.
even my whole file system
not whole of course but only files that you put into public access folder
How can I prevent users from accessing my file structure
they don't have an access to your file structure but to the public folder only.
you can't prevent users from accessing public folder because your site will stop working.
you have to ask more certain question, why and which files you want to secure.
In this case its difficult to prevent that people download your images. When you use "/import/folder/" its a public folder on your webspace. You can save the path with .htaccess.
For Your PDF files you could deliver the PDF File over php.
Get PDF 123
In the script you can check if the user has the rights to download the file and wheather the file exists and return the PDF as application/pdf output.
header('Expires: Thu, 19 Nov 1981 08:52:00 GMT');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: no-cache');
header("Content-Type : application/pdf");
header("Content-Disposition: attachment; filename=".$filename.".pdf");
Then the people can download the file. But in this case you have to save PDF is theirs.
Edit:
Then put the .htaccess to the folder with
deny from all
<FilesMatch "\.pdf$">
Order Allow,Deny
Deny from all
</FilesMatch>
Depending on what your server capacity is and how big the files are, you could do the following:
Stream both - the JPEG and the PDF file using what I call a "data-proxy" - a PHP script that reads the file content and streams it back to the browser, like (be careful to set the correct content type) (similar to what Stony proposed, although he left the readfile() part out):
$file_path = $download;
header('Content-Description: File Transfer');
header('Content-Type: audio/mpeg');
header('Content-Disposition: attachment; filename="'.$_GET['file'].'"');
header("Content-Transfer-Encoding: binary");
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
header('Content-Length: ' . filesize($file_path));
ob_clean();
ob_end_flush();
readfile($file_path);
exit;
Obfuscate the files. Make the filenames something like md5($filename.$salt) and remove the file extension. If you have the files in different folders (like /images and /pdf)) you don't need the extension for the streaming as you only read the content of the file. You could also place them outside the accessible web space (I think you need open_base_dir for this), thus no one except you would be able to access them. Use .htacces to further restrict access to the files as described in other answers.
Employ a session for the above script so only logged in users get the streaming.
Encrypt the files - you could encrypt the whole content of the files. So even if someone would get the file content, it would be encrypted. You can decrypt them just before streaming. If you employ a secure encryption algorithm this should be quite secure. However, this depends to the file sizes and the server capacity to a large extent as I suppose encrypting the whole file could be a problem if it's a large one.
Make the PDFs password protected. Although not really secure as it can be easily removed, it makes basic users run against the wall... You can do that on the server side too with an automated script.
Put Options -Indexes in a .htaccess file you place in localhost.com/import/folder/ (or higher up the document tree). This will disable access to the file structure in localhost.com/import/folder
Preventing users from accessing your files is something different, like Stony suggested, you can stream the files using php.
Edit: I saw your comment about people "guessing" the url of an image. You could store all the images with an encrypted filename. Something like an md5 hash of the filename and the uploadtime combined. Then store those encrypted names in a database table...
You can use this in the .htaccess
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://your_site_url/.*$ [NC]
RewriteRule \.(jpg)$ - [F]
This will prevent the direct access of the images, but the images will be vissible in your website
Hi i have a problem with making a safe upload folder in a project.
The thing is that we have a file upload that everyone should be able to upload files to, but only the site administrator the site should be able to view the files later.
Is it possible making a folder non readable, but accessible from a php page?
The server is a linux inviroment
There's actually several ways to do this.
Apache configuration (you may restrict access to certain directory by IP security, or HTTP authorization), see: allow,deny and apache authentification
Save files to directory which is not accessible via website and write your own php directory listing and file download, via readfile
Upload file to directory which will be accessible only via "secret" ftp/sftp.
The simple answer to this is to place the files in a directory outside your web root, and built a page to view the directory that requires an administrator auth to access.
If the files are outside your web root, they cannot be directly accessed with a /path/to/file.ext type URL.
In cases like this, I would locate the folder outside the document root, or restrict it's access via Apache directives.
Then, using the PHP and checking access credentials, output the file using readfile()
Here is an example from the manual
if (file_exists($file)) {
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename='.basename($file));
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate');
header('Pragma: public');
header('Content-Length: ' . filesize($file));
ob_clean();
flush();
readfile($file);
exit;
}
?>