Short version: How can I relocate to C:\Abyss Web Server\htdocs\database\pfs\max\files\public\sdf.png using header()?
Thorough version:
Currently I'm stuck with this piece of code:
header("Location: ".ROOT_URL."\database\pfs\\".$_GET["u"]."\\files\public\\".$c);
(Not completely in context, but it's not needed in this case, since I've managed to track the cause on my own).
$c is the filename, declared in context, and $_GET["u"] is the "owner's" name. ROOT_URL is defined as: define("ROOT_URL", "file://\Abyss%20Web%20Server\htdocs");, which simply is the path to the server directory (I've also tried with define("ROOT_URL", "C:/\Abyss%20Web%20Server\htdocs");, but there's no luck there either). Anyways, with this, I want the user to be able to download uploaded files by $_GET["u"]. The problem, though, is that I get a 404 error every time... And, from experimenting a bit, I've come to the conclusion that the header() function isn't handling the redirect well.
Not sure why this is happening exactly, but I assume that it has something to do with file:// or c:/. My server is currently hosted locally, and therefore I need to use these methods instead (for so long). Answer would be highly appreciated, as I've been stuck with this for a while now...
If it is a local file system link, you need to prepend the file:// protocol prefix:
header('Location: file://C:\\path\\to\\file');
If you omit that, the client (browser) will interpret it as http://C:\\path\\to\\file.
I went through related posts and found that turning on allow_url_include does the trick. However, when I did this:
remote file file.php at http://www.courierscripts.com
$content = file_get_contents('http://www.courierscripts.com/folder/file.php');
on my functions.php, was not able to use the functions of file.php. I also don't want to change my file.php to file.txt because everyone can see it.
Any other way?
If the file is on the same server, use an absolute or relative path to it, not a URL. Otherwise:
Short answer:
No, it's not possible.
Long answer:
Actually possible with conditions but I bet you won't like them.
It's obviously impossible if you don't have access to the target server (otherwise storing passwords in php config files like Wordpress does would be just one big security flaw).
First of all, file_get_contents returns a string. So you could eval it, but eval is very bad (you can search SO for the clues why).
OK, suppose you agree to eval what's coming from that server even after considering that someone might change the code and do whatever he wants on your machine. BUT you make an HTTP request that is handled by the server (Apache, Nginx or whatever else).
The server knows that *.php files should not be handled as static files. For example, fastcgi. You can turn that off, for example, with RemoveHandler in Apache. But that would let everyone see the source code of files you expose this way.
So, after removing handlers and evaling the result, you could get the result. But be ready that someone you work with will punch you in the face for doing that ;)
UPD
For code sharing, use Composer to create a package and use it as a dependency.
So I've never seen this before. I have an EC2 server (first time setting this up) using Debian Linux and Apache 2.2. Using a path like so /js/file.js is looking for http://js/file.js. On my local machine and my dreamhost shared server I don't have this problem. In fact I've never seen this problem on a server before. What it should do is look for http://domain.com/js/file.js. Does anyone have some idea of why this could be happening? I've poured over my php.ini file and don't have any hint at what I should change or add to fix this.
What kind of syrup did you "pour" over your php.ini file? It may have gummed up the works! ;)
Have you looked in the output HTML via your browser (View > Page Source), and what you're getting is http://js/file.js? Is that src="http://js/file.js" in a tag? Adding http://domain.com/ should be the work of the browser, not the server. Some browsers display URLs with the domain already added, while others show exactly what you sent to the page. Are you sending any tags that maybe are missing the domain? I think it's only supposed to apply to relative URIs, but it's worth checking. Did you actually use js/file.js or /js/file.js? They're very different.
Ok, so I figured it out. The problem was that on my local machine and on my other server I was not at the root domain so I was using $_SERVER['SCRIPT_NAME'].DIRECTORY_SEPARATOR."js/" to determine the root url to make an alias to the js files path. This returned /app/js/. This worked fine when the files were in a sub folder from the domain somewhere e.g. domain.com/app/js/file.js.
However once I was installing this app on my server and it was the root application $_SERVER['SCRIPT_NAME'].DIRECTORY_SEPARATOR."js/" was returning //js/. That was the problem! That is not the same as /js/. That was bypassing the domain as part of the url and instead telling the browser to look at http://js like it was a fully qualified url. I am assuming // is shorthand for http:// though I've never tried this before.
To fix this I hacked together this function based off of something in the Yii Framework, which is what I'm using for this application.
function getBaseUrl() {
    // Find which server variable actually holds the entry script's URL path.
    $scriptName = basename($_SERVER['SCRIPT_FILENAME']);
    if (basename($_SERVER['SCRIPT_NAME']) === $scriptName)
        $_scriptUrl = $_SERVER['SCRIPT_NAME'];
    else if (basename($_SERVER['PHP_SELF']) === $scriptName)
        $_scriptUrl = $_SERVER['PHP_SELF'];
    else if (isset($_SERVER['ORIG_SCRIPT_NAME']) && basename($_SERVER['ORIG_SCRIPT_NAME']) === $scriptName)
        $_scriptUrl = $_SERVER['ORIG_SCRIPT_NAME'];
    else if (($pos = strpos($_SERVER['PHP_SELF'], '/'.$scriptName)) !== false)
        $_scriptUrl = substr($_SERVER['SCRIPT_NAME'], 0, $pos).'/'.$scriptName;
    else if (isset($_SERVER['DOCUMENT_ROOT']) && strpos($_SERVER['SCRIPT_FILENAME'], $_SERVER['DOCUMENT_ROOT']) === 0)
        $_scriptUrl = str_replace('\\', '/', str_replace($_SERVER['DOCUMENT_ROOT'], '', $_SERVER['SCRIPT_FILENAME']));
    else
        throw new Exception('The App is unable to determine the entry script URL.');
    // dirname() gives "/" for a script at the site root; rtrim() reduces that to "".
    return rtrim(dirname($_scriptUrl), '\\/');
}
I hope this helps someone else.
I need to connect to a mysql database using PHP. I am storing my login, user, password, and other info in a separate php file (let's say "mysql_connect.php") and then accessing it via require_once (mysql_connect.php) in a different file.
I have done a bit of googling and I know that I am supposed to keep "mysql_connect.php" out of the web root. I have moved it outside of the html folder and tried calling to it by using "../../mysql_connect.php". This is not working, it gives me an error "function not found" or something like that. Upon googling that, the internet says that it's because it can't locate the file I'm referencing. When I move mysql_connect.php into a folder below root, everything works fine. The issue is because it is moved outside of the web root (I think).
I have been googling for two days now and cannot find a detailed explanation on how to get this to work. Something about changing the .htaccess file? I've read a bunch of articles on the theory but I am really looking for a step-by-step tutorial (I am a beginner). The only step-by-step tutorials I can find just tell you to put the config.php file into the same folder which is not secure.
Also in reading, it says that putting mysql_connect.php above root might not be THE most secure way to store the information as it is still basically just a .txt file and it can be retrieved easily(like downloading it). I am looking for a balance between secure and also do-able (for a beginner like myself). The mysql database I am trying to protect will not have any personal information and I plan on using a dedicated server (with no other information on it).
Can any one help me to solve this issue?
it gives me an error "function not found" or something like that.
This.
Is your main problem.
You neither bothered to read this error message yourself nor brought it here to help us to help you.
While
there is no problem in having this file below document_root,
and there is no problem in having this file above document root either,
the only problem you have is to assign a correct filename.
And the error message you got could help you more than 1000 volunteers from this site.
Despite that, you can use a PHP predefined variable to make this path work from whatever part of your site. Assuming the file is one level above the document root, the code would be
require($_SERVER['DOCUMENT_ROOT']."/../mysql_connect.php");
However, this one may produce an error too, as nobody knows the real file locations. Thus, you may read the error message and correct the paths. Or post it here and get an interpretation.
You can store the database information inside your web server configuration.
If you run Apache you can use SetEnv inside the VirtualHost. Since you're still on a shared host, your server admin probably needs to help you with this. You can read more about this approach here.
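The two suggestions above (a file one level above the document root, or variables supplied by SetEnv) can sit behind one loader, shown here as an added example that is not code from any of the posts. The DB_* variable names, the array keys and the requirement that mysql_connect.php ends with a `return [...]` are assumptions.

```php
<?php
// Added example. DB_* names, array keys and the file's return value are
// assumptions; Apache would supply the variables through SetEnv lines.

/**
 * Return host/user/pass/name from the environment when all four DB_*
 * variables are set, otherwise from mysql_connect.php one level above the
 * document root. Failures name the path that was tried, never a secret.
 */
function load_db_config(array $server, array $env): array
{
    $keys = ['host' => 'DB_HOST', 'user' => 'DB_USER',
             'pass' => 'DB_PASS', 'name' => 'DB_NAME'];
    $fromEnv = [];
    foreach ($keys as $k => $var) {
        if (isset($env[$var])) { $fromEnv[$k] = $env[$var]; }
    }
    if (count($fromEnv) === count($keys)) {
        return $fromEnv;
    }
    $root = $server['DOCUMENT_ROOT'] ?? '';
    $docroot = $root === '' ? false : realpath($root);
    if ($docroot === false) {
        throw new RuntimeException('DOCUMENT_ROOT is not an existing directory');
    }
    $wanted = dirname($docroot) . DIRECTORY_SEPARATOR . 'mysql_connect.php';
    $file = realpath($wanted);
    if ($file === false) {
        throw new RuntimeException("Config file not found at $wanted");
    }
    // realpath() resolved symlinks: refuse a file that ends up in the web root.
    if (strpos($file, $docroot . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException("Config file $file is inside the web root");
    }
    $cfg = require $file;   // assumed to end with: return ['host' => ..., ...];
    if (!is_array($cfg) || array_diff(array_keys($keys), array_keys($cfg))) {
        throw new RuntimeException("Config file $file did not return all keys");
    }
    return $cfg;
}

// Constructed environment standing in for what SetEnv would provide.
$env = ['DB_HOST' => 'localhost', 'DB_USER' => 'app',
        'DB_PASS' => 'constructed', 'DB_NAME' => 'demo'];
print_r(array_keys(load_db_config(['DOCUMENT_ROOT' => __DIR__], $env)));
```

In a request, `$_SERVER` can be passed for both arguments, since variables set with SetEnv appear there.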
... tried calling to it by using "../../mysql_connect.php" This is not working, it gives me an error "function not found" or something like that.
Include the connection details with:
require_once("../../mysql_connect.php");
This assumes that the file mysql_connect.php is two levels up from the currently executing script.
The database connection details will always be able to be read by whoever has administrative access to the server. It is not feasible to encrypt the file, because you would still need to store whatever key or password is needed to decrypt it on the server as well, which would still not hide it from the server administrators.
Besides moving out of the web-root (which is a good step forward) an approach I've seen used is:
// at the top of your index or bootstrap file
define('SECURED', true);
And:
// at the top of any file subsequently included, such as mysql_connect.php
if(!defined('SECURED'))
{
exit();
}
This will at least prevent the file(s) from being accessed (executed) directly. This is helpful if the to-be-included files would otherwise issue a warning or error that could potentially dump sensitive data as output.
If you're in a shared hosting environment you won't be allowed access outside of document root (most likely). You will need the password, therefore it won't be completely secure. Instead, you can look into creating separate mysql users with privileges and limiting connections to local accesses only.
I know I'm new, but something as simple as the form for your login should be checked in order for it to work.
<form action="insertphpfilepath.php" method="POST">
and then "insertphpfilepath.php" would have the mysql_query to check the login and password, not forgetting the mysql_query for connecting to the database and table using the right username and password.
A newbie recommendation to you: use mysql_real_escape_string for any $_POST['login'], so that it would become $login=mysql_real_escape_string($_POST['login']); for evading MySQL injection.
So I have two copies of exactly the same project. The configuration of the servers is the same. The script has to write some data to database and then redirect the user to the appropriate page with the header() function depending on the data written to the database.
It works fine on the Linux server, though in Windows it tries to redirect first, and then write to the database, which, of course, doesn't work, because there's no data written. If I comment out the header() function in the Windows version, it writes to the database, but doesn't do the redirection.
How can two exact scripts work so differently?
Edit:
I'm not sure how do I show the code, since there's so much of it and it's so scattered. But basically, it's just a function that sets the header() and then the function that writes to db. And when it redirects, it should select the data that was written to the database and display it.
That's a very simplified version of it. Bear in mind, the header is set BEFORE the writing to the database. I believe this to be the culprit, but I didn't write the code, and I can't change the architecture of it, since it works perfectly on 2 Linux servers, I just don't understand how. I just need to make it work on the Windows server.
It makes the redirection ok, I mean it sends me to the link that it should send me to, but it doesn't write to the database. But if I comment out the header() part, it writes to the database, but doesn't make the redirection.
Try adding an if statement like this:
if(mysql_query('...') && mysql_affected_rows()){
header("Location: redirectScript.php");exit();
}
Hope this helps...
The documentation for the header function states the following:
Note:
HTTP/1.1 requires an absolute URI as
argument to Location: including the
scheme, hostname and absolute path,
but some clients accept relative URIs.
You can usually use
$_SERVER['HTTP_HOST'],
$_SERVER['PHP_SELF'] and dirname() to
make an absolute URI from a relative
one yourself:
Are you using a relative URL? It's possible that LAMP likes a relative URL more than WAMP does. It is a simple test, so worth a shot.
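One way to build the absolute URI the manual note describes, with the write done before the redirect, as an added example that is not code from the thread or from the PHP manual. ALLOWED_HOSTS, its host names and the helper names are assumptions; the host check is there because HTTP_HOST is copied from the request.

```php
<?php
// Added example. ALLOWED_HOSTS and the host names in it are assumptions.
const ALLOWED_HOSTS = ['www.example.test', 'example.test'];

/**
 * Build the absolute URI for a Location header from HTTP_HOST, PHP_SELF
 * and dirname(), given a relative target. Returns null when the Host
 * header is not one this site serves or the target is malformed.
 */
function absolute_redirect(array $server, string $target): ?string
{
    // HTTP_HOST comes from the client, so only accept known values.
    $host = strtolower($server['HTTP_HOST'] ?? '');
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        return null;
    }
    // A CR or LF in the target would split the header; refuse it.
    if (preg_match('/[\r\n]/', $target) === 1) {
        return null;
    }
    $https  = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
    $scheme = $https ? 'https' : 'http';
    // rtrim() turns the root directory "/" (or "\" on Windows) into "",
    // so the path part never starts with "//".
    $dir = rtrim(dirname($server['PHP_SELF'] ?? '/'), '/\\');
    return $scheme . '://' . $host . $dir . '/' . ltrim($target, '/');
}

/** Write first; produce a redirect target only if the write succeeded. */
function save_then_redirect(callable $write, array $server, string $target): ?string
{
    if (!$write()) {
        return null;   // nothing was stored, so nothing to redirect to
    }
    return absolute_redirect($server, $target);
}

// Constructed request data for a script at /app/save.php.
$server = ['HTTP_HOST' => 'www.example.test', 'PHP_SELF' => '/app/save.php'];
$url = save_then_redirect(fn() => true, $server, 'show.php?id=7');
echo $url ?? 'no redirect', PHP_EOL;

// In a handler: if ($url !== null) { header('Location: ' . $url); exit; }
```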
For some reason I've only got it to work on WampServer and with PHP 5.2.4
I'm developing a PHP application that has to respond to requests from several clients, and I think: "Can any of the clients see the PHP code that I'm writing?".
No, unless
There is a server misconfiguration
There is a bad echo/include somewhere
No. Unless you're echoing it to them under where you're actually using it.
Use includes from below or outside the www served directory. (can't +1 yet.. for Frankie)
Don't use symlinks for your http directories. I've intentionally used this to both show source and execute depending on user request path before, but that required httpd.conf changes (or misconfiguration) and can explicitly be disabled in httpd.conf.
If allowing downloads of files using fopen, don't pass anything the user creates to it or they could figure out how to get it to grab any file they can find.
Consider:
fopen('reports/' . $_GET['blah']);
where the user passes in '../index.php'
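The fopen() case above and the download-by-owner question at the top of the page need the same check, shown here as an added example that is not code from either post: resolve the requested name and confirm it is still inside the intended directory before reading it. The layout <root>/<owner>/files/public/<name> is assumed from the first question; the function name and demo files are constructed.

```php
<?php
// Added example, not code from the posts above. The directory layout
// <root>/<owner>/files/public/<name> is assumed from the question.

/**
 * Map an owner name and file name taken from the request to a real file
 * under $root. Returns null when either part could leave that tree.
 */
function resolve_public_file(string $root, string $owner, string $name): ?string
{
    // Allow-list plain names first: no separators, drive letters or NULs.
    foreach ([$owner, $name] as $part) {
        if ($part === '.' || $part === '..'
            || preg_match('/\A[A-Za-z0-9._-]+\z/', $part) !== 1) {
            return null;
        }
    }
    $base = realpath($root);
    $path = realpath($root . '/' . $owner . '/files/public/' . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null; // missing file, or $root itself does not exist
    }
    // Compare canonical paths, so a symlink inside the tree cannot escape it.
    $prefix = rtrim($base, '/\\') . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo tree in the temp directory so the block runs offline.
$root = sys_get_temp_dir() . '/pfs_demo_' . getmypid();
mkdir($root . '/max/files/public', 0700, true);
file_put_contents($root . '/max/files/public/sdf.png', 'constructed bytes');
file_put_contents($root . '/index.php', '<?php // constructed');

$requests = [['max', 'sdf.png'], ['max', '../../../index.php'], ['..', 'index.php']];
foreach ($requests as [$u, $f]) {
    $p = resolve_public_file($root, $u, $f);
    echo "$u / $f => ", $p === null ? 'refused' : 'served', PHP_EOL;
}

// In a handler, stream the resolved file instead of redirecting to it:
//   $p = resolve_public_file($uploadRoot, $_GET['u'] ?? '', $c);
//   if ($p === null) { http_response_code(404); exit; }
//   header('Content-Type: application/octet-stream');
//   readfile($p);
```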
No, but you should take all measures to prevent it.
You should always set your sensitive code (heck, why not all?) in a directory below your server working dir (say /www), that way if the server gets messed up, it won't be able to show your code to the world because that code will be included by php that is not working in the first place.
If you have your webserver set to serve instead of parse your php, yes. But then the clients wouldn't work. So, barring any security holes, the answer is no.
No. Assuming you've installed a L/UAMP server properly, or aren't printing out (echo, print_r, etc.) any of the guts of your code, the PHP will be processed and the logic or HTML it's meant to output will be used on the page, not visible.
N.B. If there isn't an 'index' in a directory or a proper .htaccess file, an Apache server will show a list of files in the directory, which can be downloaded and reviewed.
One mistake for it to happen is to paste a php tag inside a php string, example:
$string = "This is the answer: <s><?php echo $answer; ?></s>";
echo $string;
The person did a Ctrl+C and Ctrl+V of something that should be printed along the string, but the coder forgot to remove the php tags by distraction.