I want to protect a pdf file from being directly linked but instead have my logged in users be able to access it. I have a link which currently goes to a javascript function which posts a form:
$('nameofdoc').setProperty('value',doc);
document.getElementById('sendme').submit();
where sendme is the name of the form and nameof doc the index of the document I want to display.
This then goes to a php file:
$docpath = $holdingArray[0].$holdingArray[1];
$file = $holdingArray[0]; //file name
$filename = $holdingArray[1]; //path to the file]
header( 'Location:'.$docpath ) ;
header('Content-type: application/pdf');
header('Content-Disposition: attachment; filename="'.$filename . '"');
readfile($filename)
This all works fine it loads up the file and outputs the pdf. What I can't do is protect the directory from direct linking - ie www.mydomain.com/pathToPdf/pdfname.pdf
I've thought of using .htaccess to protect the directory but it's on a shared host so I'm not sure about the security and anyway when I've tried I can't get it to work.
Any help would be great since this is my fourth day of trying to fix this.
thanks
Update
I've had a lot of help thank you but I'm not quite there yet.
I've got an .htaccess file that now launches another php file when a pdf is requested from the directory:
RewriteEngine on
RewriteRule ^(.*).(pdf)$ fileopen.php
When the fileopen.php file lauches it fails to open the pdf
$path = $_SERVER['REQUEST_URI'];
$paths = explode('/', $path);
$lastIndex = count($paths) - 1;
$fileName = $paths[$lastIndex];
$file = basename($path);
$filepath = $path;
if (file_exists($file)) {
header( 'Location: http://www.mydomain.com'.$path ) ;
header("Content-type: application/pdf");
header("Content-Disposition: attachment; filename=".$file);
readfile($filepath);
}else{
echo "file not found using path ".$path." and file is ".$file;
}
The output is
file not found using path /documents/6/Doc1.pdf and file is Doc1.pdf
but the file does exist and is in that direcotry - any ideas??
OKAY I'm happy to report that Jaroslav really helped me sort out the issue. His method works well but it is tricky to get all the directory stuff lined up. In the end I spent a few hours playing about with combinations to get it working but the principle he gave works well. Thanks
The best way would be to protect that folder with htaccess, as you have mentioned. So you put all PDFs in pdf/ folder, and in the same pdf folder you out .htaccess file:
RewriteEngine on
RewriteRule .* your-php-script.php
Now no files can be accessed by url in this folder. Every request to every file in this folder will return what your-php-script.php script returns. In your-php-script.php you do something like this:
//Check if user has right to access the file. If no, show access denied and exit the script.
$path = $_SERVER['REQUEST_URI'];
$paths = explode('/', path);
$lastIndex = count($paths) - 1;
$fileName = $paths[$lastIndex]; // Maybe add some code to detect subfolder if you have them
// Check if that file exists, if no show some error message
// Output headers here
readfile($filename);
Now if user opens domain.com/pdf/nsa-secrets.pdf Apache will run your-php-script.php. Script will have variable $_SERVER['REQUEST_URI'] set to "domain.com/pdf/nsa-secrets.pdf". You take the last part (filename) and output it to a user (or not).
This will stop anyone from accessing files directly from the internet by knowing URL. If someone has direct access to files on your server, that will not stop them. On the other hand, I think any shared hosting stops users from getting files of other clients. Only way to do it is to hack the server in some way. But then we are getting very paranoid and if that may be a case for you, you shouldn't use shared hosting in the first place.
If you cannot make htaccess work, you can try to obfuscate files, so it would be difficult to spot them for someone outside. For example change file from mySecretData.pdf to djjsdmdkjeksm.pdf. This may help a little bit.
I want to protect a pdf file from being directly linked but instead have my logged in users be able to access it.
Check to ensure there is an authenticated user before streaming the PDF's content.
This is kinda sloppy but it could work assuming you can setup a MYSQL DB. It lets you pass the "password" in the URL as an MD5 string or as a clear text if you want to. Trying to setup some kind of security without using htaccess or an existing frame work is kinda clunky. This however won't even attach the file to the stream until it knows you've been "Authenticated" I think you could maybe make this a little better if you setup a login page that saved a cookie locally then you wouldn't need to pass the "passphrase" in the URL.
$file = $_GET['file'];
$pass = $_GET['pass'];
$download_folder = '../Protected';
$file = basename($file);
$filepath = "$download_folder/$file";
if (file_exists($filepath)) {
if(CheckUser($pass)){
header("Content-type: application/octet-stream");
header("Content-Disposition: attachment; filename=$file");
session_write_close();
readfile($filepath);
} else {
echo 'Not Authenticated!';
}
} else {
echo 'No File!';
}
function CheckUser($value){
$con = mysqli_connect("test.com","test","123456","my_db");
// Check connection
if (mysqli_connect_errno()){
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$result = mysqli_query($con,"SELECT user FROM pass_table WHERE password =".md5($value).";");
while($row = mysqli_fetch_array($result)){
mysqli_close($con);
//return $row['user'];
if($row['user']){
return true;
}
}
mysqli_close($con);
return false;
}
Related
When user want to download file from my web site, user have to click link like below
https://www.example.com/download.php?aaa=111&bbb=222
download.php
<?PHP
session_start();
include("connect.php");
$aaa = mysql_real_escape_string($_GET[aaa]);
$bbb = mysql_real_escape_string($_GET[bbb]);
if(($aaa = '111')&($bbb = '222')) // this line is example for ask stackoverflow //
{
$filePath_try_to_download = 'attachments_files/test.pdf';
if(file_exists($filePath_try_to_download))
{
$fileSize = filesize($filePath_try_to_download);
$fileName = "test.pdf";
header("Cache-Control: private");
header("Content-Type: application/stream");
header("Content-Length: ".$fileSize);
header("Content-Disposition: attachment; filename=".$fileName);
// Output file.
readfile ($filePath_try_to_download);
exit();
}
}
?>
I want to know when user download file from this link https://www.example.com/download.php?aaa=111&bbb=222 user can get my file path on server or not (attachments_files/test.pdf). If user can get my file path, how can i hide it's ? (file in this dir is very importance)
Since I was posting comments from my Phone, they couldn't really explain much, so here goes your answer.
I want to know when user download file from this link https://www.example.com/download.php?aaa=111&bbb=222 user can get my file path on server or not (attachments_files/test.pdf).
No, Users can not see that file path which you are reading via readfile(). They will not be able to find out that file's location at all.
And if you want to eliminate any chances of people guessing the file path simply put those files outside of your web root folder and then readfile() them from there.
$filePath_try_to_download = 'attachments_files/test.pdf';
That path is only known to your PHP code, which is not visible to users hence they have no idea from where did you read the file they are downloading, just eliminate the guesswork chances though :)
And Obviously you have to secure access to this url https://www.example.com/download.php?aaa=111&bbb=222 otherwise what's the point!
No. The user cannot get the file path. He only get the content outputed by PHP script.
Your can do this and the user only get the "Hello" string. So it's your PHP script's role determining which contents the user can get.
<?php
echo "Hello";
?>
I face a case I never did, and I dont know how to properly do it.
I have a php script which generate files for clients. At the end of the script, I echo the path for them to download the file, simply.
How can I do to provide the file - or the path or any what - for downloading it, and be sure to delete the file once downloaded.
Widely, I'd like to make the file available for one/unique download only. How to ?
EDIT
I cannot use headers
There are a few components to getting this to work. Without knowing which framework you use, I'll use comments as placeholders.
There is no way to do it without using the header function, though.
Here is the source for a file that outlines the process:
<?php
$fileid = $_GET['fileid'];
$key = $_GET['key'];
// find the file in the database, and store it in $file
if ($keyMatches) {
// it is important for security to only use file paths from the database
$actualPath = $file->getPathOnDisk();
$fileInfo = finfo_open(FILEINFO_MIME_TYPE);
$mime = finfo_file($fileInfo, $actualPath);
$fp = fopen($actualPath, 'rb');
header("Content-Type: " . $mime);
header("Content-Length: " . filesize($actualPath));
fpassthru($fp);
}
else
{
http_response_code(403); // forbidden
}
You'll use this by linking to download.php?fileid=1234&key=foobar, and generating the URL at the same time you generate the key and store it in the database.
For security, you'll keep the files outside of the web root, meaning they cannot be accessed through the web server without going through a script.
fpassthru is reasonably fast, and will not likely have a performance impact.
You must do a download file gateway, like download.php?id=XXX
Where XXX is the unique ID of each file you will store in DB. And of course, the file to be downloaded.
Then, each time a user will visit the page, you can :
- Check if he has already downloaded the file
- If no, redirect it to the real path of file
- If yes, display 403 message.
When a user download a file, update the DB, generate or copy the file to a new name, you play with headers, and delete file upon download or after a small timeout.
I want my users to download a file say file.zip
from
www.remoteurl/file.zip
but the file should be downloaded from
www.mydomain.com/file.zip
I want my server to act as a proxy which will change the remote url to mydomain. (Note: the file shouldn't be downloaded to my server.)
Can you suggest a good approach for this, or is there even a finished script for this purpose ?
Your question isn't very clear, still, I think you want users to think they're downloading a file from your server while in fact the download is located on a remote server. If my assumption is correct, there are many ways to achieve that, here's one:
Let's say the user clicks on a link that contains:
http://www.yousite.com/myfiles/file.zip
First, we use mod_rewrite to forward any requests to myfiles to our phpscript (download.php).
.htaccess
RewriteEngine on
RewriteRule ^myfiles/(.*)$ /download.php?file=$1 [NC]
Now we can $_GET the value of file inside download.php
download.php
if(!EMPTY($_GET['file'])){
$url = 'http://www.remoteurl.com/'.$_GET['file'];
$path_parts = pathinfo($url);
$ext = $path_parts['extension'];
$filename = $path_parts['filename'];
header("Content-type: application/$ext");
header("Content-Disposition: attachment; filename=$filename");
echo file_get_contents($url);
}
You might want to restrict the downloads based on the file extension, for that you can use:
if (!EMPTY($_GET['file']) && preg_match('/\.(zip|txt|rar|tar|gz)$/', $_GET['file'])) {
//the rest of the code...
I have a directory containing data that should not be world-accessible until a certain date.
The directory, naturally, should not be directly world-readable with a web browser. I currently solve this with .htpasswd and .htaccess.
However, there is a world-readable .php file one directory level up. The PHP file, based on the date, conditionally generates basic HTML tags (e.g., <img .../>) that read from the protected directory.
Unfortunately, in my tests, the .php file requires authentication to load the data. My question is whether I'm trying to do something fundamentally impossible, or whether I can tweak it to make it work. Also, if it is possible, are there any additional issues (security or otherwise) that I should know about?
Additional information:
If possible, I would prefer not to use Javascript.
PHP 5.3 is available.
Any other ideas for a solution (I already thought of a cron-job, which I might yet do)?
I'm guessing a problem you might have is if you try to output <img src="protected.jpg" /> even from an unprotected php file, you'll be able to show the HTML but NOT the image file itself.
If i understand correctly what you're trying to do, you need either :
to write some kind of proxy script in PHP, in order to control access to each file (this is a bit tedious and requires generating the right headers + mime types).
to control access directly from .htaccess using time/date conditions, which might be your best option. see there : http://www.askapache.com/htaccess/time_hour-rewritecond-time.html
Edit : proxy example : i can't seem to find an example online so this is a function i often use when i wish to control access to a file from PHP (for instance this can be sensitive data whose access needs to be verified from $_SESSION or DB values) :
function send_binary_data($path, $mimetype, $filename = null){
#ob_clean();
if($filename === null) $filename = basename($path);
$size = filesize($path);
//no-cache
header('Cache-Control: no-cache, must-revalidate, public');
header('Pragma: no-cache');
//binary file
header('Content-Transfer-Encoding: binary');
//mimetype
header('Content-Type: ' . $mimetype);
header('Content-Length: ' . $size);
header('Content-Disposition: inline; filename=' . $filename);
header('Content-Description: ' . $filename);
$chunksize = 1 * (1024 * 1024);
$buffer = '';
$handle = fopen($path, 'rb');
if ($handle === false) {
return false;
}
while (!feof($handle)) {
$buffer = fread($handle, $chunksize);
print $buffer;
}
$result = fclose($handle);
unset($handle);
$handle = null;
die();
}
Of course you still need to restrict direct access from .htaccess but in case of a proxy you'll redirect all requests to your unprotected proxy script, like this :
RewriteEngine ON
RewriteRule ^(.*)$ /proxy.php?file=$1 [NC,QSA]
And proxy.php would contain something like :
if(!isset($_GET['file'])) die('file not set');
$file = $_GET['file'];
//perform all your custom checking, including security checks due to retrieving data from $_GET, and if access is granted :
$path = 'yourpath/'.$file;
$mimetype = 'defineregardingyour/ownrules';
send_binary_data($path, $mimetype);
.htaccess only serves as an access control directly from the Internet to the directory.
PHP access is controlled by the chmod permissions. Try chmodding it to 755. You can still put password-protection or any other kind of protection on it with the .htaccess-file.
Considering the added comments, I assume you're trying to include images in your output that are inside the protected directory. Naturally, an unauthenticated user cannot access them... Why else would you have protected them?
You can add the files that need to be world-accessible to your .htaccess file.
how do i use php to access the directory above my site root, i need to specifically go up one directory and show contents to the user so they can pick from a couple different directories on the same level as public_html, navigate into them, and when clicking on a file serve it up? server is unix/apache
zipsanimspublic_htmlThank you ahead.
David
i found that if they know the file name it can be served to them by this... named image.php
then image.php?file=imagename.jpg
Thank you!
<?php
$file = $_GET['file'];
$fileDir = '/path/to/files/';
if (file_exists($fileDir . $file))
{
// Note: You should probably do some more checks
// on the filetype, size, etc.
$contents = file_get_contents($fileDir . $file);
// Note: You should probably implement some kind
// of check on filetype
header('Content-type: image/jpeg');
echo $contents;
}
You go up one directory using the .. link. Example:
<?php include("../foo.bar"); ?>
Note that if you're on shared hosting, there's a good chance that the server won't let you do this.