I will try to explain with an example.
There are files on the web that I publish (let's say, something.pdf or thefile.zip). Before the actual download, when a user follows the link to a file, I want some PHP script to be invoked which will then return the requested file. How can I do this? Please advise. Thank you!
Edit 1: thanks amadeus. In my case the PHP script is located on a different server than the web site and the files to download, so the PHP script would need to read the file from the remote web server and send it to the client, which is extra traffic... I actually do not need PHP to control the file download. It is ok to have it downloaded from the web server, but I want PHP script to be invoked when download is requested (to gather info on who is downloading and how many times).
Edit 2: thank you Pekka. I just realized that it is even more complex. Imagine server1 is a web server with downloadable files on it (no PHP), and server2 is a PHP server. If I just give "server1/thefile.zip" I will be unable to invoke the script on the PHP server. So it seems I should use "server2/script.php?thefile.zip", which will then just redirect the client to the file on server1. Is this the best implementation under the given conditions?
It is ok to have it downloaded from the web server, but I want PHP script to be invoked when download is requested (to gather info on who is downloading and how many times).
That's easy to do by calling
header("Location: http://externaldomain.com/externalresource.zip");
from your PHP script when you are done counting.
This will redirect the browser to the external resource.
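The count-then-redirect script discussed above, as an added example that is not part of the original answer. It maps the request to an allowlist so the script cannot be used as an open redirector. The `file` parameter name, the `files.example.com` host and the log path are assumptions.

```php
<?php
// Added example: download counter on server2 that redirects to server1.
// Assumed names: "file" query parameter, files.example.com, downloads.log.
declare(strict_types=1);

const FILE_HOST = 'https://files.example.com/';           // placeholder for server1
const ALLOWED   = ['something.pdf', 'thefile.zip'];       // only files you publish
const LOG_PATH  = __DIR__ . '/../private/downloads.log';  // directory must exist, outside the web root

function resolveDownload(string $requested): ?string
{
    // Exact match against the allowlist: no paths, schemes or hosts are
    // accepted, so user input never decides where the redirect goes.
    return in_array($requested, ALLOWED, true)
        ? FILE_HOST . rawurlencode($requested)
        : null;
}

function logDownload(string $file, string $ip, string $agent): void
{
    // Strip control characters so a crafted User-Agent cannot forge log lines.
    $agent = preg_replace('/[\x00-\x1F\x7F]/', '', substr($agent, 0, 200));
    $line  = sprintf("%s\t%s\t%s\t%s\n", gmdate('c'), $ip, $file, $agent);
    file_put_contents(LOG_PATH, $line, FILE_APPEND | LOCK_EX);
}

// A repeated parameter (file[]=...) arrives as an array; treat it as unknown.
$requested = $_GET['file'] ?? '';
$target    = is_string($requested) ? resolveDownload($requested) : null;

if ($target === null) {
    http_response_code(404);
    exit('Unknown file');
}

logDownload($requested, $_SERVER['REMOTE_ADDR'] ?? '-', $_SERVER['HTTP_USER_AGENT'] ?? '');
header('Location: ' . $target, true, 302);
exit;
```

The files on server1 remain directly reachable, so this counts only downloads that go through the script.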
So I'm a bit confused about what crafty users can and can't see on a site.
If I have a file with a bunch of PHP script, the user can't see it just by clicking "view source." But is there a way they can "download" the entire page including the PHP?
What permission settings should pages be set to, if there is PHP script that must execute on load but that I don't want anyone to see?
Thanks
2 steps.
Step 1: So long as your PHP is being processed properly this is nothing to worry about...do that.
Step 2: As an insurance measure move the majority of your PHP code outside of the Web server directory and then just include it from the PHP files that are in the directory. PHP will include on the file system and therefore have access to the files, but the Web server will not. On the off chance that the Web server gets messed up and serves your raw PHP code (happened to Facebook at one point), the user won't see anything but a reference to a file they can't access.
PHP files are processed by the server before being sent to your web browser. That is, the actual PHP code, comments, etc. cannot be seen by the client. For someone to access your php files, they have to hack into your server through FTP or SSH or something similar, and you have bigger problems than just your PHP.
It depends entirely on your web server and its configuration. It's the web server's job to take a url and decide whether to run a script or send back a file. Commonly, the suffix of a filename, file's directory, or the file's permission attributes in the filesystem are used to make this decision.
PHP is a server side scripting language that is executed on server. There is no way it can be accessed client side.
If PHP is enabled, and if the programs are well tagged, none of the PHP code will go past your web server. To make things further secure, disable directory browsing, and put an empty index.php or index.html in all the folders.
Ensure that you adhere to secure coding practices too. There are quite a number of articles on the web. Here is one: http://www.ibm.com/developerworks/opensource/library/os-php-secure-apps/index.html
I was wondering how php files are actually secured. How come one can not download a php file, even if the exact location is known?
When I upload a PHP file to my web server, let's say to domain.com/files, and I call the domain.com/files page, I can clearly see the PHP file and its actual size. Downloading the file however leads to an empty file.
The question then is: How does the security mechanism work exactly?
The web server's responsibility is to take the PHP script and hand it to the PHP interpreter, which sends the HTML (or other) output back to the web server.
A mis-configured web server may fail to handle the PHP script properly, and send it down to the requesting browser in its raw form, and that would make it possible to access PHP scripts directly.
Your web hosting may have a mechanism to list the contents of a directory, but unless it supplies a download mechanism to supply the PHP script with plain text headers (as opposed to HTML) without handing it to the PHP interpreter, it will be executed as PHP rather than served down.
In order to be able to download the raw PHP file, the server would have to do some extra work (possibly via another PHP script) which reads the PHP file from disk and sends its contents down to the browser with plain text headers.
When you request domain.com/files your web server is set up to show all the files in that directory.
When you request the actual PHP file the web server executes it and outputs the results back to you - not the source code.
Of course, both of the above can be configured. You could switch off directory listing and disable parsing of PHP files so the actual file contents/source code is output.
It's usually a good practice to switch off directory listing.
When you first install PHP on your server, it reconfigures Apache so that when a .php file is requested, Apache hands processing over to PHP. PHP then processes the code in the file, and returns whatever text the PHP code echoed or printed to Apache, which then sends that back over the network to the person that requested the PHP file.
The "security" comes simply in that Apache does not simply serve the PHP file, but rather hands it over to the PHP processor for execution. If Apache is not configured correctly or you use a server software that does not recognize PHP, the raw PHP file will be sent to the client.
Short answer: since the server is configured to execute PHP files and return the results, you will never be able to access the PHP source from the outside. All code is executed immediately by the server. So, to answer your question:
The security mechanism is that .php files are executed automatically by the server when they are requested.
This is a huge misconception. When you attempt to access a PHP file over port 80, your request is likely being run through a web server which does something with the file. In the case of PHP, it runs that file through the PHP interpreter, which causes that file to create some output, and that is what is sent to you.
You can easily allow downloading of PHP files by removing the interpreter for that file type. If the web server doesn't have anything special for it and doesn't understand the file, it will just have the client download it.
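A self-check for the misconfiguration the answers above describe, where the server returns raw PHP instead of executing it. This is an added example, not code from any of the posts. It is meant to be run from the command line against URLs on your own site, and it falls back to constructed sample responses when no URL is given.

```php
<?php
// Added example: flag HTTP responses that contain unexecuted PHP source.
// Usage (assumed file name): php check_leak.php https://your-site.example/index.php
declare(strict_types=1);

function leaksPhpSource(string $contentType, string $body): bool
{
    // A server with no PHP handler often labels the file with a PHP media type.
    if (preg_match('~^(application/x-httpd-php|text/x-php)~i', $contentType)) {
        return true;
    }
    // Executed scripts normally do not emit their own opening tag.
    // "<?xml" does not match, and HTML-escaped tags in tutorials do not either.
    return (bool) preg_match('/<\?(php\b|=)/i', $body);
}

function fetch(string $url): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [CURLOPT_RETURNTRANSFER => true, CURLOPT_TIMEOUT => 10]);
    $body = curl_exec($ch);
    $type = (string) curl_getinfo($ch, CURLINFO_CONTENT_TYPE);
    return [$type, $body === false ? '' : $body];
}

// Constructed sample responses (not captured from a real server).
$samples = [
    'executed' => ['text/html; charset=UTF-8', '<html><body>Hello</body></html>'],
    'raw'      => ['text/plain', "<?php\n\$db_pass = 'placeholder';\n"],
    'download' => ['application/x-httpd-php', ''],
];

$urls      = array_slice($argv ?? [], 1);
$responses = $urls ? array_combine($urls, array_map('fetch', $urls)) : $samples;

foreach ($responses as $name => [$type, $body]) {
    printf("%-10s %s\n", $name, leaksPhpSource($type, $body) ? 'LEAK' : 'ok');
}
```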
I have a website which I'll call website.com that is located on server1. website.com has a field to upload a file. When someone uploads a file on website.com, I don't want the file uploaded to server1, I want it to upload to another server, server2. What is the best way to do this? Can I do this using php, a shell script?
After the file is uploaded to server2, I have a shell script to execute on the file which I will also eventually have to figure out how to run from server1.
I hope this makes sense, thanks in advance.
Another possible way to do this is by uploading this file to your website.com site and using CURL to send the image to another server. Once this completes you can remove the image again.
See CURL PHP send image for more information.
-- UPDATE --
For an SSH connection you need to install additional libraries in order to allow PHP to make SSH connections. An excellent tutorial can be found here.
-- UPDATE 2 --
The question intrigued me, so I expanded my research. There seems to be another PHP library, phpseclib, around on Sourceforge. In the documentation on page 5 there is some information on how it works.
The only good way to make this work is to read the image to binary, and send it over to the other server as text and write that into a file, hence creating an image from the source of the original.
Also place the image in a public folder that accepts calls from your website1 domain; this way you also prevent hot linking of your images and save considerable data.
I also came across this for help with phpseclib.
In the end I wouldn't choose a solution like this. I would swap your website from server1 to server2, just to keep everything in one place.
Can't you put the script to handle the upload on Server 2?
You can have your HTML pages with the form served from server 1, but call the PHP for the upload from server 2.
Update
For example...
Server 1 has a file index.php which has a form:
<form action='http://server2.com/some_directory/uploader.php' method='POST' enctype='multipart/form-data'>
.... Some form code
</form>
The form on index.php points to a PHP script on server 2, via a URL. That PHP script can now handle the input.
Of course this will only work if server2 is accessible from the internet; if not, you will have to use some sort of shell script on server 1 to move the files on the internal network when they are uploaded to server 1.
I'm using CURL to upload files to a service.
Currently I'm getting the file content with $GLOBALS["HTTP_RAW_POST_DATA"] and then saving it on my server.
After that, I'm using CURLOPT_POSTFIELDS with the file's full path.
Is there a way to send the file content directly, without saving it on my server, as if I saved it?
Or is there a way to upload a Photo from a flash app to facebook album, without saving it on the server?
Thanks
If you are uploading data you might consider using the file upload mechanism in PHP: http://php.net/manual/en/features.file-upload.php It automatically handles file uploads in PHP.
If you want to redirect the upload to another (third party service) without needing to be in the chain of commands (i.e. user->3rd party server), you might want to look into AJAX. AFAIK when you upload a file using PHP/forms the file will be uploaded to your PHP temp directory and there is no way to prevent this because:
1. To access the file it needs to be on the server (PHP is server execute meaning it can not execute on the user side)
2. I do not believe any user will want you to access their files on their computer, nor will you be able to do so (firewall, AV); if that were to happen it would be a major security issue
As I said above, what you want to look into is AJAX (I used jQuery and their AJAX methods are very simple). Because AJAX is user execute JavaScript it can run on the machine and initiate a connection to any URL. This way you can directly access the service without submitting the file to your server.
Here is an example AJAX upload (you can google for more):
http://valums.com/ajax-upload/
Hope this helps
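For the question's case of a raw POST body that has to be forwarded by the server, the sketch below relays it in memory with `CURLStringFile` (PHP 8.1+) instead of writing it to disk first. It is an added example, not part of the original posts. The upstream URL, field name, size limit and allowed types are assumptions.

```php
<?php
// Added example: relay a raw POST body to another service without a temp file.
// Requires PHP 8.1+ (CURLStringFile). URL, field name and limits are placeholders.
declare(strict_types=1);

const UPSTREAM_URL = 'https://upload.example.com/photos'; // placeholder service
const MAX_BYTES    = 5 * 1024 * 1024;
const ALLOWED_MIME = ['image/jpeg', 'image/png'];

function readBody(int $limit): ?string
{
    // php://input replaces $HTTP_RAW_POST_DATA, which was removed in PHP 7.
    $in   = fopen('php://input', 'rb');
    $data = stream_get_contents($in, $limit + 1); // read one extra byte to detect oversize
    fclose($in);
    return ($data === false || $data === '' || strlen($data) > $limit) ? null : $data;
}

function sniffMime(string $data): ?string
{
    // Decide the type from the bytes, not from a client-supplied header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($data);
    return in_array($mime, ALLOWED_MIME, true) ? $mime : null;
}

function relay(string $data, string $mime): int
{
    $ch = curl_init(UPSTREAM_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        // Sent as a multipart file part, as if a file path had been given.
        CURLOPT_POSTFIELDS     => ['file' => new CURLStringFile($data, 'upload.bin', $mime)],
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 30,
    ]);
    curl_exec($ch);
    return (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE); // 0 if the request failed
}

$body = readBody(MAX_BYTES);
$mime = $body === null ? null : sniffMime($body);
if ($mime === null) {
    http_response_code(400);
    exit('Rejected');
}
http_response_code(relay($body, $mime) === 200 ? 200 : 502);
```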
I have a file where I'm able to generate the PDF, but I want the path to be the user's desktop, where it would be saved automatically.
$pdf->Output("sample.pdf");
What should the path be?
No matter what you have server side you won't be able to automatically save a file on a user's system via their browser with no interaction from them as that would be a massive security hole. The user will always have to confirm the save of a file.
For similar reasons you won't be able to query the directory structure of a User's system via the browser, and even if you could I don't think you can give a browser a suggested directory in which to save something.
You can't do that with PHP. PHP runs on your server, not on your user's desktop. You probably want to store the file somewhere on the server, and then show the user a link to download the generated file.
Unless of course, you're talking about running PHP locally on your user's computer (i.e. Apache or some other web server is installed on your user's computer), in which case please clarify your question.
Assuming your php script is running as a client-side app through the Command Line Interface or PHP-GTK, you should first check if the system it runs on actually is a Win32 type machine.
Next you'd need to use the Windows Only Extensions to invoke the native Win32 API Function call returning a well-known location such as user's desktop folder, that is SHGetFolderPath() with a CSIDL_DESKTOP as a second parameter.
If however your script runs on a server, there's no way to put the file on user's desktop directly without her actually being instructed to do so.
You should output the PDF to the browser and provide the appropriate headers to have the file be recognised as PDF (or merely as downloadable to force a download). Also make sure not to output anything other than the PDF as that might corrupt the file.
EDIT: Note that if you use a webbrowser it is, for security reasons, not possible to FORCE an automatic download. You can only prompt a download, not activate it.
If you're talking about a PHP script (e.g. on a Linux workstation), you probably want to do something completely different. If the PDF library doesn't let you specify a path, do the same you would do in a web browser sans the headers and use an output buffer to catch the output and write it to a file -- if you run the script directly, it'll have the necessary privileges to write to your home directory.