Good day everyone!
Well here's the thing;
One .htaccess file, mod rewrite, to redirect imagename.png (non existing file) to tracker.php (real file). So when a user is looking at site.com/hello.png the user is actuall looking at /hello.php which gather information and stores it.
tracker.php
<?php
$date = date('d-m-Y');
$time = date('H:i:s');
$ip = $_SERVER['REMOTE_ADDR'];
$ref = #$_SERVER["HTTP_REFERER"];
header('Content-type: image/png');
echo gzinflate(base64_decode('6wzwc+flkuJiYGDg9fRwCQLSjCDMwQQkJ5QH3wNSbCVBfsEMYJC3jH0ikOLxdHEMqZiTnJCQAOSxMDB+E7cIBcl7uvq5rHNKaAIA'));
$myFile = "tr.txt";
$fh = fopen($myFile, 'a');
fwrite($fh, $myFile = $time ." | ". $date . " | " .$ip. " | " .$ref. " | \r\n\r\n");
fclose($fh);
?>
I am using it on my site to track visitors. Everything works fine, I could gather information about ip, webbrowser, ref-link etc.
But my question is, what are the restriction when doing this? I have been experimenting a long time and it seems like I could only use plain php (not echo "some other language").
I can not redirect or echo text. Loops, if/else, variables etc is working.
If I tries to redirect I could see that the page is attempting to connect to e.g. google but just for a second so there are no actual redirects.
tl;dr
What are the restriction in code when using a php file as an image?
I don't think there are any restrictions.
Your php code is executed and runs.
What you display doesn't restrict php.
You mentioned a redirect there. You're loading an image in a html page (generated by php or not, doesn't matter). The html page received it's headers from the server, and your php generated image also received it's headers (content-type image). Here is where the redirect would be.
There's no reason why your html page will ever redirect using a php headers function on your image.
If you load the php generated image directly in your browser, I think you'll be able to redirect the user (directly, without displaying the image), but as an image in a html page, it's not possible to affect the rest of the page, unless you use javascript.
Related
On a godaddy hosted website using CPanel, I have a small PHP script that shows each line in a text file that's on the server. Each line contains a private href link to a PDF that only the logged-in user can see. The links points to various PDFs in the same folder on the server. The code works fine and I can click on the link and see each PDF.
The problem is that each PDF can also be seen by using a direct URL query (i.e. website/folder/pdfname.pdf). As these are private PDFs, I don't want them public. I've tried changing CPanel permissions on the folder to "owner" - but that seems to prevent the PHP script from opening the PDFs also.
Is there a way to allow a PHP script access to PDFs in a folder - but prevent direct URL references?
NOTE: I'm not particularly adept at PHP or CPanel - sorry.
Code...
$fname = "PDF-" . $user_name.".txt";
$fnum = fopen($fname,"r");
echo "<tr>";
While (($str = fgets($fnum)) !== false) {
$arr = explode("|",$str);
for ($x = 0 ; $x < count($arr); $x++) {
echo "<td>$arr[$x]</td>";
}
echo "</tr>";
}
echo "</tr>";
fclose($fnum);
File contents...
Xyz Company|21 Jan 2018| website link
Xyz Company|21 Jan 2018| website link
Xyz Company|21 Jan 2018| website link
Xyz Company|21 Jan 2018| website link*
Asside from removing the files from the root, if you are running apache, you can change your .htaccess (I'm sure windows-based system have a web.config equivalent) to forbid access to certain files directly. If you add this snippet to that file, it will deny files with .pdf extension:
<FilesMatch "\.(pdf)$">
Order Allow,Deny
Deny from all
</FilesMatch>
From there, inside your app, you can create some sort of system for curating your PDF links, so if you store the real path in a database and use the id as the link similar to:
http://www.example.com/?file=1
or if you just do a simple scan:
<?php
# The folder that the PDFs are in
$dir = __DIR__.'/website/folder/';
# Loop over a scan of the directory (you can also use glob() here)
foreach(scandir($dir) as $file):
# If file, create a link
if(is_file($dir.$file)): ?>
<?php echo $file ?>
<?php
endif;
endforeach;
Then, if the user tries to download using the link, you check they are first logged in and if they are, download the file by doing a script like so BEFORE you output anything else to the browser (including spaces):
<?php
session_start();
# First check that the user is logged in
if(empty($_SESSION['username']))
die('You must be logged in to download this document.');
# Not sure which directory you are currently in, so I will assume root
# I would do basename() here incase the user tries to add in something like:
# ../index.php and tries to download files they are not supposed to
$file = __DIR__.'/website/folder/'.basename($_GET['file']);
if(!is_file($file))
die('File does not exist.');
# Double check that the file is a pdf
elseif(strtolower(pathinfo($file, PATHINFO_EXTENSION)) != 'pdf')
die('File appears to be invalid.');
# Start download headers
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="'.basename($file).'"');
header('Expires: 0');
header('Cache-Control: must-revalidate');
header('Pragma: public');
header('Content-Length: ' . filesize($file));
readfile($file);
exit;
One simpler and basic example (and derivative of previous answer) is to use two separate PHP files, where one is evaluating a set cookie (set to expire soon) in the browser upon link click (set via JS or PHP or other). If the cookie was read correctly, the first PHP page imports a second page that utilizes the PHP header() redirect containing your original file name forcibly downloaded with another name. Using the Content Disposition header field.
In action this works like this
1: Original page with download links - we set the cookie to work for 2 minutes
<a onclick="setCookie(1, 1, 2, 60)" href="php-secure-files-delivery-page.php">Download My Final PDF name.pdf</a>
<script type="text/javascript">
// set a cookie with your own time limits.
function setCookie(days, hours, minutes, seconds) { // Create cookie
var expires;
var date = new Date();
date.setTime(date.getTime()+(days*hours*minutes*seconds*1000));
expires = "; expires="+date.toGMTString();
document.cookie = "my_cookie_name"+"="+"my_cookie_value"+expires+"; path=/";
}
</script>
On the link page we include a hyperlink with the evaluating PHP page. Here we use JavaScript to set a cookie using the custom function setCookie(days, hours, minutes, seconds), that will receive your wishes for expiry. Just note that 1 is the minimum number. Not 0.
2: Download page - evaluating cookie and presenting texts, or simply downloading the file
(php-secure-files-delivery-page.php)
<?php
// if the cookie is set correctly, load the file downloader page.
if (isset($_COOKIE['my_cookie_name'] && $_COOKIE['my_cookie_name'] === 'my_cookie_value')) {
require_once 'file-downloader.php'; // the file will force the download upon import.
} else {
die('The link expired, go to your downloads section and click on the link again.');
}
?>
Here we evaluate the cookie, present either the correct info or die(). Using require_once we get the PHP page into the current one.
3: Imported file includer PHP page
(file-downloader.php)
<?php
// We'll be outputting a PDF
header('Content-Type: application/pdf');
// It will be downloaded as your-downloaded.pdf
header('Content-Disposition: attachment; filename="your-downloaded.pdf"');
// The PDF source is in your own specified long name
readfile('original-with-really-weird-original-name.pdf');
?>
Results
User always go to the same page, being presented with the appropriate information.
You can name your original files on your server anything you want, like "my_really_difficult_and_long_file_name.pdf", while the user sees only the nice pretty file name when the file is downloaded.
for more files, use an extra input in the cookie function to take the file name too, and some if statements in the php downloader page, that looks for separate end PHP pages to require_once.
If you go to the browsers "Downloads" section to try to get the url of the downloaded file, you see the initiating PHP page, the second page, that leaves you empty with a die() if no correct cookie was set. That cookie is only set when you want it to. On your pages. You can of course do this in JavaScript too, but that will expose the cookie, still, for most unauthorized sharing, that takes care of it.
Lastly, easy security for your folder (without Apache/Nginx/.htaccess stuff)
Using .htaccess files on local folders or directives on your server is the best and most secure way. But that´s not transferable to your other applications on other systems. Instead use a index.php and a default.php page on your PDF file´s parent folder, where they are located, including this header redirect to wear off unwanted visits:
<?php
header("Location: http://yoursite.com/some-other-page/"); /* Redirect browser here */
?>
I face a case I never did, and I dont know how to properly do it.
I have a php script which generate files for clients. At the end of the script, I echo the path for them to download the file, simply.
How can I do to provide the file - or the path or any what - for downloading it, and be sure to delete the file once downloaded.
Widely, I'd like to make the file available for one/unique download only. How to ?
EDIT
I cannot use headers
There are a few components to getting this to work. Without knowing which framework you use, I'll use comments as placeholders.
There is no way to do it without using the header function, though.
Here is the source for a file that outlines the process:
<?php
$fileid = $_GET['fileid'];
$key = $_GET['key'];
// find the file in the database, and store it in $file
if ($keyMatches) {
// it is important for security to only use file paths from the database
$actualPath = $file->getPathOnDisk();
$fileInfo = finfo_open(FILEINFO_MIME_TYPE);
$mime = finfo_file($fileInfo, $actualPath);
$fp = fopen($actualPath, 'rb');
header("Content-Type: " . $mime);
header("Content-Length: " . filesize($actualPath));
fpassthru($fp);
}
else
{
http_response_code(403); // forbidden
}
You'll use this by linking to download.php?fileid=1234&key=foobar, and generating the URL at the same time you generate the key and store it in the database.
For security, you'll keep the files outside of the web root, meaning they cannot be accessed through the web server without going through a script.
fpassthru is reasonably fast, and will not likely have a performance impact.
You must do a download file gateway, like download.php?id=XXX
Where XXX is the unique ID of each file you will store in DB. And of course, the file to be downloaded.
Then, each time a user will visit the page, you can :
- Check if he has already downloaded the file
- If no, redirect it to the real path of file
- If yes, display 403 message.
When a user download a file, update the DB, generate or copy the file to a new name, you play with headers, and delete file upon download or after a small timeout.
I want to store some data retrieved using an API on my server. Specifically, these are .mp3 files of (free) learning tracks. I'm running into a problem though. The mp3 link returned from the request isn't to a straight .mp3 file, but rather makes an ADDITIONAL API call which normally would prompt you to download the mp3 file.
file_put_contents doesn't seem to like that. The mp3 file is empty.
Here's the code:
$id = $_POST['cid'];
$title = $_POST['title'];
if (!file_exists("tags/".$id."_".$title))
{
mkdir("tags/".$id."_".$title);
}
else
echo "Dir already exists";
file_put_contents("tags/{$id}_{$title}/all.mp3", fopen($_POST['all'], 'r'));
And here is an example of the second API I mentioned earlier:
http://www.barbershoptags.com/dbaction.php?action=DownloadFile&dbase=tags&id=31&fldname=AllParts
Is there some way to bypass this intermediate step? If there's no way to access the direct URL of the mp3, is there a way to redirect the file download prompt to my server?
Thank you in advance for your help!
EDIT
Here is the current snippet. I should be echoing something, correct?
$handle = fopen("http://www.barbershoptags.com/dbaction.php?action=DownloadFile&dbase=tags&id=31&fldname=AllParts", 'rb');
$contents = stream_get_contents($handle);
echo $contents;
Because this echos nothing.
SOLUTION
Ok, I guess file_get_contents is supposed to handle redirects just fine, but this wasn't happening. So I found this function: https://stackoverflow.com/a/4102293/2723783 to return the final redirect of the API. I plugged that URL into file_get_contents and volia!
You seem to be just opening the file handler and not getting the contents using fread() or another similar function:
http://www.php.net/manual/en/function.fread.php
$handle = fopen($_POST['all'], 'rb')
file_put_contents("tags/{$id}_{$title}/all.mp3", stream_get_contents($handle));
I am trying to make my website so that you have to log in in order to view some files. I got the login up and running with mySQL databases and everything is working fine, except that i don't want to manually put edit all my 1000+ html files to check if the user is logged in. I have tried using htaccess, but the popup is so ugly i can't stand it.
Now, the question is, can i password-protect a bunch of files on my website without manually modifying all of them, or can i make the "htaccess login form" look good.
Thanks.
You could put all of your HTML files in a directory outside of the webroot, then refer to them through URL rewriting or a basic querystring variable passed to a single PHP script.
For example:
<?php
// Get the file from ?whichfile=(...)
$whichfile = $_GET['whichfile'];
// Put your logic here to verify that the user is logged in / has a valid session ID, etc.
// You should also put some checks on the value that is passed through "whichfile"
// to prevent users from accessing things they shouldn't.
// Edit: example to prevent this:
// $whichfile = "../../../../etc/passwd";
$fname = pathinfo($whichfile, PATHINFO_FILENAME);
$ext = pathinfo($whichfile, PATHINFO_EXTENSION);
$fname .= ($ext ? ".".$ext : "");
if (file_exists("/var/www/folder/out/of/webroot/".$fname)) {
$blob = file_get_contents("/var/www/folder/out/of/webroot/".$fname);
header("Content-Type: text/html; charset=utf-8");
print $blob;
}
I've been trying to get wkhtmltopdf to convert pages on a website and it's failing to convert pages that are on the same. It'll convert and store external pages (tried it with google and bbc.co.uk, both worked) so the permissions are fine but if I try to convert a local page, either a static html file or one generated by a script, it takes around 3 minutes before failing.
The output says the page has failed to load, if forcibly ignore this, I end up with a blank PDF.
I thought it might be session locking but closing the session resulted in the same issue. I feel it's something down to the way the server may be behaving though
Here's the code in question:
session_write_close ();
set_time_limit (0);
ini_set('memory_limit', '1024M');
Yii::app()->setTheme("frontend");
// Grabbing the page name
$ls_url = Yii::app()->request->getHostInfo().Yii::app()->request->url;
// Let's remove the PDF otherwise we'll be in endless loop
$ls_url = str_replace('.pdf','',$ls_url);
// Setting paths
$ls_basePath = Yii::app()->basePath."/../extras/wkhtmltopdf/";
if(PHP_OS=="Darwin")
$ls_binary = $ls_basePath . "wkhtmltopdf-osx";
else
$ls_binary = $ls_basePath . "wkhtmltopdf";
$ls_generatedPagesPath = $ls_basePath . "generated-pages/";
$ls_outputFileName = str_replace(array("/",":"),"-",$ls_url)."--".date("dmY-His").".pdf";
$ls_outputFile = $ls_generatedPagesPath. $ls_outputFileName;
// making sure no nasty chars are in place
$ls_command = escapeshellcmd($ls_binary ." --load-error-handling ignore " . $ls_url . " " . $ls_outputFile);
// Let's run things now
system($ls_command);
did you lynx that exact url? since wkhtmltopdf is actually small but powerful webkit browser, it fails places just like a normal browser.
check the URL you gave, check external URLs within your page are accessible from your server. It loads CSS, external images, iframes, everything before it even starts making PDF.
Personally, I love wkhtmltpdf. nothing beats it.