This question already has answers here:
A PHP script to let users download a file from my website without revealing the actual file link in my website?
(4 answers)
Closed 9 years ago.
I want to make images shopping site in which I want people buy images then they can download them.
My problem is how to create hidden path to image that people download the image and don't know the real path of the image.
You can call a php file to download the image and not the real image/path.
Like this you can call the real path inside your php file with something like:
$path = "/public_html/yourPath/";
if (! isset($_GET['img'])) {
die("Invalid URL");
}
$imageName = filter_var($_GET['img'], FILTER_SANITIZE_STRING);
$finalPath = $path.$imageName;
header('Content-type: octet/stream');
header('Content-Type: image/jpg');
header("Content-Disposition: attachment; filename=$finalPath;");
readfile($finalPath);
You can read more about it here.
Store the images in an offline location (not www) and retreive them with PHP, so they can access the image for example like this: http://yoursite.com/index.php?file=filename and then PHP will go and return that file from the offline location. You just need to set the correct headers so the content is not treated like a web page but an image instead. Now obviously, such link is still public so you need to add some more information to it to authenticate the downloader.
Related
This question already has answers here:
Return a PHP page as an image
(6 answers)
Closed 8 years ago.
I have an image in a directiory, lets say: test.jpg.
I also have 2 other PHP file in this directory called: new.php and load.php
Now, what I want to do is, when people visit the website new.php, they should need to see the test.jpg image.
However! I would also need that if I place the new.php into an <img> tag, it should also display the image correctly.
I have tried to call the image in an img tag, but it doesn't load correctly, when I insert the new.php into img tags.
<img src="test.jpg">
How is that even possible to make a php work as an image - if you know what I mean?
using:
header('Content-Type: image/jpeg');
readfile('path/to/image/screenshot.jpg');
other variants:
#readfile('path/to/image/screenshot.jpg');
won't have any errors if file does not exist.
AND
readfile('path/to/image/screenshot.jpg') or die('Image file not found');
will kill your script with a predefined error message if file does not exist.
The most useful alternative, as suggested by #hd:
$file = 'path/to/image/screenshot.jpg';
readfile(file_exists($file) ? $file : 'path/to/image/image_not_found.jpg');
Which will choose $file or if it does not exist, the default image_not_found.jpg
You may need to change the mime-type in the header() for other image types.
Note: The other answer is very much as functional as this one, but this one uses no memory and in general is faster and more flexible than the other answer.
Try this:
new.php
header("Content-Type: image/jpeg");
$im = imagecreatefromjpeg("test.jpg");
imagejpeg($im);
imagedestroy($im);
and use it like this
<img src="new.php"/>
This question already has answers here:
How to serve documents from outside the web root using PHP?
(2 answers)
Closed 8 years ago.
Okay, so I'm not so experienced with PHP, and I've been searching for hours for a way to access an image file outside of the document root. I know there are many answers to this question, sort of, but none that actually helped me.
So what I have so far is a folder structure like this (ignore the odd file names):
-img
-imagez.php
-logo.php
-public_html
-files.php
I put this code inside of files.php:
<?php include('/home/byonexco/img/imagez.php'); ?>
If I access files.php from my browser, I see the content of imagez.php, as is expected.
My problem is, I want to be able to do the same thing with the file logo.png. The folder img is not publicly accessible, so I know I have to call the image with PHP.
How can I get logo.png to show on the page when someone accesses the file files.php?
You could write a very simple script like
<?php
header('Content-Type: image/png');
if (strpos($_GET['img'], '..') === false) // check for quackery
readfile('../img/' . $_GET['img']);
and access it like
/img.php?img=logo.png
However there are a couple disadvantages to this solution:
Relaying the image through PHP costs time and performance
The script is possibly subjectible to exploits, letting an evil person retrieve any file on the server
You're far better off with hosting images directly accessible.
As the image isn't publicly accessible, you'd need to get the image via PHP then output the image with the correct header
$image = file_get_contents('path/to/image.png';
header('Content-Type: image/png');
imagepng($image);
imagedestroy($image);
This question already has answers here:
How to fix "Headers already sent" error in PHP
(11 answers)
Force-downloading, from php file
(2 answers)
Closed 9 years ago.
I am trying to make a php script when you load on to that page it downloads a video. However since i do not know anything about headers it seems i can't figure it out so please explain why it works and how header works. I am trying to make the browser download video files.Can someone also explaain the headers and what they do please.
Here is my failing code:
<?php
//Outputing video name
$file_name = $_POST['FileToD'];
//outputting video extension e.g video/mp4
$file_ext= $_POST['FileExt'];
//where the file is kept
$file_path = 'mysever.myadress.com/media/movies/' . $file_name;
header('Content-Type:'.$file_ext);
header('Content-Length:' . filesize($file_path));
header('Content-Description: attachment; filename='.$file_name);
readfile($file_path);
?>
If you want to output a video, then don't start by outputting HTML and then switch to video data as part of the same file. (You can't set response headers after you've started outputting data anyway). Remove everything before <?php and after ?>
$file_url should be the path, on the server's file system, to the file you want to make available. It shouldn't be a URL (unless you want a really inefficient approach or need to proxy from a different server), and if it is a URL then it needs to start with the scheme (e.g. http://).
The content-type needs to be the actual content type of the video (e.g. video/mp4), not a file extension (and it doesn't make sense for it to be provided by the user).
You also need to sanitise the user data. At present (if the errors described above were fixed) then anybody could request any file that exists on the server.
This question already has an answer here:
php: force download to hd?
(1 answer)
Closed 9 years ago.
i was trying to download from an android application a php file stored onto my server.
From the application i call a webservices that have to give me in output the file .php that i need.
On the web i found this that talk about which header set to download a file. It talks about
zip
jpg
txt
pdf
Then i was thinking to develop something like:
Application call ws to get a php page
Ws zips the php file that application needs and give me in putput
Application download the zip file and extract it.
This is a good solution but i was trying to find something better.
Another solution that is really like what i want is highlight_file
Just use it like:
echo highlight_file("myphpfile.php");
The problem is that in order to render good the file, the code is divided by many html tags and just "visually" is the same file but the source is really different.
Is there a way to download the file directly? Thanks! :)
The simplest solution might be:
<?php
header('Content-Type: text/plain');
readfile("myphpfile.php");
this will display the file as text in browser you can click 'save as...'
If you need the browser to popup a 'Save as...' dialog by itself - without displaying the file - then you'll need the Content-Disposition header:
header('Content-Type: text/plain');
header('Content-Disposition: attachment; filename="myphpfile.php"');
readfile("myphpfile.php");
For an image file (JPEG) that has been uploaded to the server via a PHP script (to a directory such as http://www.somedomain.com/images, is it a good idea to allow the client to get the image's direct address (such as http://www.somedomain.com/images/someimage.jpg and paste it into a WYWSIWYG text editor (such as TinyMCE)?
I am wondering if there is a preferable method where the direct address is encrypted?
Please, if I should just link directly to the image, just say so.
Thanks!
Note: I have modified this question from my original. Please see revisions if you are curious, but I think I was asking the question incorrectly. My apologies to the people who already answered.
As long as you check correctly WHAT is being uploaded, it shouldn't be a problem. So please at least use getimagesize or a similar function to make sure it's an image that's being uploaded, AND make sure the extension on the file is correct so that it will never be run through the PHP interpreter - to prevent someone from uploading an image with a PHP script attached.
BTW Here's a nice whitepaper on uploads and security : http://www.scanit.be/uploads/php-file-upload.pdf
Depending on the CPU Constraints of your web-hosting service you can write a service to 'serve' the images to your users.
Here is some very BASIC code, it needs spiffing up and cleaning up for XSS/etc...
<?php
$basePath = "/path/to/my/image/store/not/web/accessible/";
$file = NULL;
if (isset($_GET['file']))
$file = $_GET['file'];
if ($file != NULL)
{
$path = $basePath . $file;
// $file needs to be checked for people
// trying to hack you, but for the sake of simplicity
// i've left it out
$mime = mime_content_type($path);
$size = filesize($path);
header("Content-Length: " . $size);
header("Content-Type: " . $mime);
header('Expires: 0');
readfile($path); // Outputs the file to the output buffer
}
?>
Obviously you can put whatever security checks in here you want. But this way your files are below the web dir, and you can apply logic to thier accesibility. This is typically used more for FILE vs. Images, but you can do the same thing here.
Images Accessed like this
http://www.mysite.com/image.php?file=hello.jpg
And you can use mod_rewrite to rewrite urls like this:
`http://www.mysite.com/images/hello.jpg
Into the first url.
I Cannot stress enough the need for further security checking in the above example, it was intended to show you how to serve a file to the user using PHP. Please don't copy & use this verbatim.
Wordpress uses direct links for images. The permalink function simply puts the image on a page along with metadata for comments, but the images' SRC attributes still link directly to the image.
why are you concerned about revealing your image location. Hotlinking?
if so you can prevent hotlinking with htaccess
http://altlab.com/htaccess_tutorial.html
Didn't you get your answer already?
Every site reveals image location to the browser. It's just the way web works.
Got any reason to "encrypt" original location?