I made a form that allows user to upload a file (text documents). I’m using an unique (?) file name made from a combination of time() and the user id (only logged user can upload).
My problem is that the file cannot be accessed externally. That is, only the user who uploaded it or an admin can see it, while it can’t be reached while simply typing www.domain.com/uploads/file_name.txt
I know I can prevent the access to file through htaccess, but if I did understand it correctly, in that way I couldn’t open it even after I am logged in as admin (or as the user who sent the file).
I know I could open the file locally through php so I could show up the content through my admin panel, but that’s a pain since I could output only plain text files without problems. Also I could not download the file.
I could generate on the fly pdf or rtf versions in some cases, however that would quite a long way since I would need to elaborate the content in a complex way. And anyway, I would have no idea how to handle Word or OpenOffice files, which are likely to be the most common cases, and how to not loose formatting or other possible features.
Any ideas?
Why not display a download link for logged in users, like www.domain.com/download.php?file=... The code could look something like:
if( isset($_GET['file']) && user_is_logged_in() ) {
$file = DIR_SOME_WHERE .'/'. basename($_GET['file']);
if( file_exists($file) && user_has_file_access( $file ) ) {
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename='.basename($file));
header('Expires: 0');
header('Cache-Control: must-revalidate');
header('Content-Length: ' . filesize($file));
ob_clean();
flush();
readfile($file);
exit;
}
}
Related
I have a program that users can download from my site via a button which posts to a php page. The php logs the download request into my DB then serves up the actual program for them to download. However, I've noticed from time to time that certain IPs will download the program every half hour...sometimes hundreds of times over many days. Not sure what it is, assuming it's a bot, and the IPs are always in countries like Romania or Hungary.
Initially I was blocking IPs in my .htaccess, but I don't want to keep doing that every time. So I've added code to my php which only allows users to download the program a specific # of times each day. That works fine, however, it's easy enough for someone to just get the direct url to my program and download it that way bypassing the php logic.
1) Is there are way to prevent this? Can the .htaccess be modified to prevent direct downloads of the file but allow my php to serve it up?
2) Should I even be worried about this at all? I'm using a shared server so I'm really just concerned about the bandwidth impacts.
If what you want is not allowing users to bypass the PHP logic, you can render and output the file with PHP script.
<?php
$file = some file from query;
if (some logic matches)
die('Download forbidden');
if (file_exists($file)) {
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="'.basename($file).'"');
header('Expires: 0');
header('Cache-Control: must-revalidate');
header('Pragma: public');
header('Content-Length: ' . filesize($file));
readfile($file);
exit;
}
?>
See: http://php.net/manual/en/function.readfile.php
Suppose your file is stored in /files/, put the script in somewhere like /down.php, and add the following code in .htaccess in /files/.
Deny from all
More on this, you can see: Deny access to one specific folder in .htaccess
Besides, if you really care about the bandwidth, you can enhance your download prohibit logic, like create user system, or put the user IP into the database to manage/restrict the total download bandwidth of each user.
I don't actually now hoy to ask this question, so it may be probably repeated. Let's see: I would like to disable downloading a file from my web without a download script (just using the URL: http://something/file.zip) unless you're registered, with PHP preferably. Yes, it's a very common topic but I haven't found any information! A lot of pages do this, such as uploaded.net. I hope you understand what I'm talking about. Thanks!
First and foremost, don't allow direct access to the file. Store it outside of your web application's root folder, elsewhere on the file system, so that there is no link which can be used to download it. This is because direct access skips any PHP application and interacts only with the web server, which has no knowledge of your application's session values.
Then create a "download" script to serve the file to users. Generally such a script would be given some identifier for the file, something like:
http://yourserver.com/download.php?file=file.zip
(Important: Be very careful how you identify that file. Do not just blindly let users download whatever they want, or they can enter longer paths onto the URL and download any file from your server. Always validate access to things first.)
This would be just like any other PHP script, except that instead of displaying HTML it would return a file. The actual part of outputting the file can be as simple as:
readfile('/path/to/file.zip');
You'd also likely want to set content headers appropriately, etc. A more complete example can be found in the documentation:
<?php
$file = 'monkey.gif';
if (file_exists($file)) {
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="'.basename($file).'"');
header('Expires: 0');
header('Cache-Control: must-revalidate');
header('Pragma: public');
header('Content-Length: ' . filesize($file));
readfile($file);
exit;
}
?>
This is question about downloading files from server using php script. When user clicks on download link, it processed to download.php file, and using header it started downloading.
After downloading file there is one function in download.php file, which updates mysql database about file downloaded and deduct money from user's account. Everything works fine.
Now, the problem occurs when user have download manager installed in pc. Sometimes download started in browser and download manager both. So, at the end there are two download entries in database, And money deducted from user's account two times.
Question : Is there any way to start only one download at time? Or any other way to do this thing?
Download link I provide to user.
<a href='download.php?id=1'>Download Test Video</a>
The script I am using for downloading file. (download.php)
$file = "c:/test.avi"; // $file = $_GET['id'];
$title = "Test Video";
header("Pragma: public");
header('Content-disposition: attachment; filename='.$title);
header("Content-type: ".mime_content_type($file));
header("Content-Length: " . filesize($file) ."; ");
header('Content-Transfer-Encoding: binary');
ob_clean();
flush();
$chunksize = 1 * (1024 * 1024); // how many bytes per chunk
if (filesize($file) > $chunksize) {
$handle = fopen($file, 'rb');
$buffer = '';
while (!feof($handle)) {
$buffer = fread($handle, $chunksize);
echo $buffer;
ob_flush();
flush();
}
fclose($handle);
} else {
readfile($file);
}
record_download('user id', 'file id');
Moving the comment down here for anyone interested.
The function that I had to come up with was a unique download link after a payment had been processed. These are the steps that were taken.
Process the Payment and capture IP address, file and path of the downloadable file - save this information to the database.
Once payment has been deducted successfully, trigger a function that generates a unique token, e.g: sha1(microtime().$transactionid), and save this to the database (note: please don't use microtime() in production, use a random string generator).
Using .htaccess we generated a download link, e.g.: http://domain.com/download/<token> the .htaccess contents:
RewriteRule ^download/([a-z0-9-]) /download.php?token=$1
Optional: If their IP matches what we have in the database, go ahead and allow the user to download the file. If it doesn't, we ask the user to log in so we can update their IP address and begin downloading.
Once you have the token, you can pretty much do any form of validation you would like from here, such as preventing multiple downloads by adding a column in the database download_downloaded INT(1) DEFAULT 0 where if it is set to 1, then it has been downloaded. I would suggest giving the user about a day before locking them out after downloading, just in case their file was corrupt in the process.
Any other additional items, such as download counter etc.
Finally use your code above after to start the download. I would have it structured a little differently though.
download.php
$token = $_GET['token'];
$allow_download = FALSE; // Can never be too careful..
...
//Database lookup to get the file ID
...
$file = "c:/test.avi"; // now from the database call
$title = "Test Video";
// Do any additional validation here
// returns TRUE or FALSE (Boolean) -- Custom function to query the database
$allow_download = check_if_downloadable('user_id', 'file_id', 'token_id');
record_download('user id', 'file id');
// After validation is complete, allow them to download
if ($allow_download === TRUE){
header("Pragma: public");
...
If a user lost their download link (as it has happened many times), we show their download link on their member home page once they have logged in, and they can start downloading again (if you allow it).
I hope this helps. I'm sorry that I can't give out some code examples at this time.
Most of this is just querying the database.
Sometime in our website , need a download link. When click this link then any type of file,image, pdf will be download.You can do this using a simple php script.
want to download a picture name “shafiq_photo.jpg” so parameter is file name “shafiq_photo.jpg”.
Then Create a php file name “download.php” which you use in above file.
<?php
$file = $_GET["file"];
if (file_exists($file)) {
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header("Content-Type: application/force-download");
header('Content-Disposition: attachment; filename=' . urlencode(basename($file)));
// header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
header('Content-Length: ' . filesize($file));
ob_clean();
flush();
readfile($file);
exit;
}
?>
I would recommend to alter the logic:
Deduct money first.
Generate a random string. Save file and user info with it.
In the client profile dump a download link with the random identifier. I mean http://www.example.com/download.php?file=254fd1f5df4df2sd5fsd5f4sdfsd0fsdf5sd4fsdf5dfsdf
Onload complete remove the database entry.
But there is a security hole!
If two people start download that file with that link, then they can bypass payment for one.
But what if someone download that file and send it to other. So, that isn't so much problem. isn't it?
But there is a option attach CSRF token if you think you should really safe.
I'm working to develop a website that allows clients to log in and see various PDFs saved on the server. These PDFs will be unique to the client and should not be accessible by someone who is not logged in. Getting the files onto the server shouldn't be an issue, I'm just not sure on how to serve them to end users.
I've implemented this kind of thing with data from SQL servers being served instead of files, so I'm not entirely sure what the most effective way to go about this.
The website is on a LAMP and my minimal experience is in PHP (but if a framework or other language would make this easier, I can learn it).
I'm probably in over my head but I usually am, so any input would be great.
Put the files outside of the webroot. Then using PHP pass the file though a script. That way no one can link to the file directly and bypass your controls. (Naturally make sure the script that does this only after verifying the user has permission to retrieve that file).
Sample PHP:
<?php
session_start();
if (!isset($_SESSION['authenticated'])) {
exit;
}
$file = '/path/to/file/outside/www/secret.pdf';
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename=' . basename($file));
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
header('Content-Length: ' . filesize($file));
ob_clean();
flush();
readfile($file);
exit;
?>
The easy way is to give these files long random filenames (say, 20 random characters). Technically they will be accessible by anyone, but it will not be possible to guess the URL, so only authorized people will have access.
Alternatively John Conde already outlined a way to serve a file from a PHP script. It will incur a small performance penalty, but will be as secure as your code is. The only thing I can add is that if you cannot place them outside webroot, then you might be able to use .htaccess to prevent people from accessing the files directly.
John posted the primary correct way of doing it, so I'm adding the (probably inferior) alternative: Serve it from the database. Just have a BLOB column for the PDF, and read/store the file data from the database. You'll end up with a quite large table, but it will work. Serving it requires setting the same header()s as John posted, you just send off the data from the DB instead of from the file.
This has the advantage of not having to ensure you don't have filename collisions, etc.
I have files stored outside the public_html folder for security purposes. However, I would like to link to specific files somehow where a user could download one of these files.
I am using a jquery script that allows me to specify a server PATH as an upload folder, and it does upload outside the public_html folder.
The only problem is it requires me to specify a URL to the "upload path" which is used to download the files. I thought I might be able to something like:
public_html/redirect (contains htaccess which forwards all requests to "hiding" folder)
hiding (outside public_html)
A user clicks /redirect/file.doc and they download a file located at hiding/file.doc
Is this possible? If not, how can I give specific file download access to files outside of my public_html directory? I know I've seen it done on other scripts before...
You can do this with "php download handler":
You can use method like this one to return file contents and file information headers to users browser, just make sure that nothing else is outputted before this.
I suggest that you put this to separate file and call that for example download.php.
function returnFile( $filename ) {
// Check if file exists, if it is not here return false:
if ( !file_exists( $filename )) return false;
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
// Suggest better filename for browser to use when saving file:
header('Content-Disposition: attachment; filename='.basename($filename));
header('Content-Transfer-Encoding: binary');
// Caching headers:
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
// This should be set:
header('Content-Length: ' . filesize($filename));
// Clean output buffer without sending it, alternatively you can do ob_end_clean(); to also turn off buffering.
ob_clean();
// And flush buffers, don't know actually why but php manual seems recommending it:
flush();
// Read file and output it's contents:
readfile( $filename );
// You need to exit after that or at least make sure that anything other is not echoed out:
exit;
}
Extending it for basic use:
// Added to download.php
if (isset($_GET['file'])) {
$filename = '/home/username/public_files/'.$_GET['file'];
returnFile( $filename );
}
Warning:
This is basic example and does not take into account that user may try to take some evil advantages of $_GET that is not properly sanitized.
This means basically that user can for example retrieve passwd file or some other sensitive information if certain conditions apply.
For example, retrieving /etc/passwd:
Just point browser to http://server.com/download.php?file=../../../etc/passwd and server returns that file. So before real use you should find out how to properly check and sanitize any user supplied arguments.
It is not possible to for paths outside the public_html.
mod_rewrite only rewrites the request, but the path still should be available to the users.
Another standard way to do this is using mod_xsendfile -- it will allow a web application to have the web server send a file as its output by specifying the path in a header (X-SendFile).