I am planning to do a web-app that will control the download to users. To prevent users from directly accessing the file, what I can do a htaccess to prevent downloading the files. But my question now is how to access it.
What I am thinking is access the file via server path and place the file in the server temp then generate a link to download it. The question is, how to do this? Also, if there are other easier methods on doing this.
I am using CI btw.
Thanks.
Place the files outside the webroot, so they're not accessible via the web server.
Create a PHP script that a user can access that will read the file from disk and output it to the user, see readfile.
Implement any kind of authentication/authorization mechanism in that file that you want.
Related
Example:
if we hit the link of any document then we can easily download it. for example backup.sql inside the backup folder of the website then we can download it by hitting URL www.example.com/backup/backup.sql
I don't know which type of document the client will store there but obviously, it can be confidential that is why it is not shareable to all.
working:
now I am creating a certain document management tool where we can upload a document and download the document and can assign to users who can download that document but while creating I got the idea that anyone can brute force that folder just hitting URL with random names. backup.sql, database.sql and so on. I am using URL myself to make the document downloadable should I go with get_file_content()?.
I want to know if there is a way to download the file in a secure way example only the user that is logged in into my website can only download the file.
something like via htaccess or something else I can block the files directory from outside access. only the logged-in user can download the file and it will be blocked by outside access so that nobody can brute force it. I know I can block it via htaccess but I want them to download too but only for the users of my website.
maybe you should use "x-accel-redirect" for Nginx, and "X-Sendfile" for Apache.
I'm working on a website that is generated from a server. I have a php file where I include files that are stored on my computer and are necessary for the code to work. The files that I need are related to google calendar API like my credentials and a link to the API folder just like in the quickstart.php example of google (https://developers.google.com/google-apps/calendar/quickstart/php).
I think that storing these files on the server is not such a good idea. Is there a way for me to link local files from the server in an include or require? Or do I have to put everything on the server? And in that case how do I know the filepath to my files?
I am not in control of the server I just have acces to a small part of it. It is the school server and I'm working on one directory or so from that server so I can't do anything from root or so.
Thanks in advance and if my question is unclear please notify me so I can rephrase it.
If you want to protect the code from exposure, try PHP ionCube Encoder. So someone who has access to the server can't read the code, but still it will run correctly.
You CAN include remote files via HTTP if you can configure the server to set the following in the php.ini.
allow_url_include = On
This is NOT the normal setting as it could leave you more vulnerable to attacks. So this method is not a recommended one, but it is possible.
You should consider setting up an additional account on Google and then using that to work with. You can share the relevant calandars from your personal account with that account and thus protect yourself better.
Create a folder on your server outside of the public html folder. Go one directory above your website route directory and create your folder there. People will not be able to navigate to that new folder as it is outside of your website route. Store your sensitive files in the new folder. Then just require them in your normal files as needed. This protects your sensitive files in the event your PHP handler failed (rare but can happen) as the content of your sensitive files would not be displayed to people as plain text on your website. Remember to set appropriate folder and file ownership and permissions also on your server.
I have following requirement.
Admin can upload any files like jpg,pdf,PPT,DOC file on server.
End User or viewer only access the files in display/view mode. User shouldn't to be allowed to copy/paste/download/print/modify files.
Please suggest me some way in doing this in PHP or any kind of Editor which gives me such kind of services so that I can embed my application to it.
-Pravin
If the user can VIEW the file then how can you make the difference between VIEW and DOWNLOAD ?
Answer: you can't.
To view a file, the browser should download it and store into it's local cache. You do not have any way to prevent this.
What you can do is to restrict the access to the directory (or the resources) with a htacess security asking username/password.
I have an app from which I upload files to the server. The files uploaded in the same folder where the php script is placed. THe files can be viewed easily if any one finds out the URL, thus it is very easy to hack and destroy the data.
I have to provide the download address to users for downloading the data they uploaded but if I provide the exact URL, their is fair chance of loss of data.
I want to know is there a way to encrypt the URL or any other way of securing the folder where my data is uploaded.
my URL is like www.hostname.com/myfolder/file.txt. Due to such plain URL, I can't benefit much from URL encoding in Java.
I am a Java programmer, I have experience in php.
Regards
A few remarks:
Use sessions and make the users authenticate themselves.
Put the files in an upload/ folder, which is outside of the web root.
When files are requested, check in the upload/ folder if they exist and serve them from there.
If a file already exists, deny upload.
Run everything from a secure (HTTPS) host.
I have a web folder that I would like to restrict access to via password protection. I would like to have multiple user accounts so .htpassword may not be the answer here. The folder contains web pages and .exe files for download and I would like to ensure someone cannot access an exe file just by knowing the URL.
Is there any way to use PHP to limit access to all contents in a folder or would it be best to just use a PHP page to launch file downloads and never expose the exe's URL?
Thanks
There is no way to protect a directory with php. You could always create seperate htaccess files in subdirectories and do a require a user but you'd probably be better off just using a php login, in addition a login form and logout looks much more professional.
you can't authenticate straight using php, but you can use a database, here is a example of htaccess check in databases, and that database can be updated by PHP, so you've got esentially the same thing