Moving files around in PHP (relating to uploading files) - php

I have a site that people upload large (2mb-3mb) files to, in large quantities. So I need to store them on an external drive (my drobo). How can I upload files to a folder on the server, and then how can I write a PHP script that retrieves them and lets users download them?
Thanks,
Joey Sacchini

To do this, simply move your files into an accessible space.
http://php.net/manual/en/function.move-uploaded-file.php
Be sure to consider the implications of this though. Once you move an uploaded file to an open directory, anyone can access it. This is very dangerous. Imagine someone uploading a PHP script.
It is best to create a script that fetches files from a location not in the web root. At a basic level, you can store the file's properties, such as original name (you should rename them to something random on disk) and mimetype, to database. Then send the file to the client with readfile().
For downloading backups to your own personal hard drive, just use SFTP.
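The upload side of this advice, as an added example that is not code from the answer above: the file is type-checked from its content, given a random on-disk name outside the web root, and its original name and MIME type are recorded in a database. The `UPLOAD_DIR` path, the `file` form field, the SQLite DSN and the `uploads` table are assumptions made for the example.

```php
<?php
// Added example, not code from the answers above. Assumed names: UPLOAD_DIR,
// the "file" form field, the SQLite DSN and the uploads table.
declare(strict_types=1);

const UPLOAD_DIR   = '/mnt/drobo/uploads';  // assumption: a path outside the web root
const MAX_BYTES    = 5 * 1024 * 1024;
const ALLOWED_MIME = ['application/pdf', 'image/png', 'image/jpeg', 'application/zip'];

function store_upload(array $file, PDO $db): int
{
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Detect the type from the content; $file['type'] is supplied by the client.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_MIME, true)) {
        throw new RuntimeException('File type not allowed');
    }
    // Random on-disk name with no extension, so nothing the client sent ends up in the path.
    $stored = bin2hex(random_bytes(16));
    // move_uploaded_file() refuses any source that was not uploaded in this request.
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $stored)) {
        throw new RuntimeException('Could not store the upload');
    }
    $stmt = $db->prepare(
        'INSERT INTO uploads (stored_name, original_name, mime, size) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$stored, basename($file['name']), $mime, $file['size']]);
    return (int) $db->lastInsertId();
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['file'])) {
    $db = new PDO('sqlite:/var/lib/app/uploads.sqlite', null, null,
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE IF NOT EXISTS uploads (id INTEGER PRIMARY KEY,
        stored_name TEXT, original_name TEXT, mime TEXT, size INTEGER)');
    try {
        echo 'Stored as id ' . store_upload($_FILES['file'], $db);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo $e->getMessage();
    }
}
```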

This is not a quick answer; you need to understand how to upload, retrieve, and save the file to the server, set write permissions for PHP, and a few other things. I suggest you try these links to get you started fast:
http://www.w3schools.com/php/php_file_upload.asp
http://www.tizag.com/phpT/fileupload.php
Also visit the PHP reference manual for some great examples.

Well, you can keep the uploaded files outside of the server directory. So if your server root is /www/htdocs, you can keep the files in, say, /uploaded. So use something like
move_uploaded_file($_FILES['file']['tmp_name'], '/uploaded/' . basename($_FILES['file']['name']));
This way your files will be inaccessible to the outside world.

Related

Processing file in the users directory

I am writing a script that processes a .csv file. The script currently has to upload the csv file to the server in order to process it, and the user has to download the processed file, which is a lot of work for the user.
My question is, is there a way to process files from the user's directory path without the user having to upload the file first? So the user will just browse to the file to be processed, and the file will be saved and processed in that path.
Thanks,
Sbo
Then the only option you have is to do it client-side. To do it client-side you thus have to use a client-side technology like Flash or JavaScript. The latter is probably the better choice. The following URL explains how you can do a client-side file upload: http://igstan.ro/posts/2009-01-11-ajax-file-upload-with-pure-javascript.html
You want to get access to user's computer? Forget it.
The only way to achieve it is to use Java applets with special permissions. In PHP you need to upload it; it can be uploaded to a temp directory, but you still need to upload it.
Java applets need to be signed and have a certificate to be accepted by the user. There is no other way I know to get access to the user's files.
Check this link as well

Securing Uploaded Files (php and html)

I have a simple site which allows users to upload files (among other things obviously). I am teaching myself php/html as I go along.
Currently the site has the following traits:
- When users register, a folder is created in their name.
- All files the user uploads are placed in that folder (with a time stamp added to the name to avoid any issues with duplicates).
- When a file is uploaded, information about it is stored in an SQL database.
simple stuff.
So, now my question is what steps do I need to take to:
A. Prevent google from archiving the uploaded files.
B. Prevent users from accessing the uploaded files unless they are logged in.
C. Prevent users from uploading malicious files.
Notes:
I would assume that B would automatically achieve A. I can restrict users to only uploading files with .doc and .docx extensions. Would this be enough to save against C? I would assume not.
There is a number of things you want to do, and your question is quite broad.
For the Google indexing, you can work with the /robots.txt. You did not specify if you also want to apply ACL (Access Control List) to the files, so that might or might not be enough. Serving the files through a script might work, but you have to be very careful not to use include, require or similar things that might be tricked into executing code. You instead want to open the file, read it and serve it through File operations primitives.
Read about "path traversal". You want to avoid that, both in upload and in download (if you serve the file somehow).
The definition of "malicious files" is quite broad. Malicious for who? You could run an antivirus on the upload, for instance, if you are worried about your site being used to distribute malware (you should). If you want to make sure that people can't harm the server, you have to at the very least make sure they can only upload a bunch of filetypes. Checking extensions and mimetype is a beginning, but don't trust that (you can embed code in png and it's valid if it's included via include()).
Then there is the problem of XSS, if users can upload HTML contents or stuff that gets interpreted as such. Make sure to serve a content-disposition header and a non-html content type.
That's a start, but as you said there is much more.
Your biggest threat is going to be if a person manages to upload a file with a .php extension (or some other extension that results in server side scripting/processing). Any code in the file runs on your server with whatever permissions the web server has (varies by configuration).
If the end result of the uploads is just that you want to be able to serve the files as downloads (rather than let someone view them directly in the browser), you'd be well off to store the downloads in a non web-accessible directory, and serve the files via a script that forces a download and doesn't attempt to execute anything regardless of the extension (see http://php.net/header).
This also makes it much easier to facilitate only allowing downloads if a person is logged in, whereas before, you would need some .htaccess magic to achieve this.
You should not upload to webserver-serving directories if you do not want the files to be available.
I suggest you use X-Sendfile, which is a header that instructs the server to send a file to the user. Your PHP script called 'fetch so-and-so file' would do whatever authentication you have in place (I assume you have something already) and then return the header. So long as the web server can access the file, it will then serve the file.
See this question: Using X-Sendfile with Apache/PHP
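A download script combining the points raised in the answers above (login check, path-traversal guard, forced download with a non-HTML content type, no include), as an added example that is not code from the thread. The `user_id` session key, `STORAGE_DIR`, the SQLite DSN and the `uploads` table are assumptions made for the example.

```php
<?php
// Added example, not code from the thread. Assumed names: the user_id session key,
// STORAGE_DIR, the SQLite DSN and the uploads table (id, stored_name, original_name).
declare(strict_types=1);
session_start();

const STORAGE_DIR = '/srv/private/uploads';  // assumption: a path outside the web root

function resolve_stored_path(string $storedName): ?string
{
    // realpath() collapses "../" segments and symlinks; anything that resolves
    // outside STORAGE_DIR is rejected.
    $base = realpath(STORAGE_DIR);
    $path = realpath(STORAGE_DIR . '/' . $storedName);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Login required');
}

// The client sends a numeric id, never a file name or path.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
$db = new PDO('sqlite:/var/lib/app/uploads.sqlite', null, null,
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$stmt = $db->prepare('SELECT stored_name, original_name FROM uploads WHERE id = ?');
$stmt->execute([$id ?: 0]);
$row  = $stmt->fetch(PDO::FETCH_ASSOC);
$path = $row ? resolve_stored_path($row['stored_name']) : null;
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

// Keep the suggested file name to characters that cannot break the header.
$name = preg_replace('/[^A-Za-z0-9._-]/', '_', $row['original_name']);
header('Content-Type: application/octet-stream');   // never text/html
header('Content-Disposition: attachment; filename="' . $name . '"');
header('X-Content-Type-Options: nosniff');
header('X-Robots-Tag: noindex');
header('Content-Length: ' . filesize($path));
readfile($path);  // the bytes are streamed, never include()d or executed
// On Apache with mod_xsendfile, header('X-Sendfile: ' . $path) can replace
// the Content-Length and readfile() lines.
```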

Is it possible to move_upload_file to my server

I've hosted a site on a shared hosting server.
I've given permission 776 to a folder. Is it possible for someone to upload a file using move_upload_file to my server from his home pc or own server?
Edit
If I do not provide the front panel or some UI to the user, is it still possible to upload a file?
You use move_uploaded_file (note: upload*ed*) to move/rename files in your PHP scripts on your server. The special thing about move_uploaded_file vs. rename is that it will check whether the file was just uploaded in the same HTTP request. If it wasn't, it will fail with an error.
This is to prevent errors in your script or malicious users from tricking your server into moving any other sort of files around that you didn't intend to move. Using it you can be sure that you're only moving uploaded files out of the temp directory to some other destination.
That's all it does. It does not upload files to some other server. You cannot simply upload files to some other server without that server handling that upload somehow (like through a PHP script, FTP, SCP etc).
Not sure what you're asking exactly.
If you're saying, can you make an HTML form and have someone hit that from their browser to upload. That depends what user apache runs as. You can make an HTML form, catch it with PHP and use move_uploaded_file if whatever user apache runs as can create a file in that directory.
If you're thinking someone can write a php script on another computer, and use the function move_uploaded_file, then no, you definitely can't. That's not what that function does. I'd recommend using SCP for something like that.
No, if you do not provide a script which receives the file and moves it, some other user can't upload a file to your server.
All move_uploaded_file does is move a file from the temporary directory on the hard drive to a different location on the same hard drive. It cannot put files on someone else's computer.
Your question is equivalent to asking whether your next door neighbor can copy child pornography onto your home PC's hard drive over the internet. You should be happy that the answer is no.

Video Uploading: recommended process?

Hey just a quick question for anyone who has done this. I want to create a video tube site. I have done file uploads before but was wondering if anyone could give me suggestions on what I am planning to do.
The way I am planning is to have a folder in my web directory and to upload videos into the folder after virus scanning and checking mime. The video will then be converted and compressed using FFMPEG into flv.
I will change the name and store the video reference id in mysql so the file name can be fetched and served.
I will serve the files using HTTP_Download to a flash player
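require_once 'HTTP/Download.php'; // PEAR HTTP_Download package
$dl = new HTTP_Download();
$dl->setFile($path);
// Send only the file name to the client, not the server-side path
$dl->setContentDisposition(HTTP_DOWNLOAD_ATTACHMENT, basename($path));
$dl->setContentType('video/flv');
$dl->send();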
Anyone have any suggestions? Is it a good idea to put all videos in one directory?
You may want to consider a Java based uploader as PHP can run into timeout problems on large uploads.
Also do your FFMPEG processing as a cron job, not at upload, as it takes a long time.
Look into something like Wowza Streaming Server to serve the videos. It allows streaming, and everything is above the root. I name each video with a UID and send a parameter to the Flash video player to decide which one to play.
Where and how you store them will largely depend on how secure they need to be (i.e. should people be able to access the files in the directory directly? or should it be stored more securely than that?)
If direct access is fine, then putting them all in one folder is okay. If not, then you may want to obscure folder names, store them in a secure Database, or in a folder that is not accessible outside of the server.
Also, I'm hoping you're aware of the massive amounts of storage space and bandwidth such a service will consume? I hope you have a scaled solution ready to deploy if you're really serious about this.

Remotely place a file on a windows folder

I need to take a file and move it to a windows machine on a specific folder where it is then to be printed automatically. How would I accomplish something like this? Is it possible with PHP?
Have the user upload the file using a POST form, then use move_uploaded_file to put it into the right folder.
It is possible with PHP. You can upload the file using POST (there are many examples online), and then use - for example - move_uploaded_file to move the file to the appropriate location.
However, you will need to make sure the folder has the appropriate permissions to allow the web server to move files into it.
It is possible with PHP.
But it's also possible with a simple copy console command.
To have another answer, you need to provide much more information.
