Trying to protect video files that are done in camtsia which outputs html/with flash embed video files.
Not sure how I would access them using PHP. I've searched stackoverflow and found using alias would be an option? Is that still secure though? Is that the best way to go? Or should I try to purue a file open operations using PHP.
It needs to serve an html page which has .js .swf files along in the same protected dir.
Any help or direction is appreciated.
You would use readfile to access the file and the header function to forge the content. Make sure the www-data user, which is the Apache user and PHP uses it to access the filsystem, has permission on that folder.
header('Content-type: video/avi');
header('Content-Disposition: attachment; filename="videodownload.avi"');
readfile('/var/videos/myvideo.avi');
Related
Here is the current scenario:
I have an index.php file located at ./dl/ that lists the files in a folder named ./dl-meta/, using the glob function. It works pretty well.
The thing is, I would also like to password protect my files. I took a look at Apache's folder protect utilities, tho upon further inspection I realized that someone could easily brute force their way into my files. (I also saw that the password menu looked quite bad). So, instead of using Apache's rules, I tried making my own folder protect script in PHP, using session variables.
...The login script I crafted does a great job protecting my PHP files. Once the session is started, I can simply call this bit of code at the start of my PHP pages located at /dl-meta/ to see if the user has the right to view the page:
if($_SESSION['login'] === false){
echo "Access denied :(";
die();
}
Obviously, I can't run this piece of code for files like video.mp4 (AKA I can't deny access to video.mp4 if the user is not logged in).
Is there some way I can deny access for non-PHP files when the user is not logged in?
or maybe...
Should I obfuscate the /dl-meta/ folder? If so, how could I achieve this without breaking my file indexer and /dl-meta/'s folder hierarchy? Keep in mind that there are multiple subfolders in there...
Thanks for the read, SO! Feel free to ask for my code if you think it can help.
I figured it out...
Using readfile(); I can make it so im able to download a specific file, from another location. Heres an example:
$path = "./files/video.mp4";
header('Content-Type: ' . mime_content_type($path)); //Tell the browser to interpret as an .mp4 file
header('Content-Disposition: inline; filename="'.basename($path).'"'); //Change name of file (cool if you want to add some kind of watermark to your filenames)
readfile("../dl-meta/".$path); //Distribute the damn thing
Using the above code will make the client download the file/play it like if you directly accessed the resource. AKA you can download files from /script/file.php without revealing the URL of the actual file.
My goal is accomplished: I can protect files like video.mp4 behind a hand made PHP login wall.
Tho, some questions still remain unanswered.. Will this code make the downloads slower/use more system resources than vanilla direct downloading?
Bigger 5gb 2 hour MP4 files dont even load anymore... Any tips with that please?
There is a fully running PHP site that can only be accessed when logged in with ID/password.
I have been asked to add a function to the site that uploads PDF files and show existing PDF files in the browser.
So I achieved this by using iframe to embed PDF files in the browser.
But the problem is, the PDF files shouldn't be directly accessible (shouldn't be opened when accessing www.aaa.com/pdf/test.pdf), and must only be shown in the site so that only authorized users can view the file.
So I tried a few things :
.htaccess : I'm not too familiar with PHP/HTML so searched some answers on stackoverflow and tried them without success.
such as
order deny,allow
deny from all
allow from 127.0.0.1
or
Require local
and so on. It obviously blocked direct access, but also didn't allow the PDF to be shown from the site (www.aaa.com/showPDF.php). Come to think of it, the above methods seem to only allow the files to be read when opened from the physical server.
Moving the PDF folder outside of webroot : I succeeded moving the upload folder outside of webroot and also uploading to it, but then iframe doesn't work since PHP can't find the PDF file. A workaround was to use headers and PHP readfile(), but I can't seem to modify the headers from where I'm from since the headers are already sent beforehand in files that I cannot modify.
I think I'm making this overly complicated, and I think an appropriate .htaccess file will simply do, but don't have much knowledge in this area. Would really appreciate help here, thanks!
Seems it was simple enough.
Order Deny,Allow
Deny from all
Allow from www.aaa.com
worked. Thank you for your suggestions!
=======================================
Edit : above didn't work.
In fact, I didn't have permission to access outside my webroot.
So I stored the pdf files inside a folder within my webroot and denied access from all by using :
Deny from all
in .htaccess.
After that, since iframe was denied by .htaccess, I tried to print the contents of the PDF by using file_get_contents(). But this required setting header information such as
$contents = file_get_contents($filePath);
header('Content-Type: ' . mime_content_type($filePath));
header('Content-Length: ' . filesize($filePath));
echo $contents;
But the php page that shows the contents of the PDF file (showPDF.php) already sent out headers during initializing, and I didn't have rights to modify that part.
So I made a fresh php file (pdfviewer.php), added session information, and added the above 4 lines. After that I iframed pdfviewer.php within showPDF.php and it finally worked.
I think this problem was REALLY specific to my current situation but hope someone finds it useful.
Also, thanks #CBroe since I realized I was wrong and got some hints!
My site interacts with the PayPal Digital Goods API which on completion redirects back to my PHP script which then allows the download.
I would like to know the best way to protect the directory containing digital goods which is outside of the web root.
At the moment I am protecting the directories by removing all permissions. When the download script is called the permissions of the directory containing the digital good are changed to allow the download then removed again. Below is a shorthand version of what's happening in the script.
chmod('/digital/goods/directory/file', 0777);
readfile(file);
chmod('/digital/goods/directory/file', 0000);
I'am sure this cant be the right way to do this. Could you use htaccess without the user having to enter the user and password? Any pointers would be appreciated.
Ensure the files aren't being served directly. In Apache, you would keep them out of the DocumentRoot.
Then, the permissions shouldn't matter, since there is simply no URL that maps to them.
Store your digital goods above the DocumentRoot, and then serve via a PHP script with a unique hash for each purchaser
ie)
DocumentRoot: /home/user/public_html/store
Protected Folder /home/user/goods
With PHP use:
Readfile() see http://php.net/manual/en/function.readfile.php
and use something like this to serve the file:
<?php
// We'll be outputting a PDF
header('Content-type: application/pdf');
// It will be called downloaded.pdf
header('Content-Disposition: attachment; filename="downloaded.pdf"');
// The PDF source is in original.pdf
readfile('/home/user/goods/original.pdf');
?>
I'm trying figure out how I can protect digital downloads in PHP. Just need some general directions so I can start my research. I don't seem to be able to find anything useful.
I want to make files available for my users to download but don't want them to be able to directly access a download folder. Also, I want the download link to be available only for set period of time or a single download.
Could some one point me in the right direction?
The best way is to delegate the download managment after your check to the mod for apache
x_sendfile
https://tn123.org/mod_xsendfile/
Usage:
<?php
...
if ($user->isLoggedIn())
{
header("X-Sendfile: $path_to_somefile");
header("Content-Type: application/octet-stream");
header("Content-Disposition: attachment; filename=\"$somefile\"");
exit;
}
?>
<h1>Permission denied</h1>
<p>Login first!</p>
Basically when you send the header X-Sendfile the mod intercepts the file and manages the download for you (the file can be located whenever you want outside the virtualhost).
Otherwise you can just implement a simple file download.php that gets the id of the file and prints the contents with readfile after the login check
Just some examples: You can place your files outside of the webserver's document root or in a directory that is protected by a .htaccess file with a "deny from all" rule; then you deliver the files by a custom PHP function that sets the correct headers (mime-type, filesize etc.) and returns the file.
You could create links with unique id's based on MD5 or SHA1 hashes - a mod_rewrite rule points the id to your PHP file, you lookup the id in the database and do your time checks, like
example.com/downloads/73637/a8d157edafc60776d80b6141c877bc6b
is rewritten to
example.com/dl.php?id=a8d157edafc60776d80b6141c877bc6b&file=73637
Here's an example of doing something you want with nginx and PHP:
http://wiki.nginx.org/HttpSecureLinkModule
"Secure Download Links", a PHP Script can be used to hide download url or rename download file, it has option for storing below web root and for files stored above webroot that is with absolute http urls also.
I have a problem regarding to prevent download and saving of uploaded files.
My users can upload multiple files types like doc, pdf, ppt,etc....
This all file types are easily download if any one have url.
So what is the better way to prevent the download of the file.
Or i convert the uploaded files to some specific format which can not download easily (e.g flash)..
I am running on php and mysql.
Thanks
Avinash
You have two options in this regard. The first is to move the files, through a PHP script, to a server-side folder outside of the server's web directory. The second is to store the files in a BLOB column in a MySQL table. Both will prevent users from accessing the files directly, without the need to convert the file to a not-so-easily-downloaded format.
Upload the files outside of your document root. For example:
/var/username/uploads/file.docx
where your document root is
/var/username/public_html/index.php
So they can't be accessed directly. And then if you want to allow downloads, create a PHP file called "download.php" that does something similar to:
$data = file_get_contents('/var/username/uploads/file.docx');
header('Content-Type: application/docx');
header('Content-Length: '.strlen($data));
header('X-Content-Type-Options: nosniff');
echo $data;
and obviously you can add checks to see if the user has the proper permissions to download this particular file or is logged in.
A solution can be to set a user and a password to the upload folder, so only the users that know authentification details can download files.
Check next link for learn how to make htpasswd files on your server folders:
http://httpd.apache.org/docs/1.3/programs/htpasswd.html