For our application we need to store files above the root so they can be accessed by the streaming media software.
I successfully created a symlink from:
/var/www/vhosts/myhost.com.au/httpdocs/fileserver/videostream/
to:
/usr/local/MediaServer/content/
and PHP will happily process my raw video following that symlink to the real file above the root.
However, if I try
file_exists('/var/www/vhosts/myhost.com.au/httpdocs/fileserver/videostream/myfile.mp4')
I run into all sort of "open_basedir restriction in effect" errors.
Is there a way around this? or do I need to just assume that if my database entries are correct and say the file was processed, that it actually was.
Would trying fopen work any better or is there still the basedir restrictions?
We are on a dedicated host with root permission so we can do whatever is needed.
Thanks.
Found a workaround, but it doesn't solve the question :-)
I can actually use CURL to pull in the headers of the actual file and this lets me know whether it exists or not. Plus an additional method is to check the existence of the Streaming Media servers custom URL for that file using CURL. Problem solved, but not quite how I wanted it to be.
You should look into is_link instead of file_exists
If you just want to check if the link exists (and not that the link target exists to which you have no access anyway because of the basedir restrictions) you could use the readlink function instead of file_exists. If it returns a string then the link exists, if it returns false then the link most likely does not exist.
if (#readlink($filename) !== false)
{
echo "Yay!";
}
In theory the basedir restrictions shouldn't trigger here, but I don't know for sure.
Related
$path = 'http://fbcdn-profile-a.akamaihd.net/hprofile-ak-snc6/372096_100002534902767_1927052265_n.jpg';
$info = file_put_contents('new/angel.jpg', file_get_contents(urldecode($path)));
echo $info;
It works fine on localhost but it did not work on my website.
Any idea what the problem might be?
Check your logs for error messages
Does the folder ("new") exist?
Are permissions set to allow writing by scripts?
Are you sure the error is in file_put_contents? file_get_contents could fail if the host has disallowed url_fopen.
unless $path is actually hardcoded, you will probably introduce an arbitrary file disclosure security issue. Make sure you validate your input.
you need to give a permission (write ) to upload folder
you can do that by the FTP program by using this codes in numeric value :777
Make sure that there are write permissions to the file in which you are writing
I think the relative path is the problem. It can possible that your local has the path to that file but the path does not exists on server.
3.Please put a forward slash in line $info=file_put_contents('new/angel.jpg', file_get_contents(urldecode($path))); before your "new" folder and try i think this might be a problem
I have implemented a php website that has some users.
I want to manage their access to static files.
In addition, I have a function in a file permissions.php that gets a url (e.g. /images/secret.jpg) and checks the it's permission for the current logged in user.
I think I need to add something to .htaccess file that for every request, first call my function in permissions.php then serve the file if it returns true otherwise return 404.
How can I do that?
One way you can do this is to set the permissions for all the file to be protected, and use PHP to fetch the file and serve it by modifying the headers.. This way, you can check if the user has permission to the file, and if they have, the PHP code will fetch the file and serve it to them.
(Incidentally, there's an answer on the linked question that changes .htaccess. I prefer not mess with that myself).
Am I enforced in some way to use move_uploaded_file() and/or delete the temporary file?
My application needs only to load the file contents in memory (eg. via file_get_contents()). Do I need to move it to another directory before? Otherwise, am I required to delete it at the end of the script?
If you don't want to save the uploaded file somewhere, you don't need to use move_uploaded_file(). Read from the file however you like; it'll be deleted automatically by PHP at the end of the request.
Yes, in cases when open_basedir or safe mode (hopefully safe_mode will go out of style eventually) otherwise prevent you to read from the location the uploaded file was saved to. The move_uploaded_file() is aware of those restrictions but only enforce them to the second parameter, so you can move files out of lets say /tmp/ while otherwise you couldn't read that directory.
I want to allow users to put in am img url instead of uploading an image, the image would then go through my thumbnailing class.
Is file_put_contents the best method?
Yep, you can get the contents of a file given its url using file_get_contents, and then just write that to disk, or pass the contents to your thumbnail class to save. There might be safe_mode restrictions on this, but usually it's fine.
file_get_contents will work fine for pulling an external image.
Just bare in mind that some hosts put restrictions on fopen and fopen's wrappers (like file_get_contents and file_put_contents). These can be an all out block on fopen or restricting what it can access (like external files).
Beware of security implications!!! If you aren't careful, users will be able to put ARBITRARY STUFF on your server - including an evil PHP script, renamed as an image! All that they'll have to do to pwn your server when that's done is to rename the file to .php... Be careful.
On the current website I'm working on, I've got a directory of files for users to download which would be really nice to have some security method other than obscurity ;)
I was wondering if there's any way to supply login information via PHP to htaccess as though a user were entering it.
Alternately, if anyone knows a better way to secure user downloads using PHP, that's also acceptable. All of my googling turns up "just use htaccess" which isn't really helpful, as from the non-savvy user's point of view, they have to log in twice every time they use the website.
My best guess at doing it exclusively with PHP is to store files above the web root, then copy them to a web accessible folder temporarily, but this seems highly inefficient and I couldn't think up any way to remove them after the download has finished.
Note: I don't own the server this is running on and don't have ssh access to it.
If files are not too big (Gb) you can always use readfile for file's download. In this mode you can check user's auth before, and if it's ok output file contents to user, otherwise send him to login page.
With this method you can put your files in protected (with .htaccess) directory so you can be sure that nobody who isn't authenticated can access them.
I think I would either store them in a folder outside of the web root, or in a folder protected by .htaccess and then have a php script that checked if the user was logged in and allowed to download a file asked for. If he was, then just pass the file through to the user.
Example from linked page at php.net:
Example #1 Using fpassthru() with binary files
<?php
// open the file in a binary mode
$name = './img/ok.png';
$fp = fopen($name, 'rb');
// send the right headers
header("Content-Type: image/png");
header("Content-Length: " . filesize($name));
// dump the picture and stop the script
fpassthru($fp);
exit;
?>
Someone else made a comment about having to report the correct content-type, which is true. Often, in my own experience, I already know it, or can use the file extension pretty easily. Otherwise you can always try to have a look at finfo_file. On that page there are also some comments about what you could do especially for images as well.
you should use a php script to control the access.
create a dir outside the webroot or inside the webroot with a .htaccess where you location the download files.
outsite the webroot is better.
you have to make sure that no one can access those files if they are located inside.
then take from the pear class lib. the class http_download.
using this class has many advantages.
Ranges (partial downloads and resuming)
Basic caching capabilities
Basic throttling mechanism
On-the-fly gzip-compression
Delivery of on-the-fly generated archives through Archive_Tar and Archive_Zip
Sending of PgSQL LOBs without the need to read all data in prior to sending
you should not use readfile oder any forwarding filepointer because you have to set the headers yourself and the don't support http "range".
for the access restrictions you can use you session-manager, password, framework, forum etc.
pear - http_download http://pear.php.net/package/HTTP_Download
you need to copy the url, because SO encodes it to url-encoded string (which is correct), but PEAR-homepage doesn't like that.
Why reinvent the wheel? Take a look at File Thingy, which is pretty easy to install and customise. If nothing else, you can study the source to learn how to perform the authentication step.
You could use MySQL to store uploaded files, rather than storing them in a file, better and more secure, in my opinion. Just Google "MySQL upload php" for example.
You could create the htaccess file using a PHP script, from your users table, each time a user accesses that folder, very troublesome.
I think the first option is better.
Use X-SendFile! There's extensions for Apache, Lighty and Nginx so there's a good chance there's one for your webserver.
Once you have the extension installed, you can authenticate the user using your PHP script, and then add the header:
header('X-SendFile','/path/to/file');
When your PHP script is done, it will trigger the webserver to stream the file for you. This is especially efficient if you use PHP along with for example FastCGI, because it frees up the PHP process for other work.
Evert