I have to download .php file with php source code from a apache directory listing page. can anybody have such idea or experience????
You can either rename the file by choosing a different extension.
Or, you can remove the AddType attribute in IfModule related to your directory that defined .php extension.
You could use http://us3.php.net/highlight_file to set up a specific file that can print out the source for any file. If you look at the description section it also talks about how you can setup your server to automatically display the source if you have a file named .phps.
You should be able to figure out a solution that works for you with something like this.
If you absolutely need the file to download and not just display the source you could create a script that reads the file and presents it to the user as a plain text file download. That could be accomplished with a combination of http://php.net/manual/en/function.file-get-contents.php and http://us3.php.net/manual/en/function.header.php
You need to stream the file contents through another script:
download-file.php
<?php
$file = '/path/to/php-file.php';
header('Content-Type: application/x-httpd-php');
header(sprintf('Content-Disposition: attachment; filename=%s', basename($file)));
readfile($file);
Related
previously I could download wav file in php and IIS. But now file is not downloadable.I don't know what is going wrong . After installing and changeing php 5.3 to php 5.4 with php manager in IIS, the file is not able to downloaded. I have link to file to download it which looks like this:
Download
download.php scripts
<?php
$filename = $_GET['voice'];
$dir = 'd:/temp_file/voice/';
if(is_file($dir.$filename))
{
header('Content-type: audio/wav');
header('Content-Disposition: attachment; filename='".$filename.'"');
echo file_get_contents($dir.$filename);
}
?>
while I was trying to find the mistake why file is not downloadable, I remove if statement and run program, it does prompt window download file with audio player of empty wav file. So, I conclude that there is mistake in path which is not allowing to access file of another drive. I have php code in c:\inetpub\wwwroot\ but wav file to be download is in the d:\temp_file\voice path. What Should I have to do?
Maybe PHP open_basedir restriction.
Try to add d:/temp_file/voice/, to its content in php.ini.
Update
I never used IIS, but another thing that you have to check is if the IIS User have permission to read that directory. Try to add, just for test, Everyone with all permission to d:\temp_file\voice.
I don't know what is going wrong
Then enable error reporting, for what it looks like to me it's a syntax error at header('Content-Disposition: attachment; filename='".$filename.'"'), you're missing a quote (') after filename='". But since you say it has worked (and works without the if), I'd say that's a copy paste error.
Then do a var_dump($filename), which might contain quotes, since you put those around the URL in the link (<a href="download.php?voice='$filename'">). The file D:/temp_file/voice/'foo.wav' might not exist.
I'm trying figure out how I can protect digital downloads in PHP. Just need some general directions so I can start my research. I don't seem to be able to find anything useful.
I want to make files available for my users to download but don't want them to be able to directly access a download folder. Also, I want the download link to be available only for set period of time or a single download.
Could some one point me in the right direction?
The best way is to delegate the download managment after your check to the mod for apache
x_sendfile
https://tn123.org/mod_xsendfile/
Usage:
<?php
...
if ($user->isLoggedIn())
{
header("X-Sendfile: $path_to_somefile");
header("Content-Type: application/octet-stream");
header("Content-Disposition: attachment; filename=\"$somefile\"");
exit;
}
?>
<h1>Permission denied</h1>
<p>Login first!</p>
Basically when you send the header X-Sendfile the mod intercepts the file and manages the download for you (the file can be located whenever you want outside the virtualhost).
Otherwise you can just implement a simple file download.php that gets the id of the file and prints the contents with readfile after the login check
Just some examples: You can place your files outside of the webserver's document root or in a directory that is protected by a .htaccess file with a "deny from all" rule; then you deliver the files by a custom PHP function that sets the correct headers (mime-type, filesize etc.) and returns the file.
You could create links with unique id's based on MD5 or SHA1 hashes - a mod_rewrite rule points the id to your PHP file, you lookup the id in the database and do your time checks, like
example.com/downloads/73637/a8d157edafc60776d80b6141c877bc6b
is rewritten to
example.com/dl.php?id=a8d157edafc60776d80b6141c877bc6b&file=73637
Here's an example of doing something you want with nginx and PHP:
http://wiki.nginx.org/HttpSecureLinkModule
"Secure Download Links", a PHP Script can be used to hide download url or rename download file, it has option for storing below web root and for files stored above webroot that is with absolute http urls also.
I am working on a project which creates a KML File (just like an XML file, but used for Google Earth). Whats interesting is when I link to the newly created file, on my local machine, running XAMPP, the file is downloaded automatically, however when I move it to my web server (Linux, Fedora 8 on EC2) the link just loads the KML file in the browser as if it was an HTML file.
How can I force it to download the file instead of viewing it in the browser?
Here's how to link is displayed with PHP,
echo "<a href='$currentTime.kml'><img heigth=\"15px\" width=\"13px\" src=\"images/KML_Icon.gif\" /> Download</a>";
Any advice would help, thanks!
What you need to do is to specify the headers so the Browser knows what to do with the information that you are sending. So before you send anything to the browser you will need to specify the headers.
If you are linking to a specific file, then you will have to create a little "download manager" that will do this for you.
<?
header('Content-disposition: attachment; filename=the-name-you-want-them-to-see-in-their-download.pdf');
header('Content-type: text/xml'); //Since KML files are based on XML this is probably the best Content type to send to the user.
readfile('the-file-you-want-to-present')
?>
That should do it.
Thank you for your guys' input, but Oded had the answer regarding the mime types.
On the server there's a file called mime.types which didn't contain the mime type for a KML file, I added in
application/vnd.google-earth.kml+xml
And it now downloads the file instead of loading it in the browser, by the way apache needs to be restarted once you have made the changes.
I had this a long while ago, I used a method similar to this:
http://webdesign.about.com/od/php/ht/force_download.htm
I have a problem regarding to prevent download and saving of uploaded files.
My users can upload multiple files types like doc, pdf, ppt,etc....
This all file types are easily download if any one have url.
So what is the better way to prevent the download of the file.
Or i convert the uploaded files to some specific format which can not download easily (e.g flash)..
I am running on php and mysql.
Thanks
Avinash
You have two options in this regard. The first is to move the files, through a PHP script, to a server-side folder outside of the server's web directory. The second is to store the files in a BLOB column in a MySQL table. Both will prevent users from accessing the files directly, without the need to convert the file to a not-so-easily-downloaded format.
Upload the files outside of your document root. For example:
/var/username/uploads/file.docx
where your document root is
/var/username/public_html/index.php
So they can't be accessed directly. And then if you want to allow downloads, create a PHP file called "download.php" that does something similar to:
$data = file_get_contents('/var/username/uploads/file.docx');
header('Content-Type: application/docx');
header('Content-Length: '.strlen($data));
header('X-Content-Type-Options: nosniff');
echo $data;
and obviously you can add checks to see if the user has the proper permissions to download this particular file or is logged in.
A solution can be to set a user and a password to the upload folder, so only the users that know authentification details can download files.
Check next link for learn how to make htpasswd files on your server folders:
http://httpd.apache.org/docs/1.3/programs/htpasswd.html
I have a downloads directory on a website where I store a bunch of different files for people to download (zip, exe, java, php, etc). The problem is that my website is written in PHP, so the web server, Apache, tries to execute the scripts instead of letting people download them. Without having access to Apache config (I'm on shared hosting), what is the easiest way to prevent Apache from executing scripts in a single directory?
I tried using mod_mime unsuccessfully. AddType doesn't work because (I'm guessing) a MIME type is already associated with PHP scripts. ForceType doesn't work because I store different types of files in the directory. Are there any other options?
If you have sufficient permissions for that, putting the following line in a .htaccess file in the directory in which you don't want PHP script to be executed might do the trick :
php_flag engine off
(Just tested on my webserver, and I got the source of a PHP script -- which had not been executed)
You could write a separate PHP script which sends the right Content-type header and then uses readfile() to pass through the contents of the PHP file without PHP actually executing them (and since Apache already passed off the request to PHP, it no longer cares). Just make sure you restrict it to only serving things out of that directory.
I think the common solution to this is to give files the extension phps.
I think I have the solution for you. Check this out:
http://www.boutell.com/newfaq/creating/forcedownload.html
Basically, it says that you should have the following code in your php page:
<?php
header('Content-disposition: attachment; filename=whatever.php');
header('Content-type: text/html');
readfile('whatever.php');
?>
I made a sample here:
http://sotkra.com/test.php
This forces the 'download' file prompt where the file download is the whatever.php
Cheers
You should have a download gateway script, such as download.php. It should take a query string argument which lists the file that needs downloaded.
That argument should be matched against a pre-existing ARRAY of accessible files (big security point there).
Then use:
<?php
$file = trim(isset($_GET['file']) ? $_GET['file'] : '');
$allow = array(
'foo.php' => 'text/plain',
'foo.jpg' => 'image/jpeg',
);
if(! isset($allow[$file]))
die('File not found.');
header('Content-Type: ' . $allow[$file]);
readfile($file);