I am using php and i have written codes to allow a user upload a file. For testing purposes, i have saved the file to D:/final/temp/test.xls. Then i generate another file and save it to the same location. This file can be downloaded by the user.
But if an actual user would be using my application,
where should the location point to? Thanks!
You need to upload the file to a directory which is being served by your web server. You have 3 options:
Find the directory where your PHP files are being served and save the files to that location, or a directory underneath.
In your web server config, map the D:/final/temp/ directory to a website or virtual directory.
Create a PHP file that reads the file from the D:/final/temp directory and serves it to the end user. This option is trickier to setup and has more gotchas in terms of performance.
The location which you upload to needs to have write permissions, and the web server also needs to be able to read files from this location.
Related
I understand the security flaw in the following situation:
User uploads filemanager.php and my script moves it to the web accessible uploads folder. User then visits http://example.com/uploads/filemanager.php and has access to my files.
However, if the uploads folder is stored outside of the publicly accessible web folder (i.e. /var/uploads) and the files are never served directly, is it safe to allow any file?
For example to download, the user would go to http://example.com/download.php?id=123 and PHP would look up the file location assosciated with the ID, then directly output the contents of the file as a download (setting headers to force a download and then using readfile())
I understand that viruses could be uploaded, etc. but would the server itself be protected from dangerous files this way?
I have a recursive function which generates about 200.txt files. I am running this application on a local server.
Basically, the front end just has a file upload field, which you just choose a .csv, which it then generates all the .txt files from that, but rather than saving them on the wamp server, is it possible to save them in a specific location?
Example, if I put another field in my front end called 'fileLocation', and the user types in the pathname.
Obviously i'd have to check if it's a directory etc, but is this possible to say save all the files on:
/Volumes/computer/Users/username/Desktop/test/
I'm not sure where to proceed with this.
No, is not possible to access computer files this way by using a localhost. You could zip all files and make the browser download them. Like is described here
I'm php programer and familiar to secur file upload such as:
1- Do not place the .htaccess file in the same directory where the uploaded files will be stored. It should be placed in the parent directory.
2-If possible, upload the files in a directory outside the server root.
3-Prevent overwriting of existing files (to prevent the .htaccess overwrite attack).
4-Create a list of accepted mime-types (map extensions from these mime types).
5-Generate a random file name and add the previously generated extension.
6-Don’t rely on client-side validation only, since it is not enough. Ideally one should have both server-side and client-side validation implemented.
8-check mime type and file name and extevtion of file, also store hash of file and..... and other tips base on this links:
1-http://www.acunetix.com/websitesecurity/upload-forms-threat/
2-https://www.owasp.org/index.php/Unrestricted_File_Upload
but I have web site that users can upload mal file or exe file To the experts examine the file .also confidentiality of files is important.
so this file have two restriction: 1- users can upload mal file or exe file 2-theese file are secret and should have good protection i storage(To maintain confidentiality)
my solution is:
1- I force users to send the zip file .and the program pload the files in a directory outside the server root.. This restriction is sufficient?
2- To maintain confidentiality of files.how can store some section of file in database and other section in the file system stored on the file system. In order to , if the hacker compromise the server will not be able to abtain hole file data?
1- I force users to send the zip file .and the program pload the files in a directory outside the server root.. This restriction is sufficient?
How would you enforce this? Checking the file extension? Trusting user-provided headers? Parsing the file and guessing its MIME type?
2- To maintain confidentiality of files.how can store some section of file in database and other section in the file system stored on the file system. In order to , if the hacker compromise the server will not be able to abtain hole file data?
This won't buy you much. If an attacker can compromise your systems, they can get the database password from the same disk as half the file, and thereby recover the whole file.
A much better idea would be to pass the files' contents to a separate server (e.g. an Amazon S3 bucket) and serve your files from a different domain name.
but I have web site that users can upload mal file or exe file To the experts examine the file .also confidentiality of files is important.
Is this for someting like VirusTotal?
I have a 2.5GB file that I want to allow users to download after they buy it. I originally planned on hiding the file and then just using readfile to dump the file's contents with .zip headers but my GoDaddy server apparently won't allow me to use readfile on such a large file, so I'm stuck with changing the name of this important file every hour. But if someone can just list all the files on my www folder anyway then people can take it without paying for it.
Any suggestions?
As long as you don't allow indexing of the directory then they can't obtain a file listing. To do that create a .htaccess file in the directory and add:
Options -Indexes
Alternatively, if the folder has an index page this will also prevent the server disclosing a directory listing and instead serve the index page.
if you have more than 5 gig host so use the php exec command to copy your file with another name
let say you keep your file with a unguessable name in a unguessable folder
so whenever the buyer confirm the order then you copy the file to a known folder with user-generated name, then pass the link to user
if your host is linux then use cp command if it's windows use copy
use something like cp oldname.ext newname.ext or copy oldname.ext newname.ext
after a certain time you will delete the file in the known folder
I'm trying to list all files (. DOC and. PDF) contained in a specific Web directory.
The problem is that I do not have access. I can only download with the full path of the file.
Example:
Directory 1: http://xxx.example.com/uploads/local20/40
Files:
45677.pdf
54354.doc
65767.doc
54354.pdf
43243.pdf
...
Directory 2: http://xxx.example.com/uploads/local20/41
Files:
45453.pdf
67566.pdf
89798.pdf
89898.doc
52254.pdf
...
I can manually download the files of directory 40 and 41, because I know your path, then
write:
http://xxx.example.com/uploads/local20/40/65767.doc (Download -> OK)
But how to download all the files contained in this directory without knowing the names of files? Or at least list the names of all files.
Obs 1: When I type only the directory (without the name of the file) it returns me an error in XML format. Ex: http://xxx.example.com/uploads/local20/40/
Response: XML Error
...
NoSuchKey
...
Obs2: The Web application use the PHP language.
In order to have the files in a folder listed out in html format when you browse to that folder with a web browser, you'll have to turn on directory browsing in your Apache configuration and make sure you don't have a default page (eg. index.php) in that folder. Don't forget to restart Apache after making the change.
BTW: If this is a folder where files can be uploaded, it really shouldn't be directly publicly accesible because you'll have a pretty major security vulnerability on your hands. Someone can upload a malicious PHP script and then run it by simply hitting the URL in a browser.