Help!!!
i want to upload a file from database(or from local m/c) to server in php without user interface. Is it possible.
Please Suggest.
Since you mention Ajax I assume you mean you want to upload it using JavaScript running in a web browser (and the server side component happens to use PHP).
This is impossible in the normal browser security context.
Users must explicitly select files to upload (otherwise webpages could go around stealing all sorts of private files behind users backs).
Users cannot do this without a user interface.
You could try curl from the command line:
curl --upload-file your.file.txt http://example.com/upload.php
Related
Background info:
I am working on a website which will provide image and video content via a subscription service. That is, users should ONLY have access to the image and video content so long as they are logged in successfully. (Note: the log in system uses a combination of MySQL DB - to store the username and password - and php to create new user sessions / authentication etc.)
The problem:
How do I stop a user (logged in or not) from directly accessing the image and video files? For example, a user who is not logged in could access the file directly as follows: www.domain.com/testvideo.mp4 - this would render the video content in the browser for them to watch or share with others. (NOTE: I still need to be able to use / display the image and video files on-site via HTML, CSS, PHP etc)
I have tried several .htaccess solutions (including: RewriteCond/RewriteRule & .htpassword) which have successfully prevented direct access BUT have prevented the ability to use the files on-site via HTML, CSS, PHP etc.
I was thinking that this must be a very common problem and if so, what the best way to resolve it was?
It is a pretty common problem with a pretty common solution. In order to force access control you have to invoke a PHP script before serving the file and verify the credentials. Then, if the credentials are valid, serve the actual file.
You may be tempted to serve the file directly from PHP script using something like readfile. This is going to kill your server performance and break download resuming for the client.
Luckily there is a solution, when you can hand over the actual file serving back to the web-server.
This works as following:
The web-server receives the request to /file.mp4.
According to the rewrite rules you've set up it directs it to your PHP script /serve.php instead.
Your script verifies the credentials, e.g. something from the session or cookies.
If the credentials are valid, the script issues specially crafted header. It tells the web-server to actually serve the static file. If not, you may as well output a 403 HTTP code.
The example script can be something like:
$file = '/tmp/file.mp4'; // it is in your best interest to make this file inaccessible for a direct download
header('X-Sendfile: ' . $file);
header('Content-Type: ' . contentType($file));
header('Content-Disposition: inline;');
In order for this to work you'll have to have mod_xsendfile (https://tn123.org/mod_xsendfile/) installed on your Apache, which is probably already the case for your hoster. You'll also have to drop in some lines to configure it and setup a proper rewrite.
You can fine a lot of stuff on Google by issuing "mod_xsendfile php", which might also help a great deal.
Hope that makes sense!
You cannot avoid that as long as your files are publicly available.
The most common way is to not serve the files directly, but to serve them through php so that you can check the users access before you serve the file. And the files can then reside anywhere on the server where the web-server user (www, apache, etc.) has access but the visitor hasn't.
Check the examples in the php manual on readfile and header to see how you can serve a file through php. You will find lots of examples here on SO as well.
So I'm a bit confused about what crafty users can and can't see on a site.
If I have a file with a bunch of php script, the user cant see it just by clicking "view source." But is there a way they can "download" the entire page including the php?
If permission settings should pages be set to, if there is php script that must execute on load but that I dont want anyone to see?
Thanks
2 steps.
Step 1: So long as your PHP is being processed properly this is nothing to worry about...do that.
Step 2: As an insurance measure move the majority of your PHP code outside of the Web server directory and then just include it from the PHP files that are in the directory. PHP will include on the file system and therefore have access to the files, but the Web server will not. On the off chance that the Web server gets messed up and serves your raw PHP code (happened to Facebook at one point), the user won't see anything but a reference to a file they can't access.
PHP files are processed by the server before being sent to your web browser. That is, the actual PHP code, comments, etc. cannot be seen by the client. For someone to access your php files, they have to hack into your server through FTP or SSH or something similar, and you have bigger problems than just your PHP.
It depends entirely on your web server and its configuration. It's the web server's job to take a url and decide whether to run a script or send back a file. Commonly, the suffix of a filename, file's directory, or the file's permission attributes in the filesystem are used to make this decision.
PHP is a server side scripting language that is executed on server. There is no way it can be accessed client side.
If PHP is enabled, and if the programs are well tagged, none of the PHP code will go past your web server. To make things further secure, disable directory browsing, and put an empty index.php or index.html in all the folders.
Ensure that you adhere to secure coding practices too. There are quite a number of articles in the web. Here is one http://www.ibm.com/developerworks/opensource/library/os-php-secure-apps/index.html
i am facing the problem in coping the images from one folder to another . It is possible through JS means please guide me, i had the image path (eg : C:\Program Files\xampp\htdocs\gallary\images\addnew.gif ) just i want to copy the images to another folder using js .thanks in advance.
You cannot use javascript to do this within the web browser. Javascript can only execute code in the browser of the person viewing the web page, not on the web server. Even then, javascript is "sandboxed" for security so it cannot access the users files, etc. Imagine the privacy problems if every webpage you visited had access to your My Documents folder!
PHP, however, can do this on the web server (I assume you have PHP instaled because you have XAMPP in the path to your image). The relevant PHP function is copy:
bool copy ( string $source , string $dest [, resource $context ] )
In your case, you probably want to call it like this:
success = copy('C:\\Program Files\\xampp\\htdocs\\gallary\\images\\addnew.gif', 'C:\\images\\addnew.gif')
if (!success){
echo "Could not copy!"
}
The simplest way to trigger this file copy is when a PHP web page is loaded. However, if you want to trigger this file-copy via javascript, you might want to look into using an AJAX style technique, where a javascript event sends an HTTP request to your web-server in the background. The web-server can then do the file copy in PHP. If you do take this approach, I would recommend that you:
Use a javascript API like jQuery which has built in functions to make this easier.
Be very very careful about security. You don't want someone snooping around on your website to be able to delete or copy arbitrary files.
You could use MS JScript http://msdn.microsoft.com/en-us/library/e1wf9e7w(VS.85).aspx
fso = new ActiveXObject("Scripting.FileSystemObject");
fso.CopyFile ("c:\\mydocuments\\letters\\*.doc", "c:\\tempfolder\\")
this can't be done from a browser, but you can run it in windows (using the windows script host) directly. You could also do it with node.js (server side javascript) which would be a more cross platform way. If you're trying to do it from in the browser on the client side it is not possible from any language for obvious security reasons.
I'm using CURL to upload files to a service.
currently I'm getting the file content with $GLOBALS["HTTP_RAW_POST_DATA"] then save it on my server.
after that, I'm using CURLOPT_POSTFIELDS with the file's full path.
Is there a way to send the file content directly, without saving it on my server, as if I saved it?
Or is there a way to upload a Photo from a flash app to facebook album, without saving it on the server?
Thanks
If you are uploading data you might consider using the file upload mechanism in PHP http://php.net/manual/en/features.file-upload.php It automatically handls file upload PHP.
If you want to redirect the upload to another (third party service) without needing to be in the chain of commands (i.e. user->3rd party server), you might want to look into AJAX. AFAIK when you upload a file using PHP/forms the file will be uploaded to your PHP temp directory and there is no way to prevent this because:
1. To access the file it needs to be on the server (PHP is server execute meaning it can not execute on the user side)
2. I do not believe any user will want you to access their files on their computer nor will you be able to do so(Firewall, AV), if that were to happen it will be a major security issue
As I said above, what you want to look into is AJAX (I used jquery and their AJAX methods are very simple). Because AJAX is user execute javascript it can run on the machine and initiate a connection to any URL. This way you can directly access the service without submitting the file to your server.
Here is an exmaple AJAX upload (you can google for more):
http://valums.com/ajax-upload/
Hope this helps
I have a file where i m able to generate the pdf, but i want the path to be users desktop which would save it automatically.
$pdf->Output("sample.pdf");
What should be path.
No matter what you have server side you won't be able to automatically save a file on a user's system via their browser with no interaction from them as that would be a massive security hole. The user will always have to confirm the save of a file.
For similar reasons you won't be able to query the directory structure of a User's system via the browser, and even if you could I don't think you can give a browser a suggested directory in which to save something.
You can't do that with PHP. PHP runs on your server, not on your user's desktop. You probably want to store the file somewhere on the server, and then show the user a link to download the generated file.
Unless of course, you're talking about running PHP locally on your user's computer (i.e. apache or some other webserver is installed on your user's computer, in which case please clarify your question.
Assuming your php script is running as a client-side app through the Command Line Interface or PHP-GTK, you should first check if the system it runs on actually is a Win32 type machine.
Next you'd need to use the Windows Only Extensions to invoke the native Win32 API Function call returning a well-known location such as user's desktop folder, that is SHGetFolderPath() with a CSIDL_DESKTOP as a second parameter.
If however your script runs on a server, there's no way to put the file on user's desktop directly without her actually being instructed to do so.
You should output the PDF to the browser and provide the appropriate headers to have the file be recognised as PDF (or merely as downloadable to force a download). Also make sure not to output anything other than the PDF as that might corrupt the file.
EDIT: Note that if you use a webbrowser it is, for security reasons, not possible to FORCE an automatic download. You can only prompt a download, not activate it.
If you're talking about a PHP script (e.g. on a Linux workstation), you probably want to do something completely different. If the PDF library doesn't let you specify a path, do the same you would do in a web browser sans the headers and use an output buffer to catch the output and write it to a file -- if you run the script directly, it'll have the necessary privileges to write to your home directory.