I want to monitor how often some external images are loaded.
So my idea is instead of giving a uri directly like this:
www.site.com/image1.jpg
I can create a PHP script which reads the image, so I built a PHP file and my HTML would look like this:
<img src="www.site.com/serveImage.php?img=image1.jpg">
but I don't know how to read the image from disk and return it. Would I return a byte array or set the content type?
Kind regards,
Michel
Sending images through a script is nice for other things like resizing and caching on demand.
As answered by Pascal MARTIN the function readfile and these headers are the requirements:
Content-Type
The mime type of this content
Example: header('Content-Type: image/gif');
See the function mime_content_type
Types
image/gif
image/jpeg
image/png
But beside the obvious content-type you should also look at other headers such as:
Content-Length
The length of the response body in octets (8-bit bytes)
Example: header('Content-Length: 348');
See the function filesize
Allows the connectio to be better used.
Last-Modified
The last modified date for the requested object, in RFC 2822 format
Example: header('Last-Modified: Tue, 15 Nov 1994 12:45:26 GMT');
See the function filemtime and date to format it into the required RFC 2822 format
Example: header('Last-Modified: '.date(DATE_RFC2822, filemtime($filename)));
You can exit the script after sending a 304 if the file modified time is the same.
status code
Example: header("HTTP/1.1 304 Not Modified");
you can exit now and not send the image one more time
For last modified time, look for this in $_SERVER
If-Modified-Since
Allows a 304 Not Modified to be returned if content is unchanged
Example: If-Modified-Since: Sat, 29 Oct 1994 19:43:31 GMT
Is in $_SERVER with the key http_if_modified_since
List of HTTP header responses
To achieve something like this, your script will need to :
send the right headers, which depend on the type of the image : image/gif, image/png, image/jpeg, ...
send the data of the image
making sure nothing else is sent (no white space, no nothing)
This is done with the header function, with some code like this :
header("Content-type: image/gif");
Or
header("Content-type: image/jpeg");
or whatever, depending on the type of the image.
To send the data of the image, you can use the readfile function :
Reads a file and writes it to the
output buffer.
This way, in one function, you both read the file, and output its content.
As a sidenote :
you must put some security in place, to ensure users can't request anything they want via your script : you must make sure it only serves images, from the directory you expect ; nothing like serveImage.php?file=/etc/passwd should be OK, for instance.
If you're just willing to get the number of times a file was loaded each day, parsing Apache's log file might be a good idea (via a batch run by cron each day at 00:05, that parses the log of the day before, for instance) ; you won't have real-time statistics, but it will require less resources on your server (no PHP to serve static files)
I use the "passthru" function to call "cat" command, like this:
header('Content-type: image/jpeg');
passthru('cat /path/to/image/file.jpg');
Works on Linux. Saves resources.
You must set the content type:
header("Content-type: image/jpeg");
Then you load the image and output it like this:
$image=imagecreatefromjpeg($_GET['img']);
imagejpeg($image);
Instead of changing the direct image url in the HTML, you can put a line in the Apache configuration or .htaccess to rewrite all the requests of images in a directory to a php script. Then in that script you can make use of the request headers and the $_server array to process the request and serve the file.
First in your .htaccess:
RewriteRule ^(.*)\.jpg$ serve.php [NC]
RewriteRule ^(.*)\.jpeg$ serve.php [NC]
RewriteRule ^(.*)\.png$ serve.php [NC]
RewriteRule ^(.*)\.gif$ serve.php [NC]
RewriteRule ^(.*)\.bmp$ serve.php [NC]
The script serve.php must be in the same directory as .htaccess. You will probably write something like this:
<?php
$filepath=$_SERVER['REQUEST_URI'];
$filepath='.'.$filepath;
if (file_exists($filepath))
{
touch($filepath,filemtime($filepath),time()); // this will just record the time of access in file inode. you can write your own code to do whatever
$path_parts=pathinfo($filepath);
switch(strtolower($path_parts['extension']))
{
case "gif":
header("Content-type: image/gif");
break;
case "jpg":
case "jpeg":
header("Content-type: image/jpeg");
break;
case "png":
header("Content-type: image/png");
break;
case "bmp":
header("Content-type: image/bmp");
break;
}
header("Accept-Ranges: bytes");
header('Content-Length: ' . filesize($filepath));
header("Last-Modified: Fri, 03 Mar 2004 06:32:31 GMT");
readfile($filepath);
}
else
{
header( "HTTP/1.0 404 Not Found");
header("Content-type: image/jpeg");
header('Content-Length: ' . filesize("404_files.jpg"));
header("Accept-Ranges: bytes");
header("Last-Modified: Fri, 03 Mar 2004 06:32:31 GMT");
readfile("404_files.jpg");
}
/*
By Samer Mhana
www.dorar-aliraq.net
*/
?>
(This script can be improved!)
Also, if you want to the user to see a real filename instead of your scriptname when the user RMC's on the image and selects "Save As", you'll need to also set this header:
header('Content-Disposition: filename=$filename');
You're probably better off examining your server access logs for this. Running all images through php might put a bit of load on your server.
I serve my images with readfile as well, but I have gone the extra mile both for security and extra functionality.
I have a database set up which stores the image id, its dimensions and file extension. This also means that images need to be uploaded (allowing optional resizing), so I only use the system for content and not images needed for the website itself (like backgrounds or sprites).
It also does a very good job at making sure you can only request images.
So, for serving the simplified workflow would be like this (cannot post production code here):
1) get the ID of the requested image
2) Look it up in the database
3) Throw headers based on the extension ("jpg" gets remapped to "jpeg" on upload)
4) readfile("/images/$id.$extension");
5) Optionally, protect /images/ dir so it cannot be indexed (not a problem in my own system as it maps URLS like /image/view/11 to something like /index.php?module=image&action=view&id=11)
There are a lot of good answers above, but none of them provide working code that you can use in your PHP app. I've set mine up so that I lookup the name of the image in a database table based off a different identifier. The client never sets the name of the file to download as this is a security risk.
Once the image name is found, I explode it to obtain the extension. This is important to know what type of header to serve based off the image type (i.e. png, jpg, jpeg, gif, etc.). I use a switch to do this for security reasons and to convert jpg -> jpeg for the proper header name. I've included a few additional headers in my code that ensure the file is not cached, that revalidation is required, to change the name (otherwise it will be the name of the script that is called), and finally to read the file from the server and transmit it.
I like this method since it never exposes the directory or actual file name. Be sure you authenticate the user before running the script if you are trying to do this securely.
$temp = explode('.', $image_filename);
$extension = end($temp); // jpg, jpeg, gif, png - add other flavors based off your use case
switch ($extension) {
case "jpg":
header('Content-type: image/jpeg');
break;
case "jpeg":
case "gif":
case "png":
header('Content-type: image/'.$extension);
break;
default:
die; // avoid security issues with prohibited extensions
}
header('Content-Disposition: filename=photo.'.$extension);
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
readfile('../SECURE_DIRECTORY/'.$image_filename);
PHP 8 lets you use the match feature, which will further optimize the code by getting rid of the switch and ugly looking nested cases.
Related
I'm sure this is a simple task, but on my wordpress site I want to create a download button that forces an .mp3 download, without opening a player (when left clicked), or the user having to right-click 'save target as'. I just need a straight forward button, that when left-clicked causes a file to be downloaded (as well as being easily trackable by Google Analytics).
Is a .php script required for this? You'd think this would be a very common function, and easy to solve....but I have spent hours on this and have been unable to get anything to work.
*if it's not obvious my coding skills are nearly non-existent.
I really appreciate anybody's time who can help me figure this out. Thanks!
***EDIT
Just found this on another post, but no comments if it would work or not. It was for a .pdf file though...
<?php
if (isset($_GET['file'])) {
$file = $_GET['file'] ;
if (file_exists($file) && is_readable($file) && preg_match('/\.pdf$/',$file)) {
header('Content-type: application/pdf');
header("Content-Disposition: attachment; filename=\"$file\"");
readfile($file);
}
} else {
header("HTTP/1.0 404 Not Found");
echo "<h1>Error 404: File Not Found: <br /><em>$file</em></h1>";
}
?>
Save the above as download.php
Save this little snippet as a PHP file somewhere on your server and you can use it to make a file download in the browser, rather than display directly. If you want to serve files other than PDF, remove or edit line 5.
You can use it like so:
Add the following link to your HTML file.
Download the cool PDF.
Well, this is possible, but you need to write a script to do it. This is a pretty poor (security and basic coding wise) from http://youngdigitalgroup.com.au/tutorial-force-download-mp3-file-streaming/
file: downloadit.php
<?php
header ("Content-type: octet/stream");
header ("Content-disposition: attachment; filename=".$file.";");
header ("Content-Length: ".filesize($file));
readfile($file);
exit;
?>
you would then place it into a publicly accessible folder and build your links as such:
http://www.yoursite.com/downloadit.php?file=/uploads/dir/file.mp3
what this does is tells the browser to treat the file as a stream of bytes, rather than a particular MIME type which the browser would ordinarily do based on the file extension.
I'm semi-new to PHP and I'm starting to dive into file downloading. I create .xlsx and .csv files using PHPExcel and place them in a temp directory to be downloaded. I found a nice script for doing the download and I added some tweaks to it that I needed. The script is below. I've already read these posts:
Secure file download in PHP, deny user without permission
...and...
Secure files for download
...and...
http://www.richnetapps.com/the-right-way-to-handle-file-downloads-in-php/
download.php
<?php
/*====================
START: Security Checks
====================*/
//(1) Make user it's an authenicated/signed in user with permissions to do this action.
require("lib_protected_page.php");
//(2) Make sure they can ONLY download .xlsx and .csv files
$ext = pathinfo($_GET['file'], PATHINFO_EXTENSION);
if($ext != 'xlsx' && $ext != 'csv') die('Permission Denied.');
//(3) Make sure they can ONLY download files from the tempFiles directory
$file = 'tempFiles/'.$_GET['file'];
//ABOUT ITEM 3 - I still need to change this per this post I found....
/*
http://www.richnetapps.com/the-right-way-to-handle-file-downloads-in-php/
You might think you’re being extra clever by doing something like
$mypath = '/mysecretpath/' . $_GET['file'];
but an attacker can use relative paths to evade that.
What you must do – always – is sanitize the input. Accept only file names, like this:
$path_parts = pathinfo($_GET['file']);
$file_name = $path_parts['basename'];
$file_path = '/mysecretpath/' . $file_name;
And work only with the file name and add the path to it youserlf.
Even better would be to accept only numeric IDs and get the file path and name from a
database (or even a text file or key=>value array if it’s something that doesn’t change
often). Anything is better than blindly accept requests.
If you need to restrict access to a file, you should generate encrypted, one-time IDs, so you can be sure a generated path can be used only once.
*/
/*====================
END: Security Checks
====================*/
download_file($file);
function download_file( $fullPath )
{
// Must be fresh start
if( headers_sent() ) die('Headers Sent');
// Required for some browsers
if(ini_get('zlib.output_compression'))
ini_set('zlib.output_compression', 'Off');
// File Exists?
if( file_exists($fullPath) )
{
// Parse Info / Get Extension
$fsize = filesize($fullPath);
$path_parts = pathinfo($fullPath);
$ext = strtolower($path_parts["extension"]);
// Determine Content Type
switch ($ext) {
case "pdf": $ctype="text/csv"; break;
case "pdf": $ctype="application/pdf"; break;
case "exe": $ctype="application/octet-stream"; break;
case "zip": $ctype="application/zip"; break;
case "doc": $ctype="application/msword"; break;
case "xls": $ctype="application/vnd.ms-excel"; break;
case "xlsx": $ctype="application/vnd.ms-excel"; break;
case "ppt": $ctype="application/vnd.ms-powerpoint"; break;
case "gif": $ctype="image/gif"; break;
case "png": $ctype="image/png"; break;
case "jpeg":
case "jpg": $ctype="image/jpg"; break;
default: $ctype="application/force-download";
}
header("Pragma: public"); // required
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
//Now, the use of Cache-Control is wrong in this case, especially to both values set to zero, according to Microsoft, but it works in IE6 and IE7 and later ignores it so no harm done.
header("Cache-Control: private",false); // required for certain browsers
header("Content-Type: $ctype");
header("Content-Disposition: attachment; filename=\"".basename($fullPath)."\";" );
//Note: the quotes in the filename are required in case the file may contain spaces.
header("Content-Transfer-Encoding: binary");
header("Content-Length: ".$fsize);
ob_clean();
flush();
readfile( $fullPath );
}
else
die('File Not Found');
}
?>
My questions are...
Are my security checks enough? I only want authenticated users with proper permissions to be able to download .xlsx and .csv files from only the tempFiles directory. But I've read that download-able files should be outside the webroot, why? With these checks I don't see why that would matter?
The tempFiles directory is forbidden if you type it in on the address bar (www.mySite.com/tempFiles), but if the user somehow guesses a filename (which would be difficult, they are long and unique) then they could type that in on the address bar and get the file (www.mySite.com/tempFiles/iGuessedIt012345.csv). So is there a way to not allow that (I'm running Apache), so they are forced to go through my script (download.php)?
Thank you! Security is my number 1 concern so I want to learn every little thing I can about this before going live. Some of the example download scripts I've seen literally would let you pass in a php filename thus allowing people to steal your source code. FYI, I do clean up the tempFiles directory fairly regularly. Just leaving files there forever would be a security issue.
Another option is to generate file content, not saving it on server but push that content to client browser with proper headers so client browser can interpret it as file to download. In the end client got his file without accessing your tmp folder and you don't have to worry about cleaning tmp, it's secure because you are not saving anything on your server, "data that you don't have cannot be stolen".
Example for pdf:
....
$content = $MyPDFCreator->getContent();
header('Content-Type: application/pdf');
header('Content-Length: '.strlen( $content ));
header('Content-disposition: inline; filename="downloadme.pdf"');
header('Cache-Control: public, must-revalidate, max-age=0');
header('Pragma: public');
header('Expires: Sat, 26 Jul 1997 05:00:00 GMT');
header('Last-Modified: '.gmdate('D, d M Y H:i:s').' GMT');
echo $content;
I suggest that you should not let the user request a file by providing with a full path.
Filter the 'file' parameters. Make sure it doesn't start with dots, to avoid people requesting relative path to other files.
In your line:
$file = 'tempFiles/'.$_GET['file'];
if the user is requesting the file "../../var/www/my-site/index.php" for exemple, the value of your $file variable will become the path to the index.php file, given that your tempfiles/ directory is located two level deeper than your/var/www.
This is just an example, you should get the idea.
So the most important thing in my humble opinion is to filter the file parameter received. You can check for the presence of two dots (..) in the file parameters this way:
if (strpos($GET['file'], "..") !== false) {
// file parameters contains ..
}
If, as suggested by Ashish, you can develop populate a database table with a token associated to a file and a user, then you could increment the number of time that user requests the file. After a certain amount of download, you could then deny the download request.
This approach let you keep a certain control over the downloads of file, while still giving your user some flexibility, for example if the user is accessing your web application from different location/devices and need to download the same file a few time.
Having your files in the webroot will allow visitors to directly access your files (as they can 'run' anything in the webroot - within reason). What would be best would to have this kind of set-up, or one like it;
/var
/www
/html
/my-site
index.php
download.php
...
/tmpFiles
iGuessedIt012345.csv
This way - with some configuration - the outside world can't get to tmpFiles/.
This would also allow you to do your checks for authenticated users with correct permissions in download.php
Another way in which you could keep them out of the tmpFiles/ directory would to have a .htaccess file in that directory, with the following;
deny from all
This will yield a 403 Forbidden message to anything who'd tried to access that directory.
I think you should provide a unique url with a temporary token to download the file. This token should be one time use token. Once the user have used that token it should be invalidated and if user want to download the file he need to regenerate the download link with only provided and authenticated way.
For example you can give a url like:
http://www.somedomain.com/download.php?one_time_token=<some one time token>
Once the url is visited, you should invalidate the given token.
I think using this token method you can secure your file download process.
For the file location You should avoid storing files on public accessible places. You should store files at some other place in you system and read you file from there only.
An authenticated user can access a page(download.php) where he can view files in tempFiles
Set .htaccess to "deny from all" in tempFiles so noone can directly access, then in download.php every file should be downloadable with a token, as sad by Ashish Awasthi
If you don't like tokens you can do something like download?file=iGuessedIt012345.csv, but if you do this way use a whitelist regex to check if is everything right!
example:
$var="iGuessedIt012345.csv";
if (preg_match('#^[[:alnum:]]+\.csv$#i', $var)){
echo "ok";
}else{
echo "bad request";
}
example2:
$var="iGuessed_It-012345.csv";
if (preg_match('#^[a-zA-Z0-9\-\_]+\.csv$#i', $var)){
echo "ok";
}else{
echo "bad request";
}
I'm in the process of developing a PHP webpage that constructs a .SVG file from a SQL database on the fly, embeds it in the page, and enables a user to interact with it. These temporary files take on the form SVG[RandomNumber].svg and the unlink function successfully deletes the files with no error messages.
Here's the problem: I assumed that if I invoked the unlink function after the SVG file had loaded for the user, the webpage would be unaffected since the user's browser would have cached the file or whatnot. Everything works perfectly when no unlink command is present in the code; however, 'unlinking' anywhere -- even at the end of the webpage, causes no object to show at all. In Firefox there's no trace of the object, and in IE I receive the error "The webpage cannot be found."
So have I deleted the file before the browser uploads it? What's the best way to deal with the general situation?
Thank you.
It might be useful to change workflow and don't create temporaries. When image is used only once or it's generation is not a big deal you can try to generate it on-the-fly in following fashion
<?php
// We'll be outputting a SVG
header('Content-type: Content-Type: image/svg+xml');
// It will be called image.svg
header('Content-Disposition: attachment; filename="image.svg"');
// Don't cache
header("Cache-Control: no-cache, must-revalidate");
header("Expires: " . date("D, j M Y H:i:s"));
// The PDF source is in original.pdf
generate_svg_from_db('image.svg');
?>
THE EXAMPLE
1) User enters in a playlist in a <textarea>
C:/music/foo.mp3
C:/music/bar.mp3
C:/music/hello.mp3
2) They click a save button. I send the user's playlist to the server with AJAX.
3) The server formats the text with PHP in this fashion:
<playlist>
<item>C:/music/foo.mp3</item>
<item>C:/music/bar.mp3</item>
<item>C:/music/hello.mp3</item>
</playlist>
4) A file save dialog pops up asking the user to save this formatted text as playlist.m3u on their own harddrive.
QUESTIONS
A) Is it possible to not write a file to the harddrive on the server when generating this m3u file? I don't want millions of files clogging up my server. I suppose PHP can echo out the formatted text and set headers to masquerade as a file.
B) How do I get the file save dialog to pop up for this on-the-fly file? If it were a real file, I would just have the PHP respond back with the location of the file. Then I would have JS insert a new iFrame with that location. But I don't want to write a file on the server, so I can't do this.
new Ajax.Request(
'generateM3u.php',
onSuccess: function(transport) {
$$('body').first().appendChild(
new Element(
'iframe', {
src: transport.responseText
}
)
);
}
);
You should take a look at http://php.net/manual/en/function.header.php from the PHP manual. There are a lot of user contributions at the bottom of the page regarding forcing the browser to show a download prompt rather than printing to screen.
Here is one from that page (By phpnet at holodyn dot com 31-Jan-2011 09:01) which I have edited slightly. I think it answers both questions A and B. Just send the textbox's contents to the PHP file through an iframe, allow it to format the text appropriately and send it back to the browser with the following headers.
$contents = '<playlist>etc....</playlist>';
header("Pragma: public"); // required
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Cache-Control: private", false); // required for certain browsers
header("Content-Type: audio/x-mpegurl");
header("Content-Disposition: attachment; filename=\"playlist.m3u\";" );
header("Content-Transfer-Encoding: binary");
header("Content-Length: " . strlen($contents));
ob_clean();
flush();
echo $contents;
Edit: If what you want is an all Javascript solution, then I personally don't know, and after a little google-ing, it looks like others don't either. Most seem to solve this with an invisible iframe that directs to a server-side file.
Edit 2: I've changed the content type so that it matches the m3u file type.
How about creating a form on your parent DOM, and post it to the IFRAME/pop-up that you created?
The POST action URL will be your generateMu3.php
To answer your questions,
A & B) I assume so... as long as generateM3u.php sets the correct MIMEType for the .m3u file...
I'm not familiar with syntax in PHP, but in both Java & .NET, you can set the response's MIMEType in the header to, say, a Word document, and the browser will read the header, and if it's a file that is "Save-able", it'll prompt the client to save the page as a file.
If I read this correctly there's a machine creating the .m3u files. In that case, perhaps just write the files to a temporary directory, /tmp on unix machines andC:\Windows\Temp on Windows machines. Those files are cleared on boot, which should allow you to handle B) without all the A).
I'm using Apache's mod_rewrite to route requests for JPG files to a directory outside my web root.
It generally has been fine, but there are a few images that do not display. I then realized that when I use PHP's get_headers() function on my image URLs, they are all returning
Content-Type: text/html; charset=UTF-8 instead of the proper image/jpeg header types.
I have tried explicitly setting the Content-Type: image/jpeg header and still, none of my images return the correct headers - although most do display correctly, but I'm not sure why.
How can I assure a JPG file is sent with the correct header when redirecting via mod_rewrite?
This is what you could do. Create a PHP file that will get the right file and passes it through
<?php
$sImage = 'imagename.jpg';
header("Content-Type: image/jpeg");
header("Content-Length: " .(string)(filesize($sImage)) );
echo file_get_contents($sImage);
or
<?php
$sImage = 'imagename.jpg';
$rFP = fopen($sImage, 'rb');
header("Content-Type: image/jpeg");
header("Content-Length: " .(string)(filesize($sImage)) );
fpassthru($rFP);
exit;
or in your Apache vhost config or .htaccess file
RewriteRule … … [T=image/jpeg]
You can also set the Content-Type header field with mod_rewrite with the T flag:
RewriteRule … … [T=image/jpeg]
How about image which is not.jpg. Like .gif, ...
You'll need to use mime_content_type() (which is deprecated) or the fileinfo extension to determine which content-type to send.
Edit: I don't recommend this, but if you are working with a specific subset of file extensions, you could also create a small dictionary array of content-types and use the file extension to determine which one to send.