[RESOLVED] Passing Variables . . .

I just made a post about downloading outside of a webroot, but the post was so confusing and not REALLY asking any questions that I sat back, thought it out, and am now asking what I feel is a much clearer question.

Okay.

I have a page [URL="http://dave.wickedsmaat.com"]HERE[/URL]. On that page, you'll see a simple table. That table is generated with a PHP script, found [URL="http://www.haroldbakker.com/php/listing.php"]HERE[/URL]. That script uses this line

[code=php]echo "<tr><td class=\"" . usecolor() . "\"><a href=\"" . rawurlencode($filenames[$i]) . "\">" . $filenames[$i] . "</a></td></tr>\n";[/code]

to make the generated file names into Hyperlinks.

What I'm wanting to do, if possible, is have it so when the hyperlink is clicked, the name of the file & its location ( /home/username/files/test.avi — NOT — /www/subdomain/test.avi ) are passed into the "$file" variable located inside my "Download.php" script, seen here:

[code=php]
<?php
$file = 'NAME.EXTENSION';

if (file_exists($file)) {
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename=' . basename($file));
    header('Content-Transfer-Encoding: binary');
    header('Expires: 0');
    header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
    header('Pragma: public');
    header('Content-Length: ' . filesize($file));
    ob_clean();
    flush();
    readfile($file);
    exit;
}
?>
[/code]

How do I do this???

@scragar (Oct 26, 2008) — replace
[code=php]echo "<tr><td class=\"" . usecolor() . "\"><a href=\"" . rawurlencode($filenames[$i]) . "\">" . $filenames[$i] . "</a></td></tr>\n";[/code]
with
[code=php]echo '<tr><td class="' . usecolor() . '"><a href="Download.php?file=' . rawurlencode($filenames[$i]) . '">' . $filenames[$i] . "</a></td></tr>\n";[/code]

Then change Download.php a little:
[code=php]<?php
// keep only what follows the last slash, so a directory part cannot be passed in
$file = preg_replace('/^.*\//', '', $_GET['file']);
[/code]
@misteralexander (author, Oct 27, 2008) — I thought that it was worth mentioning, in case I didn't convey it well in the first message. In the listing.php file, where it makes hyperlinks of the file names in the table, the files being listed as well as the "Download.php" script are being stored OUTSIDE the webroot, so I don't think they can REALLY be accessed via a hyperlink . . . can they?

I'm going to try what was suggested, as it seems to be exactly what I'm wanting to do, passing the location to the variable in the file. So, here goes nothing!

Stay posted & I'll let you know!
@misteralexander (author, Oct 27, 2008) — As I had feared, nothing happened. I modified the code in the suggested way & also tried to mess with it in a few other ways, each time being left with either a PHP error message or just "nothing happens".

Here are a few of the errors I got:
[CODE]
http://dave.wickedsmaat.com/site/.index.php/.download.php?file=test.avi
[/CODE]

which may seem fine at the outset, but the file "test.avi" is not in the "SITE" directory & neither is the ".download.php" file. So, I tried some modifications, and here's what I got:
[CODE]
http://dave.wickedsmaat.com/site/.index.php/home/username/files/.download.php?file=test.avi
[/CODE]

and also this:
[CODE]
http://dave.wickedsmaat.com/site/.index.php/.download.php?file=/home/username/files/test.avi
[/CODE]

The whole issue here (I think) being that my files are not stored in the WEBROOT, for security purposes. I didn't want to leave security up to a hackable .HTACCESS file, so I moved the directory outside the webroot. So instead of the file "test.avi" being located in
[CODE]
/www/dave/site/files/test.avi |||OR||| /public_html/dave/site/files/test.avi
[/CODE]

it's located here, for security reasons:
[CODE]
/home/username/files/test.avi
[/CODE]

How do I pass THAT location to the $file variable of the download script, which by-the-by is sitting in the same directory as "test.avi"?

Hopefully this cleared some things up.

Thanks for the help, because I AM LOST!
@scragar (Oct 27, 2008) — That's just as bad for your security. The best thing to do is to pass only a file name, and append a directory later (in the PHP script, which the user can't mess with).

[code=php]// strip everything up to and including the last slash, then prepend the fixed directory
$file = '/home/username/files/' . preg_replace('/^.*\//', '', $_GET['file']);
[/code]
@misteralexander (author, Oct 27, 2008) — That worked great, it works just the way I wanted.

Although, I'm curious:

[QUOTE=scragar]That's just as bad for your security[/QUOTE]

Do you mean storing something outside of my WebRoot? Please explain, because I don't want to think I'm being more secure when I'm just closing route "A" and opening up route "B" for an attacker.
@scragar (Oct 27, 2008) — What I mean is that if you include a full file path in a query string or form submission, then the users can manipulate it, and while you don't think it's a big security hole, consider this entry:

Download.php?file=/etc/shadow

which would download your /etc/shadow file, containing the hashes for the passwords used on your system, which would make it much easier for someone to brute force your passwords without you knowing.

To counter this you could establish a set of safe directories, only allowing content from those directories (PHP does this for its source viewing script), but for an inexperienced user I would recommend against this choice, since getting it wrong could give an illusion of false security (where you think you are protected when you aren't).

Instead I implemented a slightly less sophisticated system, simply removing anything from the last / and before from the query, which will only grab file names (instead of paths) and thus protect your security better.
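A hardened Download.php along the lines scragar describes (bare file name only, fixed directory prepended in the script), written as an added example rather than code from the thread. It assumes the /home/username/files location the poster gives, and adds a realpath() containment check on top of the basename() stripping so that a symlink inside the directory cannot point the download outside it.

```php
<?php
// Added example, not the thread's code. Assumes the poster's layout:
// downloadable files live in /home/username/files, outside the webroot.
const FILES_DIR = '/home/username/files';

// Reduce the user-supplied value to a bare file name, then confirm the
// resolved path is still inside FILES_DIR. Returns the absolute path,
// or null when the request must be refused.
function resolveDownload(string $requested, string $baseDir = FILES_DIR): ?string
{
    // basename() drops any directory part: "/etc/shadow" becomes "shadow",
    // "../../etc/passwd" becomes "passwd"; neither exists in FILES_DIR.
    $name = basename($requested);

    // Refuse empty names, dot-files, and anything that still carries a
    // separator or a NUL byte (realpath() would throw on a NUL in PHP 8).
    if ($name === '' || $name[0] === '.' || strpbrk($name, "/\\\0") !== false) {
        return null;
    }

    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null; // base directory missing, or the file does not exist
    }

    // realpath() follows symlinks, so a link inside FILES_DIR that points
    // elsewhere resolves to its real target; require that target to sit
    // under the base directory and to be a regular file.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
        return null;
    }
    return $path;
}

$path = resolveDownload($_GET['file'] ?? '');
if ($path === null) {
    // Same response for "not found" and "refused": no hint about the layout.
    http_response_code(404);
    exit('File not found');
}

header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```

With this in place, listing.php can keep emitting Download.php?file=test.avi links, and a request for file=/etc/shadow or file=../../etc/passwd simply gets a 404.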
@misteralexander (author, Oct 27, 2008) — Awesome. I really appreciate your help.

Everything works great!