Menu
Community /Pin to ProfileBookmark
@NogDogJan 04.2018 — #Without going through it with a fine-toothed comb, what I suspect is the problem is the difference between absolute URL paths and absolute filesystem paths. When making an HTML link to "/foo/bar", that's an absolute path to the file "bar" in the "foo" directory which is directly beneath the [I]web root directory[/I] set up for that domain. On the other hand, within the PHP script, referencing "/foo/bar" with a file function is looking for file "bar" in directory "foo" which is directly beneath the root "/" directory on the logical disk. What I'm guessing you might want to do is search for it relative to the web document root:
However, there is a security concern there, with some nasty person asking for '/../../config.php' or even something worse. My preference would be that there be known directories where available files are located, and the user can then only specify which one, with some sort of validation check in place to make sure they picked an allowed location.
@PeterPan_321Jan 04.2018 — #[FONT=arial]
Well thanks! That change fixed the whole program, and indeed the log of the complete combo of $filepath and $fileName now looks like this ("I've doctored it to hide some of the tree in this public post...).[/FONT]
[FONT=courier new]
/home1/myMainAccountName/public_html/CurrentDomainName/pubfiles/Candle.h download Request at Thu, 04 Jan 2018 11:44:02 -0700
[FONT=arial black]
[FONT=arial]Interesting! Like you said, there are some security issues, and I DO indeed have only two directories on the site from which I allow downloads, so I can check for those I suppose with hidden vars in the PHP code, or maybe read in the allowed locations from a hidden file.
Even though this works, however, I'd love to read a bit more on this kind of thing. I seems back in the days where everything was "Flash" players, I had similar issues with weird directory requirements referencing between the player location, and the location of the media I wanted to play. Tore many handfuls of hair out for days over that one.
[/FONT][/FONT]
[/FONT]
php file downlaods… misundersood path issues?
I used this php file download code for a long time, to allow someone to click on a link and either view or download the file. But What I could never do is get it to work without the PHP code being in the same directory as the files I was accessing. Today I tried to put the PHP code in a directory called /scripts, access it from an html file back at the root “/”, and use it to get a file in /pubfiles. Unfortunately I just can’t get anything beyond a log output to actually access the file, as a full path.
html call basically looks like this…
[code=html]<a href=”/scripts/fetchAfile.php?file=Candle.h&filePath=/pubfiles/&view=0″>Get Candle.h</a>
So I’m passing 3 params to the php code. Please forgive some junk in the file, the result of my experimenting with stupid ideas to fix.
[CODE]<?php
$filePath = ‘/private/files/’; // default area
$fileName = ‘ ‘;
$view = ‘1’; // assumed. If 0, just download, else view
$type = ‘view’;
$ext = ‘pdf’; // default type
$logFile = ‘downloads.log’;
if(empty($_GET[‘file’])) {
notFound();
}
if (!empty($_GET[‘filePath’])) {
$filePath = $_GET[‘filePath’];
}
$view = $_GET[‘view’]; // to decide between download or browser display
$fileName = basename($_GET[‘file’]);
$fullViewPath = $filePath . $fileName;
// get file extender for application type, for browser
$ext = pathinfo($fileName, PATHINFO_EXTENSION);
// log request if we get here
if ($view == 0) $type = ‘download’;
$current = file_get_contents($logFile);
$current .= “rn” . $fullViewPath . ” ” .$type . ” Request at ” . date(DATE_RFC2822);
file_put_contents($logFile, $current);
if(!file_exists($fullViewPath) or !is_readable($fullViewPath)) {
notFound(); }
if ($view == ‘1’) { header(‘Location: ‘ . $fullViewPath); } // display in browser
else // just download
{
header(‘Content-Type: application/’ . $ext); // specify app with file extender
header(‘Content-Disposition: attachment; filename=”‘.basename($fileName).'”‘);
readfile($fullViewPath);
}
function notFound()
{
global $fullViewPath;
error_log(“rn ** file unreadable: ” . $fullViewPath);
header(‘Location: http://elfintechnologies.com/404.shtml’);
exit;
}
?>
So the result is, the php file is definitely found at scripts, because it does dump log and error files. now notic I’m forming a full path ($fullViewPath) by combining the passed file path ($goes to $filePath) with the file name file (goes to $filename) The logfile bears out that the path is correct…
/pubfiles/Candle.h download Request at Thu, 04 Jan 2018 10:12:24 -0700
So the $fullViewPath variable is definitly correct. Unfortunately file_exists() and is_readable() both fail…
[04-Jan-2018 10:41:43 America/Denver]
** file unreadable: /pubfiles/Candle.h
Well I don’t know why its not found or readable, and again, if I put the php in the same directory as the files to be downloaded, and adjuest the HTML link accordingly, everything goes smoothly. So obviously I’m missing something very basic about specifying directory locations. Thanks for any help
Sign in
to post a comment3 Comments(s) ↴
0
@NogDogJan 04.2018 — #Without going through it with a fine-toothed comb, what I suspect is the problem is the difference between absolute URL paths and absolute filesystem paths. When making an HTML link to "/foo/bar", that's an absolute path to the file "bar" in the "foo" directory which is directly beneath the [I]web root directory[/I] set up for that domain. On the other hand, within the PHP script, referencing "/foo/bar" with a file function is looking for file "bar" in directory "foo" which is directly beneath the root "/" directory on the logical disk. What I'm guessing you might want to do is search for it relative to the web document root:[code=php]
$filePath = $_SERVER['DOCUMENT_ROOT'].$_GET['filePath'];
[/code]However, there is a security concern there, with some nasty person asking for '/../../config.php' or even something worse. My preference would be that there be known directories where available files are located, and the user can then only specify which one, with some sort of validation check in place to make sure they picked an allowed location.
0
@PeterPan_321Jan 04.2018 — #Well thanks! That change fixed the whole program, and indeed the log of the complete combo of $filepath and $fileName now looks like this ("I've doctored it to hide some of the tree in this public post...).[/FONT]
[FONT=courier new]
/home1/myMainAccountName/public_html/CurrentDomainName/pubfiles/Candle.h download Request at Thu, 04 Jan 2018 11:44:02 -0700
[FONT=arial black]
[FONT=arial]Interesting! Like you said, there are some security issues, and I DO indeed have only two directories on the site from which I allow downloads, so I can check for those I suppose with hidden vars in the PHP code, or maybe read in the allowed locations from a hidden file.
Even though this works, however, I'd love to read a bit more on this kind of thing. I seems back in the days where everything was "Flash" players, I had similar issues with weird directory requirements referencing between the player location, and the location of the media I wanted to play. Tore many handfuls of hair out for days over that one.
[/FONT][/FONT]
[/FONT]