Jump to content

Recommended Posts

I have often read to place upload directories(any directory with chmod 0777)
behind the www root(pulic_html in my case)

I understand the reasoning and would like my server to be as secure as possible but I also want to access the files uploaded via php for display. Is there something I am missing here? It seems uploaded files/directories are concidered safe when behind public_html because they are not accessible. Is there a method to still access these files from a browser?
Link to comment
https://forums.phpfreaks.com/topic/24066-security-access-files-behind-public_html/
Share on other sites

PHP can include files from above the web root just as it can below.  there is no difference, except that you need to specify how many directories to go up in the tree.  web users will not be able to access them, but PHP can serve them up from there.  as long as you code a PHP page to include the file you want, you can access it from the browser; you just can't access them directly.

any specific cases you're asking about?
You could set up a .htaccess file in the folder you wish to store these files. The .htaccess file can demand a password before giving you access to the folder.

[url=http://httpd.apache.org/docs/1.3/howto/htaccess.html#auth]http://httpd.apache.org/docs/1.3/howto/htaccess.html#auth[/url]
One specific case:

A form uploads an mp3 file say to a folder called music that is directly above public_html
then a php page plays the mp3 like

home/music/mp3
home/public_html/player.php

how do I access the mp3 file. Do I set an absolute path as variable some place?

I have tried with a basic html embed tag and file path as "../music/mp3" but this is not working. of course a URL will not work and I guess that is why the above path fails because it is a URL but how to access the mp3 with an absolute path for display?
while i've never used embed, for images you can source to a PHP file:

[code]<embed src="get_mp3.php?file=filename" />[/code]

get_mp3.php would probably look something like this:

[code]<?php

$file_location = '../music/'.$_GET['filename'];

// exit if the file doesn't exit
if (!is_file($file_location))
{
  exit;
}

// try to open and read the file, exit if it can't be opened
$handle = @fopen($file_location, 'r');
if ($handle !== FALSE)
{
  $contents = @fread($handle, filesize($file_location));
  fclose($handle);
}
else
{
  exit;
}

// spit out the file contents, provided they're not empty
if (!empty($contents))
{
  echo $contents;
}

?>[/code]

i can't tell you for sure whether this will work, but the analogous method for sourcing images above the root to a PHP file works.
well generally a malicious file could be accessed just like any other file because it is exactly that - a file.  however by using PHP to echo its contents you're less likely to cause the harm that would result from a user directly downloading and running the file, because you're controlling the circumstances under which the file's contents are being used.  here you're embedding the content, you could be using the content as an image source, etc.

that being said, a malicious file can always cause damage if it's been written properly and knows how it will be used, no matter where it is.  at least this way outside users cannot directly access it and you control how it is handled.
if a user is able to upload a PHP file, then your MP3's will only be one of your worries, so always important to filter ANYTHING that a user can send to your server (get/post/cookie/files).

what akitchen stated in his example will do the job nicely, however it just needs for you to send the correct header before echo'ing the contents. not sure what the MIME type is for MP3's (i think it has a few variations) but i always personally grab the MIME type from the $_FILES array when a user uploads the file and store it all in my database, and then:

[code]
<?php
header("Content-type: $mimetype");
echo $contents;
?>
[/code]

so in the event of a JPEG, it might be translated to: header("Content-type: image/jpeg")

it takes a bit of fiddling to get it working for all sorts, but it's definitely a much safer way than storing anything in your web root.
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.