hackalive Posted May 5, 2012

Hi guys, I am using a MySQL table to store if a user has access permissions to a file. The files are stored outside the web directory in drive F:\

So I have this code I have been playing around with in order to display the file I access and check permissions for:

```php
<?php
$file = $_GET['file'];
$myfile = 'F:\files\/'.$file.'.jpg';
echo "<img src='$myfile' />";
?>
```

So a sample case would be say on index.php

```html
<img src="http://somedomain.com/files?file=abcdefghijkl" />
```

and only if the current user had permissions to view that file would they see it.

Any help on how I can do this is greatly appreciated. I do understand all my above code is probably totally wrong.

Cheers

Link to comment: https://forums.phpfreaks.com/topic/262111-files-from-directory/

trq Posted May 5, 2012

The F:\ drive will not be accessible because it is outside of the web server's root. You will need to use a PHP script to serve up the file. There is an example of how to do so in our code snippet / repository board.

hackalive Posted May 5, 2012 Author

Hello thorpe, I did think my code wasn't totally right. Can you provide a link to the sample code?

trq Posted May 5, 2012

This is the script I was thinking of. Not exactly what you need, as this will force a download, but hopefully you'll get the idea.

The idea is to create a PHP file called image.php or whatever, have it do the database check and all that jazz, then if the user has access set the appropriate headers to make the image.php file serve an image. All you would need to do then is place it in your src attribute, e.g.:

```php
echo "<img src='image.php?f=somefile' />";
```

I'd post an example except the in-laws are on their way.

hackalive Posted May 5, 2012 Author

Thanks thorpe, I'll have a play with it and see what I can get to work.

hackalive Posted May 5, 2012 Author

Here is my code:

test.php

```php
<?php
echo "<img src='filehandler.php?file=1' />";
?>
```

filehandler.php

```php
<?php
$file = $_GET['file'];
// You would need a way to set the extension automatically.
$file = 'F:\files\/'.$file.'.jpg';
// I use this $content_type so that the handler can become multi-purpose.
// You will need an auto way to adjust the final $file line above.
$content_type = mime_content_type($file);
header("Content-Type: $content_type");
@readfile($file);
?>
```

All seems to work, without permissions yet.

trq Posted May 5, 2012

There is nothing stopping anyone from using your script now to look at whatever images they like though. You need to put the actual permissions checks in this file itself and maybe serve an "Unauthorised" image or something if your user doesn't have sufficient permissions.

hackalive Posted May 5, 2012 Author

I am implementing that now. I just wanted to get the header stuff to work first.
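
The permission check trq describes, placed in the handler itself, as an added example that is not code from any poster in this thread. The session key `user_id`, the table `file_permissions(user_id, file_name)`, and the database DSN and credentials are assumptions; the example also restricts the `file` parameter to a plain identifier so the request cannot name a path outside `F:\files`.

```php
<?php
// filehandler.php - added example, not code from the thread.
// Assumptions (hypothetical): login code stores $_SESSION['user_id']; a MySQL
// table file_permissions(user_id, file_name) lists what each user may view;
// the DSN, user name and password below are placeholders.
declare(strict_types=1);
session_start();

const BASE_DIR = 'F:\\files';

function deny(int $status): void
{
    http_response_code($status);
    exit;
}

// 1. Accept only a plain identifier: no slashes, dots, drive letters or NUL bytes.
$name = $_GET['file'] ?? '';
if (!is_string($name) || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
    deny(404);
}

// 2. The caller must be logged in and listed for this file. This runs before
//    any disk access, so a user without access gets 403 whether or not the file exists.
$userId = $_SESSION['user_id'] ?? null;
if ($userId === null) {
    deny(403);
}
$db = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4', 'app_user', 'CHANGE_ME',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$stmt = $db->prepare('SELECT 1 FROM file_permissions WHERE user_id = ? AND file_name = ?');
$stmt->execute([$userId, $name]);
if ($stmt->fetchColumn() === false) {
    deny(403);
}

// 3. Resolve the real path and confirm it is still inside BASE_DIR.
$base = realpath(BASE_DIR);
$path = realpath(BASE_DIR . DIRECTORY_SEPARATOR . $name . '.jpg');
if ($base === false || $path === false
    || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
    deny(404);
}

// 4. Send it as an image, with no MIME sniffing and no shared caching.
header('Content-Type: image/jpeg');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($path);
```

The `<img src='filehandler.php?file=1' />` tag from test.php works unchanged; a denied request renders as a broken image unless step 2 is changed to send a placeholder image instead.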