
I have some files saved outside the webroot and need to allow posts in WordPress to be able to access the files.

Following is the location of one of the files:

/home1/Mathone/TESTS/Test1/index1.html

I created a Download.php file with the following code and saved it to public_html of my site:

<?php
$path = '/home1/Mathone/TESTS/'. $_GET['filename']; // user-supplied name appended to the path unchecked
$mm_type="application/octet-stream";
header("Pragma: public");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Cache-Control: public");
header("Content-Description: File Transfer");
header("Content-Type: " . $mm_type);
header("Content-Length: " .(string)(filesize($path)) );
header('Content-Disposition: attachment; filename="'.basename($path).'"');
header("Content-Transfer-Encoding: binary");
readfile($path); // outputs the content of the file
exit();
?>

Next, I created a post in wordpress with the following link:

<a href="www.mysite.com/download.php?filename=Test1/index1.html">download</a>

I am getting an error

This is somewhat embarrassing, isn’t it?

It seems we can’t find what you’re looking for. Perhaps searching can help.

Can anyone tell me what I am doing wrong? Thank you

You let me download any file from your server? Cool, let's start with your passwords.

Guys, please think before you write code. We already have enough WordPress vulnerabilities; no need for a new one. If you don't know how to write proper code, then don't write any code at all. Use a plugin, hire somebody or whatever.

I forgot to mention that I am a newbie. I found this code on the internet somewhere and was trying to make it work. I guess, no more php coding for me. 

Since that is out of the way, one more related question then: what I was trying to do with the above code was to prevent direct URL access to my files. Based on what I have read on several forums, it is best to move the files outside of the root directory to prevent hotlinking and direct access.

Do you have any recommendations on how to make the files available for paid members only on my site? I am planning on using either memberpress or membermouse as the membership plugin. 

I have looked at Wordpress Download Manager, WP Document Revisions, etc., but they don't work for me, as each of my courses is saved into multiple files in a data folder and a .html file that refers to all the files in the data folder.

Thanks. 

Isn't this pretty much the same issue as mine? Is there a way for me to do the same thing but without the security issues mentioned above by Jacques?

http://forums.phpfreaks.com/topic/286117-how-to-sucure-a-folder-but-still-accessable/?hl=%2Baccess+%2Bfile+%2Boutside+%2Bwebroot#entry1468540 

I guess, no more php coding for me. 

Keep on coding, but just don't write a banking app until you know more.

Typically, files not meant for public viewing are kept under the HTML root, or within it but protected using the webserver (Apache, etc.). I don't see any reason to go the latter path, and would put them under the root.

Regardless, you use your application to restrict access to the download function, and either use PHP's readfile() or Apache's (assuming you are using apache) X-Sendfile module to download them.

You need to be careful to prevent the user from accessing files which you do not wish them to. For instance, look at this line. What if I used a URL which made filename equal to ../../yourpasswords? Not ideal :(

$path = '/home1/Mathone/TESTS/'. $_GET['filename'];
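A hardened version of the handler discussed in this reply, added here as an example; it is not code from any poster in the thread. It assumes the private directory /home1/Mathone/TESTS from the original post, a placeholder is_paid_member() standing in for whatever MemberPress or MemberMouse actually provides, and, for the optional X-Sendfile branch, Apache's mod_xsendfile. The filename is first checked against a strict allow-list, then canonicalised with realpath() and required to still lie under the private root, which also catches symlinks pointing out of it. Run from the command line it exercises the check against a constructed directory tree.

```php
<?php
// Added example (not the original poster's Download.php): serve files kept
// outside the web root without letting the client choose arbitrary paths.
// Assumptions: PRIVATE_ROOT is the private directory from the thread, and
// is_paid_member() is a stand-in for the membership plugin's own check.

const PRIVATE_ROOT = '/home1/Mathone/TESTS';

// Stand-in for MemberPress/MemberMouse: replace with the plugin's API (assumption).
function is_paid_member(): bool
{
    return function_exists('is_user_logged_in') && is_user_logged_in();
}

/**
 * Resolve a client-supplied relative name to an absolute path inside $root.
 * Returns null when the name is malformed, escapes the root (via "..", an
 * absolute path or a symlink), or does not name an existing regular file.
 */
function resolve_private_file(string $root, string $name): ?string
{
    // Allow-list: one or more segments of [A-Za-z0-9_.-], each starting with a
    // letter, digit, underscore or dash. This rejects "", "/abs", ".", "..",
    // empty segments, NUL bytes and raw "%2F" before the filesystem is touched.
    // \z (not $) so a trailing newline cannot slip past the anchor.
    $segment = '[A-Za-z0-9_\-][A-Za-z0-9_.\-]*';
    if (!preg_match("#^{$segment}(?:/{$segment})*\z#", $name)) {
        return null;
    }

    $rootReal = realpath($root);
    $fileReal = realpath($root . '/' . $name);
    if ($rootReal === false || $fileReal === false || !is_file($fileReal)) {
        return null;
    }
    // The canonical path must still be under the canonical root (symlink defence).
    if (strpos($fileReal, $rootReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $fileReal;
}

// Send the file; with mod_xsendfile Apache streams it instead of PHP.
function send_private_file(string $path, bool $useXSendfile = false): void
{
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Cache-Control: private, no-store');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    if ($useXSendfile) {
        // Needs "XSendFile On" and an XSendFilePath covering PRIVATE_ROOT.
        header('X-Sendfile: ' . $path);
        return;
    }
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

if (PHP_SAPI !== 'cli') {
    if (!is_paid_member()) {
        http_response_code(403);
        exit('Members only');
    }
    $name = isset($_GET['filename']) && is_string($_GET['filename']) ? $_GET['filename'] : '';
    $path = resolve_private_file(PRIVATE_ROOT, $name);
    if ($path === null) {
        http_response_code(404); // same answer whether the path existed or not
        exit('Not found');
    }
    send_private_file($path);
    exit;
}

// Command-line self-check against a constructed directory tree (not real data).
$base = sys_get_temp_dir() . '/dl_' . bin2hex(random_bytes(4));
mkdir("$base/private/Test1", 0700, true);
file_put_contents("$base/private/Test1/index1.html", '<h1>course</h1>');
file_put_contents("$base/secret.txt", 'outside the private root');
symlink("$base/secret.txt", "$base/private/link.txt");

$probes = [
    'Test1/index1.html',       // the legitimate link from the post
    '../secret.txt',           // classic traversal
    'Test1/../../secret.txt',  // traversal hidden behind a valid prefix
    '/etc/passwd',             // absolute path
    "Test1/index1.html\0.txt", // NUL-byte truncation attempt
    'link.txt',                // symlink escaping the root
];
foreach ($probes as $probe) {
    $result = resolve_private_file("$base/private", $probe);
    printf("%-26s %s\n", addcslashes($probe, "\0"), $result === null ? 'REJECTED' : 'OK ' . $result);
}

// Tidy up the constructed tree.
unlink("$base/private/link.txt");
unlink("$base/private/Test1/index1.html");
unlink("$base/secret.txt");
rmdir("$base/private/Test1");
rmdir("$base/private");
rmdir($base);
```

Two design points: the allow-list is checked before realpath() so a NUL byte or a "%2F" never reaches the filesystem, and the membership check runs before the path is even looked at, so an unauthenticated request learns nothing about which names exist. The X-Sendfile branch hands the absolute path to Apache, so the directory must be listed in XSendFilePath or Apache will refuse it.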

I disagree. Typically files not meant for public viewing would NOT be placed under the document root. That's how you keep them from being viewed with a browser and a hijacked form.

Please elaborate. When I said "under", I mean beneath and not in the document root.

If www is your web root, then all of those folders except / are "web-accessible".

Now - if you had this

/
/var/
/var/www/
/var/www/html/someAccessibleDirectory/
/var/www/someDirectoryUndertheRoot/
/var/php
/var/php/inc
/var/php/scripts

All of the /var/php folders are NOT web-accessible and that is where you would store things you described. Same with the /var folder obviously.

Yea, I know. The problem was with my poor naming convention of under/over. I use Redhat/CentOS, whose default is /var/www/html/ as the Apache root. As such, I typically put files related to the website but not web accessible (my PHP scripts and private documents) in /var/www/, and either put a single index.php or symbolic link in /var/www/html/.
