-3

i have an uploads folder on my website. What i want to do is restrict users from accessing like i dont want them to go to www.mysite.com/uploads/ and see the files in there and it should show forbidden, but they should be able to download via my website, for example www.mysite.com/downloads.php?id=1

If thats not possible, how can i atleast not show them the directory index on /uploads

How is it that file sharing websites does this?

An htaccess with

deny from all

stops php from accessing the file as well
Please tell me a solution if you would know, i googled and asked on irc a few days ago about this issue, its pretty confusing to me.

Marshall Mathews
  • 347
  • 5
  • 18
  • 3
    put the folder outside the web root, problem solved. –  Mar 28 '12 at 22:55
  • you mean outside /public_html/ ? – Marshall Mathews Mar 28 '12 at 22:57
  • yes. that's how most of us do it –  Mar 28 '12 at 22:59
  • 1
    Security through obscurity is never the answer. In other words, I hope downloads.php has some form of authorisation handling. Otherwise there's nothing to stop someone trying many combinations of `?id=...` – cmbuckley Mar 28 '12 at 23:01
  • +1 for @Dragon. Don't mess with chmod function. I had tried all methods for restricting files from outside. The best way is putting files behind the webroot. – jsonx Mar 28 '12 at 23:01

5 Answers5

2

If you want to hide your file url from users, its better to move upload folder above of your webroot directory. So nobody can access from browser. How you make download.php

<?php

 /*
    Step 1. Authorization check
    Step 2. get name or id of file that will download $_GET
    Step 3. check if its valid (security check)
    Step 4. check if that file exist in your upload directory
    Step 5. set header using header() function put content-type, attachment etc
    Step 6. readfile and output it
 */
 ?>
safarov
  • 7,793
  • 2
  • 36
  • 52
  • +1 but worth mentioning user authentication, otherwise it has no real value over proper Web server config. – cmbuckley Mar 28 '12 at 23:02
  • @cbuckley Thanks, For this situation yes, you're right. But when its usefull to give dynamic and temporary download link (as OP mentioned share hosting websites) and hiding real path to file. – safarov Mar 28 '12 at 23:06
  • the only way i know how to let users download file is to link them to the file, im not sure how to do step 5 which you mentioned, is there a guide you can link me? – Marshall Mathews Mar 28 '12 at 23:10
  • @MarshallMathews Have a look at the documentation for [readfile](http://php.net/readfile). – cmbuckley Mar 29 '12 at 19:43
0

Add this line in your .htaccess file

Options -Indexes
QuantumBlack
  • 1,549
  • 11
  • 27
0

Place an index.htm file in your uploads folder or place Options -Indexes in your .htaccess file

Paul
  • 1,068
  • 8
  • 8
0

Why not just make a place for downloadable things (mkdir publicuploads), but chmod 700 your uploads folder? Then they can download what you allow them to download...

corvid
  • 10,733
  • 11
  • 61
  • 130
  • I mean you basically just actively choose what is in the public uploads, and what people have access to, by making a separate directory for the public. – corvid Mar 28 '12 at 23:33
0

Using a .htaccess file with deny from all will stop people accessing that folder, It wont stop php from accessing it, but you could put your files one directory lower then your htdocs/www/public_html folder and use php to grab and serve thos files.

With passing a parameter eg: ?id=1 you would access the 1 with $_GET['id'] you would need to check if the file exists, add some http headers to force the download.

Heres a simple example you can work on:

<?php 
//your below webroot downloads folder
$path="/var/www/somehost.com/downloads/";

//An array created from globing the download directory or from a database source
$files=array('somefile.gif',
             'someotherFile.png');


//In my example the id is the key to the file pathe array so 0 would be somefile.gif and 1 would be the next.
if(isset($_GET['id'])){
    //Is it numeric?
    if(is_numeric($_GET['id']) && isset($files[$_GET['id']])){
        //Download the file, the download function will return error on fail, eg: not found or directory
        $status = download($path.$files[$_GET['id']]);
        //Spit out the error
        if(isset($status['error'])){
            die($status['error']);
        }
    }
}

function download($file,$chunk=1024){
    if (file_exists($file)) {
        if(is_dir($file)){return array('error'=>'Not allowed!');}
        //Set content headers to force download.
        header('Content-Description: File Transfer');
        header('Content-Type: application/octet-stream');
        header('Content-Disposition: attachment; filename="'.str_ireplace(' ','_',basename($file)).'"');
        header('Content-Transfer-Encoding: binary');
        header('Connection: Keep-Alive');
        header('Expires: 0');
        header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
        header('Pragma: public');
        //If download is larger the 2GB, alls not lost
        header('Content-Length: '.sprintf("%u", filesize($file)));
        //Clean the buffer
        ob_clean();
        //Open a handle to the file
        $handle = fopen($file, "rb");
        $chunksize=(sprintf("%u", filesize($file))/$chunk);

        set_time_limit(0);
        //Loop through the file 
        while (!feof($handle)) {
                    //Echo a piece of the file out
            echo fgets($handle, $chunksize);
            flush();
        }
        fclose($handle);
        die;
    }else{return array('error'=>'Not found!');}
    return;
}
?>

You would also need to check user permission on the file, but thats another question.

Lawrence Cherone
  • 46,049
  • 7
  • 62
  • 106