Server Help :: View topic - [PHP] Download file from non-web directory

Server Help

Non-Subspace Related Coding - [PHP] Download file from non-web directory

BDwinsAlt - Sat Feb 24, 2007 1:47 am
Post subject: [PHP] Download file from non-web directory

Is there anyway to get a file to download from a different directory on the server.
I can make it read a text file from another directory. I want it to let people download from there as well, if they have the proper authentication (already set up).

Webpath = /var/www
DLpath = /var/downloads

I need someone in Webpath to be able to download from DLpath.
Any ideas?

Here is an example of the auth module I used, point out any useful tips if you want.

Code: Show/Hide

<?php

$valid_passwords = array ("user1" => "pass1", "user2" => "pass2");
$valid_users = array_keys($valid_passwords);

$user = $_SERVER['PHP_AUTH_USER'];
$pass = $_SERVER['PHP_AUTH_PW'];

$validated = (in_array($user, $valid_users)) && ($pass == $valid_passwords[$user]);

if (!$validated) {
header('WWW-Authenticate: Basic realm="My Realm"');
header('HTTP/1.0 401 Unauthorized');
die ("Authentication is required to gain access to this area. All attempts are logged.");
}

// If arrives here, is a valid user.
echo "Welcome $user.";
echo "You have full access to the server list.";
$lines = file('/var/gallery/servers.txt');
// Loop through our array, show HTML source as HTML source; and line numbers too.
foreach ($lines as $line_num => $line) {
$line_number = $line_num + 1;
echo "Server {$line_number} : " . htmlspecialchars($line) . "\n ";
}
?>

Cerium - Sat Feb 24, 2007 3:18 am
Post subject:

What you would want to do is manually send the response headers with the content of the file you want to send...

This is an example ripped directly from my php-based playlist builder, so you may want to change a few of the values based on the type of file you'll be sending...

Code: Show/Hide

header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
   header("Content-Description: File Transfer");
   header("Content-Type: application/vnd.ms-wpl");
   header("Content-Length: " . filesize($strFile));
   header("Content-Disposition: attachment; filename=\"playlist.wpl\"");

At this point, you just dump the file contents directly to the output stream (via print/echo/etc).

Code: Show/Hide

print(file_get_contents($strFile));

And viola. The user never sees the actual location of the file (and thus, does not need direct access to it) and you can authenticate the user prior to sending.

Mine GO BOOM - Sat Feb 24, 2007 6:07 am
Post subject:

Please note that the above method is generally a huge cause for security concern. People will attempt to send '..' and '/' into your script to try and load /etc/passwd or other critical files. Generally the best way to prevent this is to have a database so the user sends an ID of the file, which your script looks up and links to the correct file.

BDwinsAlt - Sat Feb 24, 2007 11:54 am
Post subject:

Oh ok. I see what you're saying. Thanks SO much. You guys rock.

EDIT: The only thing is after this is sent it won't display my echos and stuff. How might I fix that?

Solo Ace - Sat Feb 24, 2007 12:17 pm
Post subject:

You... do realise that after

Code: Show/Hide

header("Content-...: .../...");

you're not actually displaying content in the browser anymore, right?
Everything you echo after this will be interpreted by the browser as content of the file it's retrieving...
You should just

Code: Show/Hide

exit;

BDwinsAlt - Sat Feb 24, 2007 1:58 pm
Post subject:

Ohhhhh thanks solo. I've never really worked too much with headers.

Solo Ace - Sat Feb 24, 2007 2:14 pm
Post subject:

The headers tell the browser what kind of data it's supposed to expect. It's like "I'm going to send you a x-type file".
The browser expects everything after the full header to be the content of that file.
So, if you're going to echo stuff to the browser, the browser will interpret that as content of that file.
It's up to the browser if it wants to/can display the contents of the file.

Anonymous - Wed Jul 25, 2007 3:30 am
Post subject: changing password by user

how to allow to user to change his password ang login? is it possible in this code?

BDwinsAlt - Wed Jul 25, 2007 5:46 pm
Post subject:

I made the script use mysql for authentication. Google it and you can add it.

CypherJF - Wed Jul 25, 2007 7:17 pm
Post subject:

I'm disappointed, you used the echo quote, quote syntax:

Code: Show/Hide

echo "...";

You should use single quotes if there is no reason for back-replacement in the string.

Code: Show/Hide

echo '...';

It also makes your life easier for including HTML, which can allow for valid website markup.