tags:

views:

55

answers:

2
+2  Q: 

PHP - Ignoring script files from a directory when navigating to them?

Hey there.

I'm currently working on a file uploading sript in PHP, but i'm kind of stuck. Users are allowed to upload files such as PHP and JS, but i don't want the scripts to run when a user is trying to download them. Is it possible to block that somehow using htaccess or something?

Thanks in advance.

A: 

You can change the file extension of the uploads, like

my-file.php.txt
my-file.js.txt

Assuming that .txt files don´t get processed by php on your server...

jeroen  2010-05-21 14:21:03
Aaaah, good idea. Is there any smart way to check if a file contains plain text? Like a .php or a .js file? Cause i wont need to rename all exstensions such as .txt or .jpg..
Nike  2010-05-21 14:23:11
I don´t know if there's a real reliable way, but you can easily see what extensions your web-server will process as php, so these extensions and for example .js should be enough.
jeroen  2010-05-21 14:35:16
Well that's not a good idea either, cause there are other scripts than PHP that can be run. So if a user uploads a JS script it will run. Another way would be to grab the uploaded file exstention and then compare it to a list of scriptfile-exstentions and if it match, add ".txt" to the filename? I am however having problems finding a list.
Nike  2010-05-21 14:44:37
No, it doesn´t matter what scripts can be run: What matters is what scripts your server will process before sending the output to the browser. For example a .js file will display in Firefox and trigger a download dialog in IE, just enter any url to a .js file on your server.
jeroen  2010-05-21 15:37:38
+1  A: 

You can write a wrapper php file that sends the file content to the browser. But first you have to make sure that your uploaded files are stored outside the web root so that no one can access them via browser, unintentionally or otherwise.

The wrapper php script can go something along these lines:

<?php
    $f = $_GET[ "f" ];
    if ( filename_is_ok( $f ) && is_file( "../some_folder_outside_www/$f" ) )
    {
        header( "Content-Type: text/plain" );
        header( "Content-Disposition: attachment; filename=$f" );
        header( "Content-Length: " . filesize( "../some_folder_outside_www/$f" ) );
        readfile( "../some_folder_outside_www/$f" );
    }
    else
    {
        header("HTTP/1.0 404 Not Found");             
        echo "File not found (or you're not supposed to view this file)";
    }
    function filename_is_ok( $f )
    {
        // You'll have to implement it yourself
        return false;
    }
    // example calls:
    // http://website.com/download.php?f=test.php
    // http://website.com/download.php?f=test.js
?>
Salman A  2010-05-21 14:53:06
Perfect!! I'll give it a shot.
Nike  2010-05-21 14:55:29
Why was this downvoted? It seems like a good idea to me!
Josh  2010-05-21 15:00:11
-1 because the script provided will allow any visitor to download any source file of your site by providing a simple URL (ie. f=../your_webroot_folder/index.php). You have to sanitize the input first (to prevent visitors from escaping out of the folder you specified). The idea behind the solution is ok, the implementation is insecure as hell...
wimvds  2010-05-21 15:01:38
What happens if a user uploads an image for example? Will that be viewed in plain text?
Nike  2010-05-21 15:02:13
Nvm the last comment. It works great!
Nike  2010-05-21 15:04:34
wimvds has a point though. God it feels like i'm spamming now!
Nike  2010-05-21 15:05:22
I'd solve the insecurity by creating a table that will contain at least an ID and the filename (either a full path or just the filename, depending on how you want to store the uploads). And pass the ID to the download script, that's about as safe as can be. You check first if the ID exists, if it does check if the file is still there and do a readfile, if the ID doesn't exist or the file is no longer there display an error message. But never ever put the script above online as-is!
wimvds  2010-05-21 15:13:36
I already implemented that. Works great, thanks! :)
Nike  2010-05-21 15:47:20
Why the downvote when I said "something along these lines"? The OP is supposed to add sensitization and permission checking.
Salman A  2010-05-22 05:32:08

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases