Need code converted to work with PHP allow_url_include = off

Posted: Thu Jun 24, 2010 1:00 pm
by xanaftp
Hello. I'm trying to get a website to fully function, however I need a piece of PHP code to be converted so that it works with the allow_url_include being off. It needs to be off for another part of the website to work. Here is the code:

$code = $_GET["code"];
$fileaccess = $_GET["fileaccess"];
if (!isset($code)) { $code = ""; }
if (!isset($fileaccess)) { $fileaccess = "index.html"; }
include("http://mydomain.org/modules/Safe_Box/co ... fileaccess");

What happens is that part of the URL the user inserts looks like this: "?code=somecode&fileaccess=somefile.xxx" where code is a secret password the user has, and fileaccess is the name of the file to access.

Code is a name of a folder on the server, and inside that code is the file fileaccess. When no fileaccess value is supplied, the website assumes the user wants the index.html page inside that code folder.

I do realize this is not a completely safe method for securing files, but I have nothing private inside this system. This is simply like a "rewards system" where the user obtains a code and can download an mp3 or a picture of some sort.

Any help would greatly be appreciated. Thanks!

Re: Need code converted to work with PHP allow_url_include =

Posted: Thu Jun 24, 2010 1:23 pm
by requinix
1. Only use include with PHP files. Use readfile for the others.
2. If a file is hosted on the same server then use the filesystem path to it, not the web URL.

if (empty($_GET["code"])) {
    // stop: no code
    exit;
}

$code = $_GET["code"];
$fileaccess = (empty($_GET["fileaccess"]) ? "index.html" : $_GET["fileaccess"]);

// basename() strips any directory components from the user-supplied values
$file = $_SERVER["DOCUMENT_ROOT"] . "/modules/Safe_Box/codes/" . basename($code) . "/" . basename($fileaccess);
if (!is_file($file)) {
    // stop: file does not exist
    exit;
}

readfile($file);

Thanks for the help

Posted: Thu Jun 24, 2010 2:11 pm
by xanaftp
Thank you for the code! It works.

The only downfall (this isn't a very big downfall, but if it can be corrected please let me know): if, say, there's an mp3 waiting for someone and someone inserts in the URL "?code=somecode&fileaccess=some.mp3", instead of getting the mp3 they get a bunch of random characters. This doesn't have to be corrected if it is hard to, because I can always direct them to http://mydomain.org/modules/safe_box/codes/(the code)/some.mp3 and that works fine. I was just trying to avoid having to use the full path to files, and instead use the PHP GET function to access files. But if that can't be done for files such as mp3s, that's okay.

Again thanks for the code!

Forgot to mention, in case you are wondering why I use a PHP file for people to access files instead of just handing them the URL: it is because I change the encryption key every once in a while. The password given to the user is not the same as what goes under "code=". What is generated under "code=" changes depending on the password and the encryption key. This is to help prevent, to some extent, hot-linking of the files.

Re: Need code converted to work with PHP allow_url_include =

Posted: Thu Jun 24, 2010 2:30 pm
by ell0bo
The random characters are because you're returning a binary stream and not ASCII code. The page is attempting to interpret the code, however the browser thinks it's an HTML page. You need to change the headers to say it's a file instead of XML so you get the download. Otherwise you can just do a save page as... whatever and you're good to go. That's how it was done years ago...

Re: Need code converted to work with PHP allow_url_include =

Posted: Thu Jun 24, 2010 9:51 pm
by John Cartwright
You want to include (at minimum) the following headers to force downloads.

header("Content-Type: application/octet-stream");
// quote the filename so names containing spaces survive intact
header('Content-Disposition: attachment; filename="' . basename($file) . '"');
header("Content-Length: ".filesize($file));
See header() for more details
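
The two answers above combined into one download handler, as an added example that is not code from any poster in this thread. The `resolve_download()` helper and the `ALLOWED_TYPES` list are hypothetical names and assumptions; the directory layout is the one shown in requinix's post.

```php
<?php
// Added example, not code from the thread. Assumed layout (from the posts):
// DOCUMENT_ROOT/modules/Safe_Box/codes/<code>/<file>.
// Assumption: only these file types are handed out; extend as needed.
const ALLOWED_TYPES = [
    'html' => 'text/html; charset=utf-8',
    'mp3'  => 'audio/mpeg',
    'jpg'  => 'image/jpeg',
];

// Returns the absolute path of the requested file, or null if the request
// does not name an allowed regular file exactly at <base>/<code>/<file>.
function resolve_download($baseDir, $code, $fileaccess)
{
    $base = realpath($baseDir);
    if ($base === false || !is_string($code) || !is_string($fileaccess) || $code === '') {
        return null;
    }
    $fileaccess = ($fileaccess === '') ? 'index.html' : $fileaccess;
    // basename() strips directory parts but returns "." and ".." unchanged,
    // so resolve the path and confirm it is still two levels below $base.
    $real = realpath($base . '/' . basename($code) . '/' . basename($fileaccess));
    if ($real === false || !is_file($real) || dirname(dirname($real)) !== $base) {
        return null;
    }
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    return array_key_exists($ext, ALLOWED_TYPES) ? $real : null;
}

// Only runs when called through the web server (skipped on the CLI).
if (PHP_SAPI !== 'cli') {
    $file = resolve_download(
        $_SERVER['DOCUMENT_ROOT'] . '/modules/Safe_Box/codes',
        isset($_GET['code']) ? $_GET['code'] : '',
        isset($_GET['fileaccess']) ? $_GET['fileaccess'] : ''
    );
    if ($file === null) {
        http_response_code(404);
        exit;
    }
    $ext = strtolower(pathinfo($file, PATHINFO_EXTENSION));
    header('Content-Type: ' . ALLOWED_TYPES[$ext]);
    header('X-Content-Type-Options: nosniff');
    if ($ext !== 'html') {
        header('Content-Disposition: attachment; filename="' . basename($file) . '"');
    }
    header('Content-Length: ' . filesize($file));
    readfile($file);
}
```

The extension allow-list keeps the script from streaming PHP source or other server files that happen to sit in a code folder, and the `realpath()` comparison rejects requests that resolve anywhere other than directly inside one code folder.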