  1. #1

    fopen/fpassthru most files won't open! but pdf and txt do... see for yourself!

    hi there, can someone please tell me what is the problem here:
    http://www.dharmonynow.com/filez/

    when a link to a file is clicked by a user, .htaccess shoots control over to authorize.php:
    want to prevent other users from snooping in private folders.
    before I added the pass through authorize.php everything was working great.
    session stuff was removed for troubleshooting.

    ################ AUTHORIZE.PHP
    <?php
    // session_start();
    require_once $_SERVER['DOCUMENT_ROOT'] . '/require/connection.php';
    // require_once $_SERVER['DOCUMENT_ROOT'] . '/require/auth-session.php';

    //assign current member from session
    $current_couple = 377;

    // pull folder from url
    $mystring = $_SERVER['REQUEST_URI'];
    $findme = '/';
    $pos = strrpos($mystring, $findme);
    $path = substr("$mystring", 0, $pos);
    $folder = substr("$path", 16);

    // dissect path and file name just to troubleshoot
    $pathtofile = $_SERVER['DOCUMENT_ROOT'].$_SERVER['REQUEST_URI'];

    $path_details=pathinfo($pathtofile);
    $nameandext = $path_details['basename'];
    $justext = $path_details['extension'];
    $justname = $path_details['filename'];
    $mtype = mime_content_type($pathtofile); // correct results except for .doc and .xls
    /* echo "<p />";
    echo "folder in path matches current couple";
    echo "<br>";
    echo $pathtofile; // complete path with file and extension
    echo "<br>";
    echo $path_details['dirname']; // complete path to dir
    echo "<br>";
    echo $path_details['basename']; // file name & extension
    echo "<br>";
    echo $path_details['extension']; // file extension
    echo "<br>";
    echo $path_details['filename']; // file name
    echo "<br>";
    echo "mime type is: " . $mtype;
    echo "<br>";
    */

    if ($current_couple == $folder) {

        if (file_exists($_SERVER['DOCUMENT_ROOT'].$_SERVER['REQUEST_URI'])) {

            // Open the file for reading
            $fp = fopen($_SERVER['DOCUMENT_ROOT'].$_SERVER['REQUEST_URI'], 'r');

            // Set mime type to header
            header('Content-type: '.mime_content_type($_SERVER['DOCUMENT_ROOT'].$_SERVER['REQUEST_URI']));

            // Send the contents of the file to the browser
            fpassthru($fp);
            fclose($fp);

        } else {
            // File not found
            die('File not found');
        }
    } // end of IF AUTHORIZED
    else {
        die('Access denied');
    }
    ?>
    ######################################## END

    mime content type results are more or less correct (doc and xls files id'ed as txt). but does spot jpg and gif correctly.
    no whitespace in code.
    files are not corrupt, they download just fine.
    pdf and txt files display fine.
    IS THIS A PROBLEM WITH HEADERS, OR CACHE STUFF, OR WHAT?

    I'm really lost here and in dire need of a point in the right direction PLEASE.

    with much thanks,

    mdh

  2. #2
    gRoberts
    You could try using `readfile` instead? This effectively outputs the file to the browser, but without having to use `fopen`. You would still need to set the content type first however.


  3. #3
    thanks Roberts!

    no diff... getting exact same behavior with readfile(). thinking the problem is somewhere before... something earlier... but what!!

    taking a BIG step back - is there a better way to secure these files??? the only reason I'm going through this hell is to keep people from snooping in other users' folders.

    for example:
    a user clicks one of their own files, it opens in new window - they notice URL bar reads http://domain.com/files/377/doc_name.doc
    so they get the bright idea and alter URL to http://domain.com/files/84/2011_taxes.pdf
    that could happen without my detour to authorize.php

    is there another way to protect a folder???
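
Added example, not part of the thread and not the poster's code: one way to write the per-member check that post #3 asks about, so that editing the folder number in the URL gets nothing back. It assumes the existing .htaccess rule still routes /filez/... requests to this script, that the files are moved outside the web root, and that login stores the member id in the session; `STORAGE_ROOT`, `member_id` and `resolve_member_file()` are hypothetical names.

```php
<?php
// Added example. Assumptions: files live OUTSIDE the web root in
// STORAGE_ROOT/<member id>/, and login sets $_SESSION['member_id'].
declare(strict_types=1);

const STORAGE_ROOT = '/var/private/filez';   // hypothetical location

// Map a request URI such as /filez/377/report.doc to a file on disk, or
// return null when the request is not for a file in the caller's own folder.
function resolve_member_file(string $requestUri, int $memberId, string $root): ?string
{
    // Drop the query string and decode %20 etc. before touching the disk.
    $path = rawurldecode((string) parse_url($requestUri, PHP_URL_PATH));

    // Expect exactly /filez/<folder>/<name>; the folder must be the caller's.
    if (!preg_match('#^/filez/(\d+)/([^/]+)$#', $path, $m) || (int) $m[1] !== $memberId) {
        return null;
    }

    // realpath() resolves ".." and symlinks; the result must still sit
    // inside this member's directory.
    $base = realpath($root . '/' . $memberId);
    $file = realpath($root . '/' . $memberId . '/' . $m[2]);
    if ($base === false || $file === false || !is_file($file)
        || strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $file;
}

session_start();
$memberId = (int) ($_SESSION['member_id'] ?? 0);   // 0 means not logged in
$file = $memberId > 0
    ? resolve_member_file($_SERVER['REQUEST_URI'], $memberId, STORAGE_ROOT)
    : null;

if ($file === null) {
    http_response_code(404);   // same answer for "missing" and "not yours"
    exit;
}

// Detect the type from the file's content and tell the browser not to guess.
header('Content-Type: ' . (new finfo(FILEINFO_MIME_TYPE))->file($file));
header('Content-Length: ' . filesize($file));
header('X-Content-Type-Options: nosniff');
header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode(basename($file)));
readfile($file);
```

Because the files no longer sit under the document root, a request that bypasses the rewrite rule has nothing to reach; the script is the only path to them.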

