Not show the whole path/link, but still keep the ability to click it to download the file

I have a form on a web site to submit/upload recorded webcam video files. And then an email, with a file link (to the uploaded file) is sent. It all works successfully. When I access my email to see the arrived message, (via pc) and select the link (to the video file), it automatically downloads the file successfully. How can I not show the whole path/link, but still keep the ability to click it to download the file? Any help will be appreciated. Here’s the submit.php file:

<?php
if($_POST){
	$to = 'form@....com';
	$subject = 'NewForm';
	$name = $_POST['name'];
	$email = $_POST['email'];
	$message = $_POST['message'];
	$headers = $name;

	// Array keys must be quoted outside a double-quoted string
	$message .= "Hello ".$_POST['name']." - Here is the link to your video: ".$_POST['videolink'].". Created by ".$_POST['email']." ";
	header('Location: https://....com');
	exit;
}
?>

I would think that rather than posting the link, you could post a link to a short PHP script that contains your unique id for the video, and that short PHP script would then handle delivering the file to the user. You have the potential then to include other stuff such as a user id, which could govern whether the user is able to access that video.

1 Like

Thanks for your reply. However, I don’t know how I would “a short PHP script that contains your unique id for the video, and that short PHP script would then handle delivering the file to the user”. Would you like to provide an example?

As an example of what you want here, rather than the whole path or link, what would you want displayed?

Thanks for your reply. “rather than the whole path or link” I’d like just some text like “Download File”, for example. They click the text and the file downloads.

Ok, so rather than just sending plain text in the e-mail body as you do now, you’ll have to build up and send a message with an html body and have the link in an <a href=''> tag as you would when you make a link in a normal web page.
I can’t see the part in your code that does the actual sending of the email, what are you using for that, the normal mail() function?

1 Like

This is the working code currently:


<?php

{
	$youremail = 'form@....com';

	$body = "NewForm:
	Name:  $_POST[name]
	E-Mail: $_POST[email]
	Message: $_POST[message]
	Video: $_POST[videolink]";

	// Default to no extra headers so $headers is always defined
	$headers = '';
	if( $_POST['email'] && !preg_match( "/[\r\n]/", $_POST['email']) ) {
	  $headers = "From: $youremail";
	}

	mail($youremail, 'Contact Form', $body, $headers );

	// Start a fresh message; array keys must be quoted outside a string
	$message = "Hello ".$_POST['name']." - Here is the link to your video: ".$_POST['videolink'].". Created by ".$_POST['email']."";

	// Message to sender
	mail($_POST['email'], 'VIDFILE', $message, $headers );

}

if(empty($error))
{
header('Location: http://....com');
exit;
}
?>

Is there any way to hide the link, but display some text, like “Download File”?
Any additional help will be appreciated

The first thing you need to do is format your message string as valid html. To do that you put <html> and <body> tags around the existing text.
Next, to make the link show up the way you want, you add an <a> tag, you put the url inside the tag’s “href” attribute, and the text you want to display between the opening and closing of the tag. This should give you something like this:

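// Escape user-supplied values before placing them in the HTML body
$message = "
     <html>
        <body>
            Hello ".htmlspecialchars($_POST['name'])." - Here is the link to your video: <a href='".htmlspecialchars($_POST['videolink'], ENT_QUOTES)."'>Download File</a>. Created by ".htmlspecialchars($_POST['email'])."
        </body>
     </html>
";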

That takes care of the content of the message, but there is one more thing you need to do for this to work correctly. You need to make sure e-mail clients know that the body in your e-mail is html and not just plain text as before. You do this by passing two additional e-mail headers to the mail() function.
So add these into your existing $headers variable:

    $headers = "MIME-Version: 1.0" . "\r\n";
    $headers .= "Content-type:text/html;charset=UTF-8" . "\r\n";
    if( $_POST['email'] && !preg_match( "/[\r\n]/", $_POST['email']) ) {
        $headers .= "From: $youremail" . "\r\n";
    }

Notice that this means that both your “Contact Form” and your “VIDFILE” e-mail use the same headers, so both will now be rendered as html e-mails. So you will either have to also format your “Contact Form” body as html OR you will have to build up two separate headers for the 2 different emails.

How about the one in your previous topic.

If security or permissions is a concern, this method can store the file below the root where it’s not publicly accessible, but the script can be made to retrieve it if the request meets your permissions criteria. Eg, things like user ID, file ID, encoded unique key code, can be in the URL.

Thanks for that html guidance. That worked successfully. Much appreciated. However, of course if you right-click to inspect “Download File” you can see the path. But, the path shows, for example, “https://…com/upload/WC-20181125-htqsygk257.mp4” (with the actual domain name omitted for this post). The file name is obviously the date, but then ten random numbers generated upon upload in . So, even if a devious person wanted to access the upload/ folder, he would have to know the file names that he is trying to access, correct? So, my question is, are the random file names helping prevent devious-person from accessing other files in that folder?

The randomly generated filenames certainly help, as long as you also have Directory Listing switched off for the upload directory in your Apache configuration. You can check by typing https://…com/upload/ into a web browser, if you see a page with a list of the uploaded files, the world can see it too.

Even with Directory Listing disabled, the protection you get from randomly generated filenames only goes so far. If someone got hold of one of any specific filenames in whatever way, they will be able to download the files as and when they want to.

It really just depends on what level of security is acceptable in this specific project.

If you do require more protection, the next level would involve implementing some kind of authentication (login) system which would allow only authenticated users to download the files they themselves have uploaded. This is what @droopsnoot and @SamA74 have been working toward in their posts above.

1 Like

Thanks for that informative reply. Greatly appreciated.
Yes, I have now switched off the directory. But, of course, the random file name is shown as the name of the downloaded file, and the path can be seen upon right-click > inspect. But, no other file names are now readily viewable, due to the directory switch off. 🙂

However, I’m not clear on this part: “If someone got hold of one of any specific filenames in whatever way, they will be able to download the files as and when they want to”.
I don’t know how they could download any other files, now, without the whole file name. Any further enlightenment will be welcomed.

Sorry, that sentence didn’t come out right, let me explain what I was trying to say.

Let’s say a certain user uploads a file and it gets a random filename and they get sent the url, say https://…com/upload/WC-20181125-htqsygk257.mp4
Now let’s say your user sends that url to their friends, or they post it on a forum somewhere. There is nothing to stop absolutely anyone who gets their hands on that url from downloading that specific file from your site.

That may or may not be what you want, but that’s what your current implementation will allow.

1 Like

Thanks for the enlightenment. Much appreciated.
What would be the simplest prevention? An expiring link?
I look forward to any simple idea/implementation solution

Sure, if it makes sense in your application. You could write a script that deletes all files older than a threshold date from your upload directory and set up a cron job to run it regularly.

Everything else I can think of would involve some kind of user identification and authentication, which would open a whole new can of worms.
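The ideas raised in this thread (a short PHP script that delivers the file by id, files stored outside the web root, and an expiring link) can be combined without a login system. The following is an added example, not code posted by anyone in the thread: the secret, the upload directory, the example.com URL and the file-id pattern (modelled on the sample name WC-20181125-htqsygk257) are assumptions.

```php
<?php
// Added example (not from the thread). SECRET, UPLOAD_DIR and the URL are placeholders.
const SECRET     = 'replace-with-a-long-random-secret'; // load from config kept outside the web root
const UPLOAD_DIR = '/var/www/private_uploads';          // assumed directory NOT served by Apache

// Build the link to e-mail: file id + expiry time, authenticated with an HMAC.
function make_download_url(string $fileId, int $ttlSeconds): string {
    $expires = time() + $ttlSeconds;
    $sig = hash_hmac('sha256', $fileId . '|' . $expires, SECRET);
    return 'https://example.com/download.php?' . http_build_query(
        ['id' => $fileId, 'expires' => $expires, 'sig' => $sig]);
}

// Return true only for an unexpired link whose signature matches.
function link_is_valid(string $fileId, int $expires, string $sig, int $now): bool {
    if ($now > $expires) {
        return false;
    }
    $expected = hash_hmac('sha256', $fileId . '|' . $expires, SECRET);
    return hash_equals($expected, $sig); // constant-time comparison
}

// download.php request handling (skipped when the file is run from the CLI)
if (PHP_SAPI !== 'cli') {
    $id      = (string)($_GET['id'] ?? '');
    $expires = (int)($_GET['expires'] ?? 0);
    $sig     = (string)($_GET['sig'] ?? '');

    // Accept only the upload name pattern, so the id can never contain "/" or "..".
    if (!preg_match('/^WC-\d{8}-[a-z0-9]{10}$/', $id)
        || !link_is_valid($id, $expires, $sig, time())) {
        http_response_code(403);
        exit('Link invalid or expired');
    }
    $path = UPLOAD_DIR . '/' . $id . '.mp4';
    if (!is_file($path)) {
        http_response_code(404);
        exit('File not found');
    }
    // Generic download name, so the stored file name is not revealed to the client.
    header('Content-Type: video/mp4');
    header('Content-Disposition: attachment; filename="video.mp4"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}
```

The mail script would call make_download_url() with the uploaded file's id and put the result in the href of the “Download File” link. A forwarded link still works until it expires, so the lifetime chosen is the window in which anyone holding the URL can fetch the file.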

Thanks again so much for your informative replies. After processing it all, it seems that providing a link is too much trouble. I think I will just send a “thanks for the submission” email. But I’d like to know how to have a no reply email address in place of this address:

<?php

{
	$youremail = 'form@....com';

,, ,, ,, ''

any help will be appreciated

I think this new question is drifting a bit far from the original topic again. Could you please post this as a new topic.

1 Like

Create a new email address on your domain called “no-reply@example.com”, configure it either as a black hole or have a mailbox that never gets read, and specify that instead of the genuine from-address.

As a user, sites that send emails from a “no-reply” address annoy me intensely. What if the user receives the email and has a question about it, what if someone has spoofed their credentials and they don’t know about it until the email arrives, and want to correct it?

2 Likes
