mongmong seesee

Reputation: 1015

How to hide download file path from user using php?

When a user wants to download a file from my website, the user has to click a link like the one below:

https://www.example.com/download.php?aaa=111&bbb=222

download.php

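<?php
session_start();
include("connect.php");
// Array keys must be quoted strings; bare aaa/bbb are treated as undefined constants.
// mysql_real_escape_string() needs the legacy mysql extension (removed in PHP 7.0).
$aaa = mysql_real_escape_string($_GET['aaa']);
$bbb = mysql_real_escape_string($_GET['bbb']);
// Compare with == and combine with &&; a single = would assign, and & is bitwise.
if (($aaa == '111') && ($bbb == '222'))  // this line is just an example for asking on Stack Overflow
{
    $filePath_try_to_download = 'attachments_files/test.pdf';
    if (file_exists($filePath_try_to_download))
    {
        $fileSize = filesize($filePath_try_to_download);
        $fileName = "test.pdf";
        header("Cache-Control: private");
        // application/octet-stream is the registered type for generic binary downloads.
        header("Content-Type: application/octet-stream");
        header("Content-Length: " . $fileSize);
        header('Content-Disposition: attachment; filename="' . $fileName . '"');
        // Output file.
        readfile($filePath_try_to_download);
        exit();
    }
}
?>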

I want to know: when a user downloads a file from this link https://www.example.com/download.php?aaa=111&bbb=222, can the user get my file path on the server (attachments_files/test.pdf) or not? If the user can get my file path, how can I hide it? (The files in this directory are very important.)

Upvotes: 2

Views: 3454

Answers (2)

mbo

Reputation: 164

No. The user cannot get the file path. He only gets the content output by the PHP script.

You can do this and the user only gets the "Hello" string. So it's your PHP script's role to determine which contents the user can get.

<?php
   echo "Hello";
?>

Upvotes: 0

Hanky Panky

Reputation: 46900

Since I was posting comments from my phone, they couldn't really explain much, so here goes your answer.

I want to know: when a user downloads a file from this link https://www.example.com/download.php?aaa=111&bbb=222, can the user get my file path on the server (attachments_files/test.pdf) or not?

No, users cannot see the file path that you are reading via readfile(). They will not be able to find out that file's location at all.

And if you want to eliminate any chance of people guessing the file path, simply put those files outside of your web root folder and then readfile() them from there.

$filePath_try_to_download = 'attachments_files/test.pdf';

That path is only known to your PHP code, which is not visible to users, hence they have no idea where you read the file they are downloading from. Just eliminate the chance of guesswork though :)

And obviously you have to secure access to this URL https://www.example.com/download.php?aaa=111&bbb=222, otherwise what's the point!

Upvotes: 2
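
The approach described in the answer above (files kept outside the web root, access to the URL secured, the path known only to the script), as an added example that is not part of the original post. The storage directory, the `user_id` session key and the id-to-file map are assumptions for illustration.

```php
<?php
// Added example, not code from the question or the answers.
// Assumptions: STORAGE_DIR lies outside the web root, your login code sets
// $_SESSION['user_id'], and $files stands in for a database lookup.
declare(strict_types=1);

const STORAGE_DIR = '/var/app-data/attachments';   // hypothetical path

/** Map an opaque id to a real file inside $baseDir, or null if not allowed. */
function resolveDownload(string $id, array $files, string $baseDir): ?string
{
    if (!isset($files[$id])) {
        return null;               // unknown id: never build a path from user input
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $files[$id]);
    // realpath() resolves ".." and symlinks, so a prefix check proves containment.
    if ($base === false || $path === false || !is_file($path)
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

session_start();
if (empty($_SESSION['user_id'])) { // secure access to the URL before anything else
    http_response_code(403);
    exit;
}

$files = ['111' => 'test.pdf'];    // constructed sample: id => stored file name
// filter_input() yields false for array-style input, which casts to ''.
$path = resolveDownload((string) filter_input(INPUT_GET, 'aaa'), $files, STORAGE_DIR);
if ($path === null) {
    http_response_code(404);       // same response for "unknown id" and "missing file"
    exit;
}

header('Cache-Control: private');
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . filesize($path));
// basename() keeps the storage directory out of the response headers.
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
readfile($path);
exit;
```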
