Trondro Mulligan

Reputation: 505

How to make files ONLY downloadable, not readable by client

I'm working on a PHP script where users can upload any type of file they want, even PHP files.

All files are uploaded/moved to a specific folder ("uploads").

I don't want these files to be readable; otherwise it can cause a major security bug, as users can write any PHP code and take control of my server.

I want these files to be downloadable only by the user's client (browser), like Dropbox, for example.

Upvotes: 0

Views: 133

Answers (1)

Victor Radu

Reputation: 2292

You can deny access to uploads/move, then force a redirect from all URLs under uploads/move to a PHP script:

RewriteEngine On
# In .htaccess (per-directory) context the URL path is matched without its leading slash, so the original "^/uploads/..." never matched; [B] re-escapes $1 so a "&" or "?" in a file name cannot split the query string
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^uploads/move/(.*)$ /serve_file.php?filePath=$1 [B,L]

then send a force-download header, like so, for example:

// Path check (see the warning below): resolve the requested name inside the upload directory and refuse anything outside it.
// Assumes serve_file.php sits in the web root with uploads/move beneath it; adjust $base otherwise.
$base = realpath(__DIR__ . '/uploads/move');
$filePath = realpath($base . '/' . ($_GET['filePath'] ?? ''));
if ($base === false || $filePath === false || !is_file($filePath) || strpos($filePath, $base . DIRECTORY_SEPARATOR) !== 0) { http_response_code(404); exit; }
header("Content-Disposition: attachment; filename=\"" . basename($filePath) . "\"");
header("Content-Type: application/octet-stream"); // standard opaque type; "application/force-download" is non-standard
header("Content-Length: " . filesize($filePath));
header("Connection: close");
readfile($filePath); // one consistent name: the original mixed $File, $filePath and $filepath, and PHP variable names are case-sensitive
exit;

!!Make sure $filePath is in uploads/move and not anywhere else, or they could grab other files!!

Thanks @Mark Baker for the optimisation; using readfile is a better way!

Upvotes: 1
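The answer mentions the "deny access to uploads/move" step but only shows the rewrite. As an added example (not code from the original answer or its author), here is the Apache side in full: the web-root .htaccess carrying the rewrite plus a catch-all, and a second .htaccess inside uploads/move that stops anything stored there from executing as PHP, which is the threat the question is about. It assumes the layout implied by the answer (serve_file.php and uploads/move/ directly under the document root, here /var/www/html), that AllowOverride permits FileInfo directives in .htaccess, and that PHP is wired into Apache either as mod_php or through a handler/proxy such as PHP-FPM.

```apache
# ---- /var/www/html/.htaccess  (document root; path assumed) ----
RewriteEngine On

# 1. Existing files under uploads/move/ are never served directly: hand them to the
#    script. The pattern has no leading slash because per-directory (.htaccess) rules
#    match the URL path relative to this directory. [B] re-escapes the backreference,
#    so a file called "a&b.txt" arrives as filePath=a%26b.txt instead of splitting
#    the query string; PHP's $_GET decodes it again.
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^uploads/move/(.*)$ /serve_file.php?filePath=$1 [B,L]

# 2. Anything else under uploads/move (the directory itself, subdirectories, missing
#    files) is refused outright, so the folder can never be listed or autoindexed.
RewriteRule ^uploads/move(/|$) - [F,L]

# ---- /var/www/html/uploads/move/.htaccess ----
# Defence in depth: even if a request reaches a file here without going through
# rule 1, it must not run as PHP.
#
# Do NOT put "Require all denied" in this file: per-directory rewrites run in
# Apache's fixup phase, after access control, so a blanket deny would answer 403
# before rule 1 ever fires and nothing could be downloaded.
# Do NOT put any mod_rewrite directive in this file either: a child .htaccess with
# its own mod_rewrite configuration stops inheriting the parent's rules unless
# "RewriteOptions Inherit" is set.

# mod_php: switch the engine off for this directory. The module name follows the
# PHP major version (mod_php5.c, mod_php7.c, or mod_php.c for PHP 8); the IfModule
# guard keeps the directive from causing a 500 on hosts that use PHP-FPM instead.
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
<IfModule mod_php.c>
    php_flag engine off
</IfModule>

# Handler/proxy setups (PHP-FPM etc.): detach every PHP-like extension from the PHP
# handler so Apache treats these files as plain static content. The FilesMatch
# block also overrides a "SetHandler proxy:..." inherited from the virtual host.
RemoveHandler .php .phtml .phar .php5 .php7
RemoveType    .php .phtml .phar .php5 .php7
<FilesMatch "\.(php[0-9]?|phtml|phar)$">
    SetHandler None
</FilesMatch>
```

Two points on the design. First, the script reads the file from disk itself, so the upload directory does not have to live under the document root at all; keeping it outside removes the need for the second .htaccess entirely, and the rewrite is then only needed if you want the old /uploads/move/... URLs to keep working. Second, the catch-all in rule 2 means a request for a name that does not exist gets a 403 from Apache rather than falling through to whatever handler would otherwise serve that path, which keeps the uploads tree from ever being served by anything but serve_file.php.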
