I am building a file storage application and below is the .php code used to process uploaded files. Problem #1: How do I allow this user to view the files that they upload?
Well, once the `move_uploaded_file(...)` function has operated the file has been moved from the temporary folder to the destination. In your case the file is saved with its original name in the 'uploads' directory that is located within the same directory as the script. After the script has operated, the file is on your server just like any other file.

In order for the user to be able to access it directly, your web-server (Apache for example) has to be configured to allow such an access. In the simple case that your script is within the root directory of your web-server (in Apache it's usually the www directory) then so will be the uploaded files, because they are saved to the 'uploads' directory at the same location as the script. Without special configurations it means that they are already accessible. If your script is accessible via `www.yoursite.com/upload_script.php` then a file could be accessible via `www.yoursite.com/uploads/my_file.png`

However, allowing users to upload files to your server is a potential risk and measures of caution should be taken. For example, without further protection it is possible for me to upload a php script of my own to your server, using your script, and then execute it by accessing it just like any other php script in your website. Such a script could delete files in your website, access the databases, replace files with ones I want and pretty much do anything you could do with your php files of your website. Therefore your web-server should be configured not to execute the uploaded files in any case and just send them back as-is to the user.

For Apache you could do so using a .htaccess file inside your uploads directory to set a special configuration for that directory and set inside a configuration like:

```
<Files *>
php_flag engine off
ForceType application/octet-stream
Header set Content-Disposition attachment
</Files>
```

The first line prevents the php engine from executing any files in the directory and the other two tell the browser that the file is supposed to be downloaded (instead of displayed which could happen for .html, .txt or picture files for example).

I'd like to mention that managing uploads is not trivial and there are many security considerations to make. Also, the direct access to files means that they are accessible by all users, you cannot restrict it to specific users on your website for example. If you need more sophisticated management then direct access is not the solution and you need the access to be done via a special script that will manage the operation. Hope it helps
@dumbsearch2 PHP question.
Yes, currently the files are accessible by anyone. How would I go about making them only accessible by a particular logged-in user while they are logged in?
In order to do that you have to block the direct access to the file and instead manage the access to the files through another script, say `download.php`. This script has to get some information about the file needed to be accessed, if you are familiar with GET parameters then that would be the best probably, which basically means that the user would access the page in the form of: `http://www.yoursite.com/download.php?file=file_identifier_here`

And then in your script you'll have to get this file identifier using the `$_GET` superglobal and figure out which file on your server is to be delivered back to the user.

Now you have to get the data for this file. You can see that you're less restricted by the way you can store the files now. You can store the data directly in a database if you wish. You can compress the data and so on. However, once you fetch the original data of the file, you have to send it back to the user which is basically done just like normal printing with an `echo` statement. But you have to make sure to set the right headers for the HTTP response that will go back to the user, because you're not sending a webpage back, but a file that should be downloaded. You can set the headers using the `header(...)` function. For example you could use:

```
// Placeholders: fill these in from wherever the file is stored.
$file_name = ...;    // name offered to the user in the download dialog
$file_content = ...; // raw bytes of the file
$file_size = ...;    // length of $file_content in bytes

// Tell the browser to download the response instead of displaying it.
header('Content-Disposition: attachment; filename=' . urlencode($file_name));
header('Content-Type: application/octet-stream');
header('Content-Length: '. $file_size);

// Send the file body.
echo $file_content;
```
I should probably add that you can check inside the script if the user has the privileges to access the file. If not then you can simply not transfer the file back and echo an error message instead, like with normal webpages.
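An added example, not part of the original replies: one way to write the `download.php` described above, with the login and ownership check done before any file data is sent. The `files` table and its columns, the SQLite path, `STORAGE_DIR`, the `fail()` helper and the `user_id` session key are assumptions made for illustration.

```php
<?php
// download.php (added example). Assumed, not from the original posts: the
// 'files' table and its columns, the SQLite path, STORAGE_DIR, and the
// 'user_id' session key set by the site's login code.
declare(strict_types=1);

const STORAGE_DIR = '/var/app/private_uploads'; // assumed: outside the web root

function fail(int $status, string $message): void
{
    http_response_code($status);
    header('Content-Type: text/plain; charset=utf-8');
    exit($message);
}

session_start();
if (empty($_SESSION['user_id'])) {
    fail(401, 'Please log in.');
}

// The identifier is a numeric row id, never a file name or path.
$fileId = filter_input(INPUT_GET, 'file', FILTER_VALIDATE_INT);
if ($fileId === null || $fileId === false) {
    fail(400, 'Bad file identifier.');
}

$pdo = new PDO('sqlite:/var/app/files.sqlite');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$stmt = $pdo->prepare('SELECT owner_id, stored_name, original_name FROM files WHERE id = ?');
$stmt->execute([$fileId]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// Same answer for "no such file" and "not yours", so ids cannot be probed.
if ($row === false || (int) $row['owner_id'] !== (int) $_SESSION['user_id']) {
    fail(404, 'File not found.');
}

// basename() keeps the lookup inside STORAGE_DIR even if the stored name is bad.
$path = STORAGE_DIR . '/' . basename($row['stored_name']);
if (!is_file($path)) {
    fail(404, 'File not found.');
}

// ASCII fallback name plus an RFC 5987 encoded form of the original name.
$ascii = preg_replace('/[^A-Za-z0-9._-]/', '_', $row['original_name']);
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="' . $ascii . '"; filename*=UTF-8\'\'' . rawurlencode($row['original_name']));
header('Content-Length: ' . filesize($path));
readfile($path);
```

Because the files live outside the web root, there is no direct URL for them and this script is the only route to the data.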