How to Prevent PHP Files from Being Downloaded? and What Are Some Ways Someone Can Download Them

How to prevent PHP files from being downloaded? And what are some ways someone can download them?

You can't really avoid files from being downloaded if your application is not secure. The following example allows a malicious user to view any file on your server:

<?php
readfile($_GET['file']);
?>

If you want to prevent Apache from exposing the source code if something is wrong with PHP, add this in your httpd.conf / .htaccess:

# In case there is no PHP, deny access to php files (for safety)
<IfModule !php5_module>
    <FilesMatch "\.(php|phtml)$">
        Order allow,deny
        Deny from all
    </FilesMatch>
</IfModule>
# the following should be added if you want to parse .php and .phtml files as PHP
# .phps will add syntax highlighting to the file when requesting it with a browser
<IfModule php5_module>
    AddType text/html .php .phtml .phps
    AddHandler application/x-httpd-php .php .phtml
    AddHandler application/x-httpd-php-source .phps
</IfModule>

How to prevent users from downloading source code files using the PHP download option I have for downloading pdf files in my web application?

You've fallen foul of a pretty bad design decision here that makes you vulnerable to file system traversal.

You might consider:

  1. Ensure the requested file ends in .pdf
  2. Ensure that the file being read ends in .pdf
  3. Drop any requests where the file parameter contains ..

Given Download.php doesn't look to be ensuring requesters are authenticated at all, I would suggest maybe having your PDF documents live within a web accessible directory and just linking directly to them, instead of creating an attack vector that could compromise your server.

How do I prevent public downloads of files using php?

Put the files somewhere outside the public webroot directory, or configure your server to not serve the files. As long as your server will happily serve everything with a valid URL, there's nothing you can do with PHP to prevent that.


If your files are in the /public_html/ folder, take them out of that folder and place them in e.g. /secret_files/, so your directory structure looks something like this:

public_html/
    index.html
    admin/
        admin_index.php
secret_files/
    my_secret_file.txt

The webserver is only configured to serve files in the /public_html/ directory, so nobody will have access to directories outside (technical term above) it.

To still enable somebody to download those files, do as cletus suggests and use readfile to "manually serve" the files via a PHP script. PHP will still have access to these other parts of the file system, so you can use it as a gatekeeper.
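The three answers above all point at the same design: keep the files outside the web root, and let a PHP script act as the gatekeeper that checks the request before calling readfile. The following script is an added example, not code from any of the answers, that puts those pieces together: it refuses guests, accepts only a whitelisted file name ending in .pdf, resolves the path with realpath and confirms the resolved file still lives inside the protected directory (so a symlink pointing elsewhere is refused too). The directory name secret_files and the isLoggedIn() helper are assumptions; replace them with your own layout and session logic.

```php
<?php
// Added example (not from the original answers): a "gatekeeper" download script
// that serves PDFs stored outside the web root, applying the checks from the
// answers above. The directory name and isLoggedIn() are assumptions.
declare(strict_types=1);

// Assumed location of the protected files: a sibling of public_html, not under it.
const PDF_DIR = __DIR__ . '/../secret_files';

// Assumed application-specific check; replace with your own session/auth logic.
function isLoggedIn(): bool
{
    return isset($_SESSION['user_id']);
}

/**
 * Resolve a user-supplied file name to an absolute path inside PDF_DIR,
 * or return null if the request must be refused.
 */
function resolvePdfPath(string $requested): ?string
{
    // 1. The *requested* name must end in .pdf and may contain no dots other
    //    than the extension and no slashes, so "../" can never appear in it.
    if (!preg_match('/^[A-Za-z0-9_-]+\.pdf$/', $requested)) {
        return null;
    }

    // 2. Normalise both the base directory and the candidate file; realpath()
    //    returns false for a missing file, which we treat as "not found".
    $base = realpath(PDF_DIR);
    $path = realpath(PDF_DIR . '/' . $requested);
    if ($base === false || $path === false) {
        return null;
    }

    // 3. The *resolved* path must still sit inside the base directory and still
    //    end in .pdf, so a symlink that points at e.g. config.php is refused.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0 || substr($path, -4) !== '.pdf') {
        return null;
    }

    return is_file($path) ? $path : null;
}

session_start();
if (!isLoggedIn()) {
    http_response_code(403);
    exit('Forbidden');
}

$path = resolvePdfPath((string)($_GET['file'] ?? ''));
if ($path === null) {
    // Same response for "bad name" and "no such file": no hint about the filesystem.
    http_response_code(404);
    exit('Not found');
}

header('Content-Type: application/pdf');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string)filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

The whitelist regex deliberately rejects anything but ASCII letters, digits, underscore and hyphen; if your file names contain other characters, widen the class rather than dropping the check, and keep the realpath prefix comparison, since that is what catches a symlink or a mount point that escapes the directory even when the name itself looks harmless.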

Prevent PHP file from downloading

They're not downloading your PHP files, they just download the static HTML produced by your PHP script. The ability to download the PHP source is down to the server configuration.

How to secure PHP files from being downloaded?

As long as your server is set up properly it isn't going to happen.

A good step though is to put all of your actual passwords and whatnot in a config.php and include it. That way you can use .htaccess to block that file, so that should your server ever start serving the raw pages, that file won't be accessible anyway.

To clarify: if you create a .htaccess file and place it in the same folder as config.php with the information below, that file will not be served, even if requested directly. Simply define your config stuff (db name, user name, password, hashes, etc.) in this file and include_once it at the top of each page that needs it and you will be good to go.

<files config.php>
order allow,deny
deny from all
</files>

how would you protect a file from being downloaded by anyone not logged in on a Yii2 project?

You can provide access to a specific action for specific roles or users with the AccessControl class.

You can do something like this:

<?php
use yii\filters\AccessControl;
use yii\web\Controller;

class DownloadController extends Controller
{
    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::className(),
                'rules' => [
                    // deny guests ('?') the download action
                    [
                        'allow' => false,
                        'actions' => ['download'],
                        'roles' => ['?'],
                    ],
                    // allow authenticated users ('@'); when no rule matches,
                    // AccessControl denies access by default, so this rule is needed
                    [
                        'allow' => true,
                        'actions' => ['download'],
                        'roles' => ['@'],
                    ],
                ],
            ],
        ];
    }
    // ...
}

The '?' role is the guest (unauthenticated) users.
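The access filter only decides who may call the action; the action itself still has to serve the file safely. The controller below is an added example, not code from the answer above, showing the two halves together: AccessControl denies guests and allows authenticated users, and actionDownload validates the requested name, reads from a directory outside the web root, and streams it with Yii's sendFile(). The namespace app\controllers, the @app/storage alias and the .pdf-only name check are assumptions for the example.

```php
<?php
// Added example (not from the original answer): a Yii2 controller that denies the
// download action to guests and serves files stored outside the web root.
// The namespace, the @app/storage location and the name check are assumptions.
namespace app\controllers;

use Yii;
use yii\filters\AccessControl;
use yii\web\Controller;
use yii\web\NotFoundHttpException;

class DownloadController extends Controller
{
    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::className(),
                'only' => ['download'],
                'rules' => [
                    // Deny guests ('?') explicitly ...
                    [
                        'allow' => false,
                        'actions' => ['download'],
                        'roles' => ['?'],
                    ],
                    // ... and allow authenticated users ('@'). AccessControl denies
                    // access when no rule matches, so an allow rule is required.
                    [
                        'allow' => true,
                        'actions' => ['download'],
                        'roles' => ['@'],
                    ],
                ],
            ],
        ];
    }

    /**
     * Serve a PDF from @app/storage (assumed directory, outside the web root).
     * Only a plain file name is accepted, so "../" can never reach the filesystem.
     */
    public function actionDownload($file)
    {
        if (!is_string($file) || !preg_match('/^[A-Za-z0-9_-]+\.pdf$/', $file)) {
            throw new NotFoundHttpException('File not found.');
        }

        $path = Yii::getAlias('@app/storage/' . $file);
        if (!is_file($path)) {
            throw new NotFoundHttpException('File not found.');
        }

        // sendFile() sets Content-Disposition: attachment and streams the file;
        // the explicit MIME type stops the browser from sniffing the content.
        return Yii::$app->response->sendFile($path, $file, ['mimeType' => 'application/pdf']);
    }
}
```

Because the name check runs inside the action, a request that passes the access filter but carries a traversal attempt still gets a 404 rather than a file; the filter and the validation are independent layers, and removing either one reopens a hole.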
