I'm trying to find a solution for forcing audio files to download on mobile using PHP.
I tried using the MIME type 'AddType audio/mpeg .mp3' in my .htaccess file to no effect. Direct downloads work fine on desktop but not on mobile - it always redirects to the default Wordpress player to download instead of just downloading after clicking the link.
I've searched various solutions and this is the closet I got Forcing to download a file using PHP
My files are hosted outside of my domain. This is the PHP file I'm using but it's not working.
$file_name = 'file.mp3';
$file_url = 'https://mcdn.podbean.com/mf/web/' . $file_name;
header('Content-Type: audio/mpeg');
header("Content-Transfer-Encoding: Binary");
header("Content-disposition: attachment; filename="my-file.mp3");
readfile($file_url);
exit;
These files are hosted with another provider on another domain. Nothing you can do will force the direct download unless they were hosted on a platform like AWS where you can create your own bucket and link it to your domain. That's costly.
Podbean suggested I change "web" in the podcast URL to "download." I used the Find and Replace All Wordpress plugin and it automatically changed them all. Just make sure you search for whatever proceeds the word you want to change so you don't replace a common word like "web" elsewhere in your database.
Always backup your database before making mass changes.
With over 800 episodes it worked perfectly after clearing the cache.
Related
I have recently launched a website on GoDaddy hosting. I have keept some images and JavaScript files used in website, in separate folders. I want to prevent the users from browsing those images and files by simply appending the folder and file name in the website URL. For example
www.example.com/images/logo.png
If I understand correctly, you want to have html file with images, that shouldn't be accessible alone? If yes, then it cannot be done. You can watch for correct HTTP Referrer header, but it can be simply faked and it also makes it inaccessible for browsers that don't send referrer or having sending it forbidden for "privacy" reasons.
If you want hide files to be accessible only by server side scripts, ftp/scp, then you can try to use .htaccess (if GoDaddy runs on Apache) and correct configuration: https://httpd.apache.org/docs/2.2/howto/access.html
Another way could be hiding that files and creating one-shot token like this:
<img src=<?pseudocode GEN_TOKEN("file.jpg") ?> /> with another file serving these hidden files just for generated token, then deleting it from DB. Nevertheless, this will not protect anybody from downloading or accessing these files, if they want...
But, anyway, try to clarify your question better...
If you are keeping images/files in folder which is open to public, I guess you kept in that folder for purpose, you want public to access those images and files.
How public know images file name? Stop file content listing for your web site.
I am not aware which language you are using on web server, but in ASP.NET you may write module/ middle ware which can intercept in coming request and based on your logic (e.g. authentication and authorization) you can restrict access. All modern languages support this kind of functionality.
My website has some of its files temporarly saved in the web browser cache.
Concerning CSS and images files, no problem but for some files it's a real security issue.
Is there a way to prevent some files from :
- being downloaded from the cache ?
- being visible in the cache ?
or crypt them maybe
Thanks.
David
Well you can configure your webserver so it sends certain http headers for certain file types such as javascript. For example for Apache web server we can use mod_expires module.
Another option is to add a random string to the end of each file that should not be cached by the web browser. for example the file script_name.js can be server as script_name.js?somerandomstring
In my typo3temp folder I always find a file called javascript_a1cb3a5978.js. It seems that this is a JS by Typo3 to encrypt email adresses. Now in the code always the trojan is appended. I delete the file from the Typo3 cache and if the page is called in the browser the file is generated.
I tried to download the site and scan it with Security Essentials. Also I tried to search for eval but there are too much in the whole Typo3 folder. I didn't found something in the index.php and also I didn't found it in the htaccess. Permission should be OK for the site.
Do you have some ideas for me where this code is appended?
Check typo3conf/localconf.php and typo3conf/temp_* files and typo3conf/extTables.php.
Deactivate every extension and update your TYPO3. Check your TypoScript. I guess you should shut down your website and analyse how the attacker injected that code.
HI
I have the following (apparently simple) problem: I have to install a simple website, made by someone else, on a web hosting account. The site consists of lot and lot of HTML pages, no dynamic content, created some in MS Word and saved as html, some in frontpage, etc. A mixed bag.
I uploaded initially on a test account on my server (Win Server 2003) and it works ok.
Then I uploaded on the real web hosting (fedora / apache).
When I loaded the site in browser I see lot of odd craracters (instead of diacritics, used in html pages). Duacritics were saved as escape code, like & #350; for Ș (using codepage 1252).
The problem is, when I load the page from my own test server, the browser select automatically correct codepage (1252).
But when I load the site from public host, the same bowser loads the page using utf-8 encoding, rendering page with odd caracrets.
The test site on my server can be seen at http://radu-stanian.dnsalias.com and on public server at http://radustanian.scoli.edu.ro/
This happens no matter what browser I use (IE, ff or chrome)
What should I do to force browsers to load the pages in correct codepage?
Making changes to every page is not an option, because there are hundreds of pages, created by various peoples which could edit them further for update
Thank you
I did a quick google search and this is what I came up with:
http://www.w3.org/International/questions/qa-htaccess-charset
I've never messed with the .htaccess files with this scenario, but from what I read up it seems like you can force a certain character codepage mode based on file extension, which is what you need.
I'm not sure if it works, but hopefully it does :)
Most web servers allow you to edit HTTP headers. One of them can specify the exact codepage for a browser to use.
For example:
Content-Type: text/html; charset=ISO-8859-4
I have a folder in my web server used for the users to upload photos using an ASP page.
Is it safe enough to give IUSR write permissions to the folder? Must I secure something else?
I am afraid of hackers bypassing the ASP page and uploading content directly to the folder.
I'm using ASP classic and IIS6 on Windows 2003 Server. The upload is through HTTP, not FTP.
Edit: Changing the question for clarity and changing my answers as comments.
also, I would recommend not to let the users upload into a folder that's accessible from the web. Even the best MIME type detection may fail and you absolutely don't want users to upload, say, an executable disguised as a jpeg in a case where your MIME sniffing fails, but the one in IIS works correctly.
In the PHP world it's even worse, because an attacker could upload a malicious PHP script and later access it via the webserver.
Always, always store the uploaded files in a directory somewhere outside the document root and access them via some accessing-script which does additional sanitizing (and at least explicitly sets a image/whatever MIME type.
How will the user upload the photos? If you are writing an ASP page to accept the uploaded files then only the user that IIS runs as will need write permission to the folder, since IIS will be doing the file I/O. Your ASP page should check the file size and have some form of authentication to prevent hackers from filling your hard drive.
If you are setting up an FTP server or some other file transfer method, then the answer will be specific to the method you choose.
You'll have to grant write permissions, but you can check the file's mime type to ensure an image. You can use FSO as so:
set fs=Server.CreateObject("Scripting.FileSystemObject")
set f=fs.GetFile("upload.jpg")
'image mime types or image/jpeg or image/gif, so just check to see if "image" is instr
if instr(f.type, "image") = 0 then
f.delete
end if
set f=nothing
set fs=nothing
Also, most upload COM objects have a type property that you could check against before writing the file.
Your best bang for the buck would probably be to use an upload component (I've used ASPUpload) that allows you to upload/download files from a folder that isn't accessible from the website.
You'll get some authentication hooks and won't have to worry about someone casually browsing the folder and downloading the files (or uploading in your case), since the files are only available through the component.