Passing PHP Variables to different pages

Hey guys.

I'm currently working on an application integrated into Facebook allowing people to create files using a form for user input in which they can post the files to Facebook and also download them.

At present, files can be created, downloaded and posted to Facebook.

The next part I want to figure out is how to allow users that have clicked on the posted link to also download these files and not just the user who has created it.

The problem is, I know what needs to happen, but I don't know how to make it happen!

Here is the code I have to download files:

PHP:
$myFile = $_GET['file'];

if(!file_exists($myFile))
{
	die('Error: File does not exist');
}
else
{
	header("Content-Description: File Transfer");
	header("Content-Disposition: attachment; filename=$myFile");
	header("Content-type: text/plain");
	readfile($myFile);
}

And here is the code used to reference my created file:

PHP:
<input type="button" onclick="window.location='downloadFile.php?file=<?php echo $gameconfigid;?>' " name="downloadBtn" value="Download">

(gameconfigid being the var that needs to be passed to the created file page)

Does anyone understand what I'm trying to achieve and if so... Could they tell me what needs to happen?
 
Store it in the session.

PHP:
// On the page where you know what $gameconfigid is:
session_start();
$_SESSION['gameconfigid']=$gameconfigid;

// and on the page where you need to retrieve it:
session_start();
$gameconfigid = $_SESSION['gameconfigid'];
 
Actually I might have misread what you're trying to do, so session probably isn't the best way.

Users are able to upload files, and you want to then output a list of these uploaded files as links which people can click on?
 
Sorry I should be more clear.

A form allows a user to create a file to be written to. When it is created, it copies some existing content from a file already on the server and it will write the user's input to the end of the file. It then closes the file handler and gives them the option to download it and post it to their news feed on Facebook.

From Facebook, when someone clicks the posted link, it will display the file that was created in an iframe on the page. There is a cancel button which will redirect them to the main page but I need a download button that will reference the file displayed in the iframe... Ultimately meaning other people can download the file.

Thanks again,
PrChaos.
 
So when you've finished writing to the file, you presumably know the path of the new file. Are you then saving this in a database at all?

If not, this is what you need to do; this will then associate a unique ID (1,2,3...n) to the filename of the file on the server.
 
I know the file path and it is inserted into a database upon creation with unique IDs.

It works perfectly on the page that is displayed after a form is submitted. I'm just not sure how to pass the gameconfigid variable to the other page to reference the generated file.

Is it possible to post links on this section of the form? I could show you what I'm trying to do.
 
The other page being Facebook?

When you post the URL to Facebook can't you include the ID there? E.g. the URL you send to their news feed is: http://example.com/download/5 (where 5 is the ID of the uploaded file). This then creates the link back to the ID you need to know.

Sure, post your link.
 
By the way, secure your download logic! I can download any file I want off your server (that the webserver has access to, e.g. /etc/passwd or your database passwords presumably). The person who set up that webserver should have probably blocked access to system files, mind.

Rather than linking to downloadFile.php?file=file.txt, use the file's ID number, not the filename, then on your downloadFile.php page go off to the database to get the file location instead.

So using your current way of doing it (I wouldn't use JavaScript for this, but anyway):
PHP:
window.location='downloadFile.php?file=<?php echo urlencode($_GET["id"]); ?>'

id is retrieved from the URL and passed to downloadFile.php, which goes off and finds its details and streams it to the user.
 
I see. It was me that set up the server because I was having issues with permissions to create files so I'll change them up in a second.

I figured out how to do it and I've just tested it for different pages.

This is what I added

PHP:
<input type="button" onclick="window.location='downloadFile.php?file=<?php echo $row ['gameconfigid'];?>' " name="downloadBtn" value="Download">
 
Sorry just to clarify... If you're still reading this... What files are insecure? The only files I know that have permissions set to 777 are my game template files...
 
Ah, nice!

You're not checking that the requested file is in a list of allowable paths. Have a look at open_basedir to restrict it or just strip out any /, \ and . that is passed in as the download location, this will then only allow files to be downloaded from within the right directory.

What this means is that I can run for example:
downloadFile.php?file=/etc/passwd

and access the /etc/passwd file on your server, or I could use it to download the file that you're serving me and view your source code.

Code:
<?php
     // 
     // db.private
     // This file holds the $username and $password variables etc
     // Read how to protect your password in db.private/db.inc
     //  
     $hostname = "*****.***.***.ac.uk";
     $databaseName = "***_*****";       // Change these values to your own database name
     $username = "*****";               // user id and password.
     $password = "********";
	 
	 $connect = mysql_connect($hostname, $username, $password) or die(mysql_error());
	 
	 mysql_select_db($databaseName) or die(mysql_error());
   ?>

Look familiar? ;).


This is why you should only link to downloadFile.php via a database ID number, that way I can't download arbitrary files from your filesystem.
 
Securing up your application is something you can write about in your writeup too I'm sure. Obviously it doesn't matter too much for a Uni project but those extra credit marks are always handy.
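The fix recommended in this thread (look the file up by its database ID instead of taking a path from the URL), shown as an added example that is not code from any poster. The table and column names (`gameconfig`, `filepath`), the storage directory and the helper names `resolveDownload`/`sendDownload` are assumptions, and the `realpath()` containment check goes a step beyond the thread's advice; the CLI demo runs on constructed data.

```php
<?php
// Added example: hardened downloadFile.php logic. Table/column names and the
// storage directory are assumptions, not taken from the thread.
function resolveDownload(PDO $db, string $baseDir, $rawId): ?string
{
    // Only a positive integer ID is accepted; any path-like value fails here.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // The file location comes from the database, never from the request.
    $stmt = $db->prepare('SELECT filepath FROM gameconfig WHERE gameconfigid = ?');
    $stmt->execute([$id]);
    $stored = $stmt->fetchColumn();
    if (!is_string($stored)) {
        return null;
    }
    // Defence in depth: the resolved path must still sit inside the storage directory.
    $base = realpath($baseDir);
    $path = realpath($stored);
    if ($base === false || $path === false || !is_file($path)
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function sendDownload(string $path): void
{
    // basename() plus a character whitelist keeps the header value inert.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
    header('Content-Description: File Transfer');
    header('Content-Type: text/plain');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    readfile($path);
}

// Demo (constructed data): in-memory SQLite and a temp directory stand in for the real setup.
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . '/configs_' . uniqid();
    mkdir($dir);
    file_put_contents("$dir/game1.txt", "constructed sample\n");
    $db = new PDO('sqlite::memory:');
    $db->exec('CREATE TABLE gameconfig (gameconfigid INTEGER PRIMARY KEY, filepath TEXT)');
    $db->prepare('INSERT INTO gameconfig VALUES (1, ?), (2, ?)')->execute(["$dir/game1.txt", '/etc/passwd']);
    foreach (['1', '2', '99', '/etc/passwd', '../db.private'] as $req) {
        echo str_pad($req, 16), resolveDownload($db, $dir, $req) ?? 'REJECTED', "\n";
    }
}
```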
 