Issues with downloading files

Report · Mar 10, 2011

HI

I am quite new to all the web development stuff.

I have found these forums very useful, so now i am hoping you guys/girls may be able to help me.

I have created a document storage area within my site, the documents are stored in a database (BLOB format) and all works fine, i can upload and store documents with no problems, but the issue is around the download.

Although it works, i am having problems protecting it.

the download script works by accessing the database based on a document index, the page that contains the document list and indexes is protected, using the restrict access to page server behaviour, it calls the download script using an index variable.

but.. the download script is not protected, when i try to add the same server behaviour the download fails, IE says its trying to downlaod teh script, and that the site can not be found.

without the behaviour if someone knew the name of the php script they could just add the index variable and number and they could download any document

below is the download code, which works fine, i am assuming its because IE tries to start a second session to download the file, so the session variables that the server behaviour uses are not set...

Any suggestions

Thanks

<?php require_once('Connections/connTracker.php'); ?>
<?php
// if id is set then get the file with the id from database

if(isset($_GET['docindex']))
           {$id    = $_GET['docindex'];
           $query = "SELECT document_name, document_type, document_size, document_content " .
           "FROM tracker_documents WHERE document_index = ".$id;
           $result = mysql_query($query) or die('Error, query failed');
           list($name, $type, $size, $content) = mysql_fetch_array($result);
           header("Content-length: $size");
           header("Content-type: $type");
           header("Content-Disposition: attachment; filename=$name");
           echo html_entity_decode ($content);}
exit;
?>

Report · Mar 10, 2011

I guess that a simple workaround will suffice:

// if both the URL variable 'id' and the Session Variable 'MM_user_id' are set, then get the file with the id from database, otherwise display a blank page

if (isset($_GET['docindex']) && isset($_SESSION['MM_user_id']))

In addition to this add...

if (!isset($_SESSION)) {

session_start();

}

...@ line one

Report · Mar 10, 2011

According to your unsanitized variable of URL parameter in your query anyone can enter an injection attack in URL parameter by entering the following URL

www.your-website.com/your_download_page.php?docindex=0'; DROP TABLE tracker_documents; --

By entering that URL a hacker can run a query from your script and dump your database table! They can continue to dump other tables in your database if so inclined. My advice is that you educate yourself on injection attacks.

Report · Mar 11, 2011

Gunter, thank you for your help, buit the server behaviour actually inserts this exact same code, for some reaon when i try to download, the bowser can not deal with it, remove the behaviour and its fine

The shocker

I am well aware of injection attacks...

this was not the sort of help i was looking for.

Report · Mar 11, 2011

I am quite new to all the web development stuff.

I am well aware of injection attacks...

Which is it, dude. Are you quite new or well aware? It's not all about you anyway. Other beginners looking for a download script that come across your post thinking they're obtaining a secure script should be advised that your script is most certainly unsecure.

Report · Mar 11, 2011

Sorry my bad i apologise.... i am not a complete novice to coding in general

but i am new to php and web code, i do know quite a lot about the injection attacks and other security issues from other articles etc.

this code .... and i agree and for all you other folks that think this is ok.... this script ....IS MOST DEFINATLY NOT SECURE...

The rest of my site is and it has been tested

this one script is causing me an issue, and i have been trying to make it secure... but when i use the restrict access to page server behaviour the browser seems to have an issue, its like it tried to download the actual script rather then the document.

it produces the following error (attached image)

remove the behaviour and it works fine, so i was thinking that when the script runs it opens a new session... and does not use the current variables.

if the behaviour works the person accessing the script would have to be logged in to download the file.

here is the code with the behaviour inserted.. i just cant figure out whats going on....

<?php
if (!isset($_SESSION)) {
session_start();
}
$MM_authorizedUsers = "";
$MM_donotCheckaccess = "true";

// *** Restrict Access To Page: Grant or deny access to this page
function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) {
// For security, start by assuming the visitor is NOT authorized.
$isValid = False;

// When a visitor has logged into this site, the Session variable MM_Username set equal to their username.
// Therefore, we know that a user is NOT logged in if that Session variable is blank.
if (!empty($UserName)) {
    // Besides being logged in, you may restrict access to only certain users based on an ID established when they login.
    // Parse the strings into arrays.
    $arrUsers = Explode(",", $strUsers);
    $arrGroups = Explode(",", $strGroups);
    if (in_array($UserName, $arrUsers)) {
      $isValid = true;
    }
    // Or, you may restrict access to only certain users based on their username.
    if (in_array($UserGroup, $arrGroups)) {
      $isValid = true;
    }
    if (($strUsers == "") && true) {
      $isValid = true;
    }
}
return $isValid;
}

$MM_restrictGoTo = "index.php";
if (!((isset($_SESSION['MM_Username'])) && (isAuthorized("",$MM_authorizedUsers, $_SESSION['MM_Username'], $_SESSION['MM_UserGroup'])))) {
$MM_qsChar = "?";
$MM_referrer = $_SERVER['PHP_SELF'];
if (strpos($MM_restrictGoTo, "?")) $MM_qsChar = "&";
if (isset($_SERVER['QUERY_STRING']) && strlen($_SERVER['QUERY_STRING']) > 0)
$MM_referrer .= "?" . $_SERVER['QUERY_STRING'];
$MM_restrictGoTo = $MM_restrictGoTo. $MM_qsChar . "accesscheck=" . urlencode($MM_referrer);
header("Location: ". $MM_restrictGoTo);
exit;
}
?>
<?php require_once('Connections/connTracker.php'); ?>
<?php
// if id is set then get the file with the id from database

if(isset($_GET['docindex']))
           {$id    = $_GET['docindex'];
           $query = "SELECT document_name, document_type, document_size, document_content " .
           "FROM tracker_documents WHERE document_index = ".$id;
           $result = mysql_query($query) or die('Error, query failed');
           list($name, $type, $size, $content) = mysql_fetch_array($result);
           header("Content-length: $size");
           header("Content-type: $type");
           header("Content-Disposition: attachment; filename=$name");
           echo html_entity_decode ($content);}
exit;
?>

Report · Mar 11, 2011

Just stumbled across a probably helpful thread on the devarticles.com forum.

Report · Mar 12, 2011

Thanks Gunter, i also found and article that does indeed suggest that session variables get lost when doing this, i will post it and try the suggestion you have found when i am back in the office on Monday.

Report · Mar 14, 2011

I finally found a solution

In the following document http://php.net/manual/en/function.header.php, it states that if you are using an SSL then you need to include the following in Headers

header("Cache-Control: maxage=1"); //In seconds
header("Pragma: public");

This allows the document to be download only by an authorised user, if someone tries to use the php document download script (as the_shocker quite rightly pointed out) with an index without first being authorised they are directed to the logon page.

seems to be working fine, but i will do some further checks and post if i find any problems