I am using below code to display pdf file in HTML
<object data="data/file.pdf" type="application/pdf" width="300" height="200">
test.pdf
</object>
But In above code we have to specify path name and folder name so it is not so secure. Crawler can find this path, so using some algorithms(robot) it is very easy to download other file those are stored in that folder.
How to secure this, is there any option to prevent this from robots?.
You may do the following:
Password protect the page (with the server-side code).
Generate unique links like (/getpdf/some_random_string_or_md5_hash_of_random_string.pdf) for every PDF file (using server-side code) that will a) check for the current time and the validity of the random name generated (if it has expired or not) then b) will redirect to the source files (not really hiding the source because of the redirection) to be displayed or stream the PDF file content (this is more secure though could seriously add the load to the server).
Finally add robots.txt to the folder and hope that crawlers will follow restrictions it sets.
If the other files in the directory are not to be downloaded, ever, they shouldn't be in a directory that is available to the http server. You can use directory permissions in your http server (eg., config directives and .htaccess in Apache) to control access to directories. Only configure access for directories you need to expose to the web, and only store files in them that you want the web to access.
If you want to avoid including a path in the HTML, you will need to write some dynamic code (eg, php, asp, or any number of server-side options). Your code on the server would need to handle the request for the file and return the file's content manually.
Related
I am building a web app and I would like to show PDF files to my users. My files are mainly stored as byte arrays in the database as they are generated in the backend. I am using the embed element and have found three ways to display a PDF:
Local file path in src attribute: Works, but I need to generate a file from the database byte array, which is not desirable as I have to manage routines to delete them once they are not needed anymore.
Online file path in src attribute: Not possible since my files may not be hosted anywhere but on the server. Also has the same issues as the previous method anyway.
Data as base64 string in src attribute: Current method, but I ran into a problem for larger files (>2MB). Edge and Chrome will not display a PDF when I covert a PDF of this size to a base64 string (no error but the docs reveal that there is a limit for the data in the src attribute). It works on Firefox but I cannot have my users be restricted to Firefox.
Is there any other way to transmit valid PDF data from a byte array out of the database without generating a file locally?
You have made the common mistake of thinking of URLs and file paths as the same thing; but a URL is just a string that's sent to the server, and some content is sent back. Just as you wouldn't save an HTML file to disk for every dynamic page on the site, you don't have to write to the file system to display a dynamic PDF.
So the solution to this is to have a script on your server that takes the identifier of a PDF in your system, maybe does some access checking, and outputs it to the browser.
For example, if you were using PHP, you might write the HTML with <embed src="/loadpdf.php?id=42"> and then in loadpdf.php would write something like this:
$pdfContent = load_pdf_from_database((int)$_GET['id']);
header('Content-Type: application/pdf');
echo $pdfContent;
Loading /loadpdf.php?id=42 directly in the browser would then render the PDF just the same as if it was a "real" file, and embedding it should work the same way too.
I am wondering if I can have a webpage where I can tell it to grab my file and put it in a directory, such as: "http://example.ex/folder". Meaning the file I provided is put into the "folder" folder.
Overall process:
Button says: "Import file"
I select a file, and my file is "text.txt"
It takes my file "text.txt" and adds it to the local system/directory of the website.
You can do this using JQuery File Upload and then adding a backend service that captures the file and saves it.
For example, here is a repository that has a basic Python (Flask) server integrated with JQuery File Upload that will take an uploaded file and place it on the server:
https://github.com/ngoduykhanh/flask-file-uploader
I'd put the rest of the code here, but it is a lot - and requires HTML, JavaScript and a back-end language (like Python).
Here is the documentation on JQuery File Upload: https://github.com/blueimp/jQuery-File-Upload
As a word of caution, DO NOT TRUST ANYTHING UPLOADED TO YOUR SERVER. Meaning, do not put it out on the open internet without some sort of authentication or checks in place to make sure only files you intend are uploaded. Otherwise, people will find it and upload scripts turning your device into a Bitcoin miner, spam relay, or bot host.
Instead of doing it this way, why not use SFTP to upload it to your server to host? At least that way you can lock down access.
I'm working on a web-based Flash application for a client which loads an external file from the same directory it is located in on the server. I use a URLRequest to load the file:
loader.load(new URLRequest("Config.xml));
Right now the Config.xml file uses chmod 644, which gives it public read access. However, the client would like to protect the configuration file so that it can't be downloaded by third-parties.
I'm thinking that it won't be possible to hide the file by removing public read permission (chmod 640) because then the Flash document, which is executed client-side, will be unable to read it. My tests seem to confirm this. Is there any way for a Flash app on the web to read a file from the server without exposing it to the public?
As others have already said, you can't do this. For the SWF to be able to load the file from the client-side it must be public.
A possible solution that might be good enough for your client is to embed the XML file contents in your HTML on the server side, for example as FlashVars or JavaScript output, then the SWF does not need to load the XML file directly and you don't need to make the file public.
For example:
Server-side PHP:
<?php
$xml = file_get_contents("Config.XML");
$encodedXml = rawurlencode($xml);
?>
<object type="application/x-shockwave-flash" data="my-flash.swf" width="550" height="400">
<param name="movie" value="my-flash.swf" />
<param name="FlashVars" value="config=<? echo $encodedXml ?>"/>
</object>
Client-side AS3:
var xml:XML = XML(stage.loaderInfo.parameters.config);
Of course someone could look at your HTML source and decode the XML themself, but any way you get the XML content into your SWF will expose that possibility, to varying levels of difficulty. You could make the encoding more obfuscated (url encoding is easy to spot) or encrypted to make it harder to find.
No. Flash is using a regular HTTP request to load the config file, so of course it can't get the file if it's not publicly-accessible.
What you could do is require authentication for the config file and include credentials in your URLRequest declaration. However, this still suffers from the weakness of someone sniffing the traffic to discover the authentication, and then running that request again with another tool.
Ultimately, you can't have it both ways: Either your config is accessible and insecure, or it's secure but unusable.
The short answer :
No, you can not do that.
The long answer :
No, you can not do that because, as you already know, Flash Player is a client-side technology, so it's exactly the same as a browser, and any file loaded by your SWF is accessible and visible for absolutely any person who has access to that SWF file, also forget about files access permissions which didn't has any effect in this situation.
Note here that you can use some encryption system to encrypt the content of that file and your SWF will decrypt it, but the problem here, is that you have also to encrypt your SWF file which, to my knowledge, is not a very reliable technique because SWF decompilers are really very efficient nowadays ...
...
Hope that can help.
A client side app (Flash or other) cannot read or load by itself any files from a server even from the server it's coming from. When it loads a public xml file, it makes a request for it and if the file has the right permission and the server knows how to serve that file, the request is granted and the file is served. This is very much so a server side operation so you can know see that when you say: "Flash runs client-side, so how would I take any advantage of a server-side solution?" this is a clear misunderstanding of how things work on client side and server side because if you do load a xml file then you do take advantage of a server side solution. Now this being said, how to do it when the file permission if turned of.
It is common to not allow access to files or directories on a server, in that case a client side cannot be granted access to those directly. So this is when you need to use a serve side technology to serve those files. Serve side technology like for example PHP can access all files on the server and make copy of them or change temporarily their permission etc ...
You can serve to your client side those forbidden files by simply writing a serve side script that would serve the file to you depending on some criteria you define (or none). The server side can change the permission allowing you to download it and then change it back, or it can copy the file and put it in a public accessible place and then delete it. You can also change the extension of your xml (to .whatever for example) and not provide a mimetype for it, even though the file is public the server won't be able to serve it, you can then make you serve side script change its extension for you on a per need basis. There's just hundreds of ways to do it including web services and even AMF and all that while the needed file is not publicly accessible. But yes you have to write server side scripts which is a VERY COMMON way to serve files to client side.
I Wonder whether I can use pdf Source[as hyperlink] as a file path in system related to script's running directory.
part of code is.
pdf
I am generating this HTML using CGI Scripting in C. and my pdfs are located in ../pdfs/sample.pdf related to my running directory of script. And by pdf source means I want to show the pdf sample.pdf upon clicking pdf as in above sample code.
A browser does not care or know how a resource is generated. You can generate it with C via CGI, you can have the server just hand over a static file. There is no difference as far as the browser is concerned, it made an HTTP request and received an HTTP response.
The rules for resolving a relative URI in an HTML document are the same. The browser compares it to the base URI (which is either specified in <base> or is the URI of the document containing the link).
If that resolves to a URI that the server will serve a PDF up for, then it will work.
Since URIs don't always map directly onto file systems, it isn't possible to say if this will work in your situation (as your question only talks about file systems). If this was on one of the servers that I have CGI programmes executing on then it wouldn't work — since I keep them in a cgi-bin that isn't a subdirectory of the webroot, so the pdfs wouldn't be accessible over HTTP at all. Your server may be configured differently.
I have seen a few examples with link to folder but i realy don't understant what it is or how to manipulate it or get it to set the specific html page within the folder.
My website is a basic one with only CSS and HTML
it is formatted as
[file]home.html // C:/Users/user/Desktop/mywebsite/home.html
[folder]Order // C:/Users/user/Desktop/mywebsite/order/
↳[file]ordersheet.html // C:/Users/user/Desktop/mywebsite/order/ordersheet.html
I want to try set the folder path C:/Users/user/Desktop/mywebsite/order/ as the file ordersheet.html C:/Users/user/Desktop/mywebsite/order/ordersheet.html how can this be done?
To set /order to ordersheet.html change the name of ordersheet.html to index.html
The index.html is the default file that the server will serve to the visitor when he visits that specific directory.
link text
link text = what you want it to say to the user
/Users/user/Desktop/mywebsite/order/ = directory path
Keep in mind that this will only work locally. If you have it up on a server, visitors don't have access to your full C:/ drive so you have to use relative links, i.e. just /order/
If I remebember correctly, you use something like this:
<a href="file:///C:/Users/user/Desktop/mywebsite/order/ordersheet.html>link to file on harddisk</a>
If you would want to have that anchor to a folder, you would just use this:
<a href="file:///C:/Users/user/Desktop/mywebsite/order/>link to a folder on harddisk</a>
Your browser is operating directly on your system's local filesystem, so you can't.
What you have been looking at is a function of a web server (I'll use Apache HTTPD for examples here).
A typical configuration of a web server would map the local part of the URI onto a directory on the local file system and just serve up the files there if they matched the local part of the URI.
If the local part resolves to a directory (rather than a file) then it would look for a file in that directory with a name that matched a list (typically including index.html) and serve up that file.
If none of the files on the list existed, then it would generate an HTML document containing links to all the files in the directory.
Since there is no web server involved when the browser is reading the local file system directly, there is no way to map the directory onto an index file, so you would need to explicitly include the filename in the URI (or switch to using a web server).