
[image] The above two functions are not working in WordPress. I want to download a file. I am running WordPress in XAMPP; I have also tried it on another online server with the WordPress framework and it still does not work.

But this is working on another online server where I have not used the WordPress framework.

Is there a problem with WordPress using the above two functions?

(The code below just takes a GET request describing the file to be downloaded from the server; after validating the token, the path is taken from the database.)

<?php
ini_set('display_errors', -1);
// wp-blog-header.php bootstraps WordPress and then runs the template loader,
// so the theme's output starts here, before any header() call further down.
require('wp-blog-header.php');
require('wp-config.php');
// Request values are used directly in the SQL strings below (see the answer
// and comments on SQL injection).
$token = $_GET["token"];
$platform = $_GET["platform"];
$resolution = $_GET["resolution"];
$assetName = $_GET["assetName"];
$currentTime = date("ymdHi", time());
if ($wpdb->query("SELECT * FROM wp_token_table WHERE token='$token'")) {
    $result = $wpdb->get_results("SELECT (path) FROM wp_path_table WHERE os='$platform' AND res = '$resolution' AND bundle_name= '$assetName'");
    if ($result) {
        $path = $result[0]->path;
        $fileName = basename($assetName);
        $filePath = $path;
        if (!empty($fileName) && file_exists($filePath)) {
            header("Cache-Control: public");
            header("Content-Description: File Transfer");
            header("Content-Type: application/zip");
            header("Content-Length: " . filesize($filePath));
            header("Content-Disposition: attachment; filename=$fileName");
            header("Content-Transfer-Encoding: binary");
            readfile($filePath);
            exit;
        }
    }
} else echo "false";

?>
Aryaman Gupta
  • You cannot alter the headers after output; unfortunately for you, one of the first things WordPress does is output the header part of the template. If you turn on display errors you'll probably see a warning for that. – ArtisticPhoenix Jun 29 '16 at 06:21
  • Your best bet is going to be creating a PHP file completely outside of WordPress that you can link to by submitting the form into an iframe. In this file you would output the headers and the content of the file. – ArtisticPhoenix Jun 29 '16 at 06:22
  • So what can I do for this, @ArtisticPhoenix? But it is working on the other online server. – Aryaman Gupta Jun 29 '16 at 06:24
  • Other online server without WordPress, correct? – ArtisticPhoenix Jun 29 '16 at 06:25
  • You can reference this answer I posted. http://stackoverflow.com/questions/166221/how-can-i-upload-files-asynchronously/24422523#24422523 – ArtisticPhoenix Jun 29 '16 at 06:25
  • Yes, it is working on another server without WordPress. – Aryaman Gupta Jun 29 '16 at 06:26
  • So in the form's "action" put the location of the PHP file that will download the file. In that PHP file, do not include anything from WordPress; this gives you essentially a separate environment that you won't have to worry about WordPress outputting stuff in. And then in the target, you put the iframe's ID, and the form will submit through the iframe. Make sense? – ArtisticPhoenix Jun 29 '16 at 06:27
  • I'll help you as best I can in an answer (so I can post some code); if you would do what I mention there we can see if my guess is correct. – ArtisticPhoenix Jun 29 '16 at 06:31

1 Answer

First of all, let's verify my assumption is correct. In the WordPress index.php file, right at the top, add this (after the <?php tag, obviously):

ini_set('display_errors', -1 );

Let me know what that says when you try to download the file.

SQL injection would let me do this with your URL:

 $token="'; SELECT * FROM wp_token_table WHERE 1 LIMIT 1; --";

And then your query would be this:

"SELECT * FROM wp_token_table WHERE token=''; SELECT * FROM wp_token_table WHERE 1 LIMIT 1; --'"

The -- is the start of a comment, to discard the ending '; then I would essentially select the first entry from that table. Or worse.

It's very important to prevent that.

For the error, I would do this:

 <?php
  echo "hello";
  /* -- rest of code */

And make sure the page works first. Once you know that, you can rule out problems with the URL, then uncomment bits of the code till it breaks. That will show you where the error is. Unfortunately, error reporting won't generally work if it's on a page with a syntax error, because PHP can't even parse the page, so it can't run anything on it.

ArtisticPhoenix
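The injection the answer describes, as an added example that is not code from the question or the answer: it reproduces the question's token check with the same string interpolation, shows a request value that passes it without knowing any stored token, and contrasts a parameterised version of the same check. An in-memory SQLite database (PDO) stands in for $wpdb so the script runs offline; the table layout, the stored token and the function names are constructed for this demo. The payload used here is a tautology (`' OR 1=1 -- `) rather than the stacked second statement in the answer, because a single-statement tautology works against any driver that executes one query at a time.

```php
<?php
// Added example, not from the question or answer: vulnerable vs. parameterised
// token lookup. SQLite via PDO stands in for $wpdb; all data is constructed.

function makeDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE wp_token_table (id INTEGER PRIMARY KEY, token TEXT NOT NULL)');
    $db->exec("INSERT INTO wp_token_table (token) VALUES ('k3Qp9v-real-token')");
    return $db;
}

// Vulnerable: the request value becomes part of the SQL text, exactly as in
// $wpdb->query("SELECT * FROM wp_token_table WHERE token='$token'").
function tokenValidInterpolated(PDO $db, string $token): bool
{
    $sql = "SELECT * FROM wp_token_table WHERE token='$token'";
    return count($db->query($sql)->fetchAll(PDO::FETCH_ASSOC)) > 0;
}

// Hardened: the value is bound as a parameter, so quotes and comment markers
// inside it are data, not SQL. The WordPress equivalent is
//   $wpdb->get_var($wpdb->prepare("SELECT COUNT(*) FROM wp_token_table WHERE token = %s", $token))
function tokenValidPrepared(PDO $db, string $token): bool
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM wp_token_table WHERE token = :token');
    $stmt->execute([':token' => $token]);
    return (int) $stmt->fetchColumn() > 0;
}

$db = makeDemoDb();

// What an attacker puts in ?token=... : closes the string literal, adds a
// condition that is always true, and comments out the original closing quote.
// The interpolated SQL becomes: ... WHERE token='' OR 1=1 -- '
$attack = "' OR 1=1 -- ";

foreach (['k3Qp9v-real-token', 'wrong-token', $attack] as $input) {
    printf(
        "%-22s interpolated=%-8s prepared=%s\n",
        var_export($input, true),
        tokenValidInterpolated($db, $input) ? 'ACCEPTED' : 'rejected',
        tokenValidPrepared($db, $input) ? 'ACCEPTED' : 'rejected'
    );
}
```

Run it with `php demo.php` (the pdo_sqlite extension is bundled with most PHP builds). The interpolated check accepts the tautology input as if it were a valid token; the prepared check rejects it and only accepts the real token. The same contrast applies to the second query in the question, where `$platform`, `$resolution` and `$assetName` are interpolated the same way.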
  • In index.php or in the file where I have that header code, which is check.php? – Aryaman Gupta Jun 29 '16 at 06:32
  • The index is better, but anywhere before you do the header call should work. This will show any notices or warnings from PHP, which are usually hidden. – ArtisticPhoenix Jun 29 '16 at 06:33
  • It shows no warning from PHP. It just says: This site can’t be reached. The webpage at http://localhost/wordpress/checktokenvalidity.php?token=wXn9nE9Ll4&platform=a&resolution=sd&assetName=number-bond might be temporarily down or it may have moved permanently to a new web address. ERR_INVALID_RESPONSE – Aryaman Gupta Jun 29 '16 at 06:54
  • You don't get this warning? `Warning: "Headers already sent" or "Cannot modify header information"` Can you put the code that downloads the file in the question? – ArtisticPhoenix Jun 29 '16 at 06:56
  • You can check now, @ArtisticPhoenix – Aryaman Gupta Jun 29 '16 at 07:02
  • Did you check for error log files in the directory this is running in? You may have an error in there. But I'd use prepared statements, as this is not secure against SQL injection. https://developer.wordpress.org/reference/classes/wpdb/prepare/ – ArtisticPhoenix Jun 29 '16 at 07:10
  • I know, I will send an encrypted request with SHA, but for testing purposes I am doing it like this for now. – Aryaman Gupta Jun 29 '16 at 07:28
  • Encrypting won't prevent SQL injection. For example, I could drop your database tables with the right $_GET variables. – ArtisticPhoenix Jun 29 '16 at 07:35
  • I will change that, thank you, but what about the download thing, what should I do? – Aryaman Gupta Jun 29 '16 at 08:19
  • Is there a way to use WordPress syntax or any plugin that you know of to do the downloading thing? @ArtisticPhoenix – Aryaman Gupta Jun 29 '16 at 08:57
  • I think what you said before: I'll make another database on another server with that PHP file and download the respective files, or I will not put that file in the WordPress folder; instead I'll make a different folder and a different database within that server, and that will work fine in XAMPP as well as on other servers. Thank you @ArtisticPhoenix for helping me out. – Aryaman Gupta Jun 29 '16 at 09:25
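A rewrite of the question's download endpoint that addresses both problems raised in the thread, added here as an example and not code from the question, the answer or WordPress itself. It keeps WordPress available (so `$wpdb` still supplies the path) but bootstraps it through `wp-load.php`, which loads wp-config.php and the core without running the template loader that `wp-blog-header.php` invokes; it runs every request value through `$wpdb->prepare()`; and it checks `headers_sent()` before emitting the download so a stray byte of output produces a diagnostic rather than a corrupt response. It assumes the question's table and column names (wp_token_table.token; wp_path_table.os, res, bundle_name, path), that the script sits in the WordPress root beside wp-load.php, and PHP 7 or later for the `??` operator. It needs a WordPress install to run.

```php
<?php
// Added example: hardened version of the question's download script.
// Assumes the question's table/column names and a WordPress root location.

// wp-blog-header.php = wp-load.php + wp() + template-loader.php; the template
// loader prints the theme before any header() call below could run.
// wp-load.php alone bootstraps wp-config.php, $wpdb and plugins and sends
// nothing to the client.
require_once __DIR__ . '/wp-load.php';

/** @var wpdb $wpdb */

$token      = (string) ($_GET['token']      ?? '');
$platform   = (string) ($_GET['platform']   ?? '');
$resolution = (string) ($_GET['resolution'] ?? '');
$assetName  = (string) ($_GET['assetName']  ?? '');

// %s in $wpdb->prepare() is quoted and escaped by WordPress, so a value such
// as "' OR 1=1 -- " is compared as a literal token, never parsed as SQL.
$tokenCount = (int) $wpdb->get_var($wpdb->prepare(
    "SELECT COUNT(*) FROM wp_token_table WHERE token = %s",
    $token
));
if ($tokenCount === 0) {
    status_header(403);
    exit('false');
}

$path = $wpdb->get_var($wpdb->prepare(
    "SELECT path FROM wp_path_table WHERE os = %s AND res = %s AND bundle_name = %s LIMIT 1",
    $platform,
    $resolution,
    $assetName
));
if ($path === null || !is_file($path) || !is_readable($path)) {
    status_header(404);
    exit('false');
}

// If anything has already reached the client (a BOM or blank line before the
// opening tag of wp-config.php, a plugin echoing a notice), header() cannot
// take effect; say where the output started instead of sending a broken body.
if (headers_sent($file, $line)) {
    exit("output already started in $file on line $line");
}

// Plugins may have opened output buffers; discard them so buffered HTML is
// not prepended to the zip bytes.
while (ob_get_level() > 0) {
    ob_end_clean();
}

header('Content-Type: application/zip');
header('Content-Length: ' . filesize($path));
// Filename is taken from the stored path, not from the request, and quoted.
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
readfile($path);
exit;
```

If the `headers_sent()` branch fires even with `wp-load.php`, the file and line it reports point at the source of the stray output (commonly a UTF-8 BOM at the top of wp-config.php or a theme functions.php), which is the check the answer's "echo hello and uncomment until it breaks" procedure performs by hand.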