469,352 Members | 2,154 Online
Bytes | Developer Community
New Post

Home Posts Topics Members FAQ

Post your question to a community of 469,352 developers. It's quick & easy.

PHP-generated link to local file doesn't work when clicked on. Why?

I'm running an Apache server on my own computer (Windows XP Pro).

I wrote a simple PHP script (called test3.php) that I'm running by
putting the following URL in the address bar of the browser (Firefox)
....

http://localhost/test3.php

The script generates the following link using the echo statement ...

<a href="file:///C:/pictures/xyz.jpg"> Picture </a>

("C:/pictures/xyz.jpg", as you can guess by now, is an image file on
my harddrive, but it's not in the document root).

When I clicked on the link, nothing happened. However, if I
RIGHT-click on it and select "Copy link location" (which copies the
URL to the clipboard) and then paste the URL into the address bar of
the browser, the picture then displays correctly.

Why did it not work when I clicked on the link the first time, but it
only worked when I pasted the link to the address bar?

Is there some special notation/syntax that I need to use to get this
to work properly?

May 26 '06 #1
23 5077
wylbur37:
<a href="file:///C:/pictures/xyz.jpg"> Picture </a>


I think - could be wrong - that Firefox doesn't follow file links,
however they're specified, in resources requested by HTTP. It sits and
does nothing. Dunno what other browsers do.

--
Jock

May 26 '06 #2
John Dunlop wrote:
wylbur37:
<a href="file:///C:/pictures/xyz.jpg"> Picture </a>


I think - could be wrong - that Firefox doesn't follow file links,
however they're specified, in resources requested by HTTP. It sits and
does nothing. Dunno what other browsers do.


I have several webpages of HTML code, many of them containing links
to local files on my harddrive (just like the one show above),
and they work just fine when the webpage is opened explicitly
from the browser (and not passed through a local server).

May 26 '06 #3
John Dunlop said the following on 26/05/2006 16:02:
wylbur37:
<a href="file:///C:/pictures/xyz.jpg"> Picture </a>


I think - could be wrong - that Firefox doesn't follow file links,
however they're specified, in resources requested by HTTP. It sits and
does nothing. Dunno what other browsers do.


I'm not sure this makes any sense at all. By definition, a "file://"
link is not an "http://" link, and so doesn't involve HTTP.

As for why it doesn't work for the OP, though, I have no idea.

--
Oli
May 26 '06 #4

"John Dunlop" <us*********@john.dunlop.name> wrote in message
news:11**********************@u72g2000cwu.googlegr oups.com...
| wylbur37:
|
| > <a href="file:///C:/pictures/xyz.jpg"> Picture </a>
|
| I think - could be wrong - that Firefox doesn't follow file links,
| however they're specified, in resources requested by HTTP. It sits and
| does nothing. Dunno what other browsers do.

not sure about that. i'd try taking out the additional / after file before
thinking that were the case...

<a href="file://c:/picures/xyz.jpg">file system picture here if clicked</a>
May 26 '06 #5

"Oli Filth" <ca***@olifilth.co.uk> wrote in message
news:k2****************@newsfe4-gui.ntli.net...
| John Dunlop said the following on 26/05/2006 16:02:
| > wylbur37:
| >
| >> <a href="file:///C:/pictures/xyz.jpg"> Picture </a>
| >
| > I think - could be wrong - that Firefox doesn't follow file links,
| > however they're specified, in resources requested by HTTP. It sits and
| > does nothing. Dunno what other browsers do.
|
| I'm not sure this makes any sense at all. By definition, a "file://"
| link is not an "http://" link, and so doesn't involve HTTP.
|
| As for why it doesn't work for the OP, though, I have no idea.

actually oli, iirc the rfc for href is for a URI and not specifically a
URL...where the resource could be even something as non-url as a javascript
function. but i've been wrong before and my memory is not the best.

i think this doesn't work because of the additional / after file://
May 26 '06 #6
robert said the following on 26/05/2006 16:36:
"Oli Filth" <ca***@olifilth.co.uk> wrote in message
news:k2****************@newsfe4-gui.ntli.net...
| John Dunlop said the following on 26/05/2006 16:02:
| > wylbur37:
| >
| >> <a href="file:///C:/pictures/xyz.jpg"> Picture </a>
| >
| > I think - could be wrong - that Firefox doesn't follow file links,
| > however they're specified, in resources requested by HTTP. It sits and
| > does nothing. Dunno what other browsers do.
|
| I'm not sure this makes any sense at all. By definition, a "file://"
| link is not an "http://" link, and so doesn't involve HTTP.
|
| As for why it doesn't work for the OP, though, I have no idea.

actually oli, iirc the rfc for href is for a URI and not specifically a
URL...where the resource could be even something as non-url as a javascript
function.


Indeed, I'm aware of that ;) . However, I now realise that I've misread
John's post, so ignore what I said!
--
Oli
May 26 '06 #7

"Oli Filth" <ca***@olifilth.co.uk> wrote in message
news:In*************@newsfe3-win.ntli.net...
| robert said the following on 26/05/2006 16:36:
| > "Oli Filth" <ca***@olifilth.co.uk> wrote in message
| > news:k2****************@newsfe4-gui.ntli.net...
| > | John Dunlop said the following on 26/05/2006 16:02:
| > | > wylbur37:
| > | >
| > | >> <a href="file:///C:/pictures/xyz.jpg"> Picture </a>
| > | >
| > | > I think - could be wrong - that Firefox doesn't follow file links,
| > | > however they're specified, in resources requested by HTTP. It sits
and
| > | > does nothing. Dunno what other browsers do.
| > |
| > | I'm not sure this makes any sense at all. By definition, a "file://"
| > | link is not an "http://" link, and so doesn't involve HTTP.
| > |
| > | As for why it doesn't work for the OP, though, I have no idea.
| >
| > actually oli, iirc the rfc for href is for a URI and not specifically a
| > URL...where the resource could be even something as non-url as a
javascript
| > function.
|
| Indeed, I'm aware of that ;) . However, I now realise that I've misread
| John's post, so ignore what I said!

there's a wink in there, oli...i know you know your stuff many times over.
that was my gentle supposition more for the op and john dunlop.

cheers.
May 26 '06 #8
wylbur37 wrote:
I have several webpages of HTML code, many of them containing links
to local files on my harddrive (just like the one show above),
and they work just fine when the webpage is opened explicitly
from the browser (and not passed through a local server).


Well... wouldn't this lead you to think about the web server blocking
the access to those files? I bet C:\pictures is not part of the normal
web space for your server. Try a simple page such as:

<html>
<head></head>
<body>
<img src="C:/pictures/xyz.jpg">
</body>
</html>

What do your web server logs tell you?

-david-

May 26 '06 #9
wylbur37 wrote:
I'm running an Apache server on my own computer (Windows XP Pro).

I wrote a simple PHP script (called test3.php) that I'm running by
putting the following URL in the address bar of the browser (Firefox)

http://localhost/test3.php

The script generates the following link using the echo statement ...

<a href="file:///C:/pictures/xyz.jpg"> Picture </a>

("C:/pictures/xyz.jpg", as you can guess by now, is an image file on
my harddrive, but it's not in the document root).

When I clicked on the link, nothing happened. However, if I
RIGHT-click on it and select "Copy link location" (which copies the
URL to the clipboard) and then paste the URL into the address bar of
the browser, the picture then displays correctly.

Why did it not work when I clicked on the link the first time, but it
only worked when I pasted the link to the address bar?

Is there some special notation/syntax that I need to use to get this
to work properly?


I just tried running the same script while in Internet Explorer
and it works.

But when I run it in Mozilla 1.4 (suite) or Firefox 1.5,
I get the problem described above.

Usually it's the other way around (i.e., it doesn't work in Internet
Explorer
but works in Mozilla or Firefox).

It must be because of some setting in the browser.
I wonder what it could be.

May 26 '06 #10
| Usually it's the other way around (i.e., it doesn't work in Internet
| Explorer
| but works in Mozilla or Firefox).
|
| It must be because of some setting in the browser.
| I wonder what it could be.
hmmm...that, or the browser/os integration. it could be security permissions
on the dir/file compounded with the fact that i.e. probably uses the
credentials of the currently logged in user...where ff may not.

just a guess though.
May 26 '06 #11
robert wrote:

... i'd try taking out the additional / after file before
thinking that were the case...

<a href="file://c:/picures/xyz.jpg">file system picture here if clicked</a>


I removed one of the slashes from the echo statement,
but the interesting thing was that although the HTML that was
generated now shows a URL with only two slashes (as verified by
View SourceCode), when I hovered the mouse over the link, the status
bar (lower left corner of browser) shows it as having three slashes!
And when I did a Copy URL to clipboard, it had three slashes!

May 26 '06 #12

"wylbur37" <wy************@yahoo.com> wrote in message
news:11**********************@j33g2000cwa.googlegr oups.com...
| robert wrote:
| >
| > ... i'd try taking out the additional / after file before
| > thinking that were the case...
| >
| > <a href="file://c:/picures/xyz.jpg">file system picture here if
clicked</a>
|
| I removed one of the slashes from the echo statement,
| but the interesting thing was that although the HTML that was
| generated now shows a URL with only two slashes (as verified by
| View SourceCode), when I hovered the mouse over the link, the status
| bar (lower left corner of browser) shows it as having three slashes!
| And when I did a Copy URL to clipboard, it had three slashes!

aint that something. actually, i bet it doesn't happen in ie...which could
be an indication of why it's not working in ff. have you thought of trying
to leave out the 'file://' portion out altogether? try it with
c:/pictures/xyz.jpg ... i'm curious if that will fix it. could just be a bug
in ff. in which case, you can merrily report it and get your credit for
bettering the world! ;^)

cheers
May 26 '06 #13
In message <11**********************@i40g2000cwc.googlegroups .com>,
wylbur37 <wy************@yahoo.com> writes
I'm running an Apache server on my own computer (Windows XP Pro).

I wrote a simple PHP script (called test3.php) that I'm running by
putting the following URL in the address bar of the browser (Firefox)
...

http://localhost/test3.php

The script generates the following link using the echo statement ...

<a href="file:///C:/pictures/xyz.jpg"> Picture </a>

("C:/pictures/xyz.jpg", as you can guess by now, is an image file on
my harddrive, but it's not in the document root).

When I clicked on the link, nothing happened.


It's disabled for security reasons.

There's more information about this at:
<http://kb.mozillazine.org/Links_to_local_pages_don't_work>
--
Martin Jay
Phone/SMS: +44 7740 191877
Fax: +44 870 915 2124
May 26 '06 #14
In message <gf*************@fe06.lga>, robert
<ab@no.spam-alama-ding-dong> writes
"Oli Filth" <ca***@olifilth.co.uk> wrote in message
news:k2****************@newsfe4-gui.ntli.net...
| John Dunlop said the following on 26/05/2006 16:02:
| > wylbur37:
| >
| >> <a href="file:///C:/pictures/xyz.jpg"> Picture </a> i think this doesn't work because of the additional / after file://


Your thinking is wrong: file:/// is correct.
--
Martin Jay
Phone/SMS: +44 7740 191877
Fax: +44 870 915 2124
May 26 '06 #15
[This whole thread was off-topic from the start. Marked so now.]

robert:
actually oli, iirc the rfc for href is for a URI and not specifically a
URL...
Right, that's what the spec says.
where the resource could be even something as non-url as a javascript
function.
We're drifting here. Since javascript isn't a registered scheme
name, if you wanted to argue that you're still playing by the spec, the
first hurdle is to point to a specification for javascript URIs. Once
you've done that, ask why it hasn't been registered. :-)

[re: file:///C:/pictures/xyz.jpg ]
i think this doesn't work because of the additional / after file://


I don't think so, robert. The slash separates the hostname (here,
implicit) from the path part. Not including it might cause problems
with strict interpreters, but including it... doubt it.

http://www.ietf.org/rfc/rfc1738.txt

--
Jock

May 26 '06 #16
"Martin Jay" <ma****@spam-free.org.uk> wrote in message
news:Cp**************@onenet.org.uk...
| In message <gf*************@fe06.lga>, robert
| <ab@no.spam-alama-ding-dong> writes
| >"Oli Filth" <ca***@olifilth.co.uk> wrote in message
| >news:k2****************@newsfe4-gui.ntli.net...
| >| John Dunlop said the following on 26/05/2006 16:02:
| >| > wylbur37:
| >| >
| >| >> <a href="file:///C:/pictures/xyz.jpg"> Picture </a>
|
| >i think this doesn't work because of the additional / after file://
|
| Your thinking is wrong: file:/// is correct.

didn't say that WAS the reason it didn't work. you start with what looks
most obvious...and '///' isn't typical uri naming conventionality.

but you do what you can to try and "right" yourself.

lol
May 26 '06 #17

"John Dunlop" <us*********@john.dunlop.name> wrote in message
news:11*********************@j73g2000cwa.googlegro ups.com...
| [This whole thread was off-topic from the start. Marked so now.]
|
| robert:
|
| > actually oli, iirc the rfc for href is for a URI and not specifically a
| > URL...
|
| Right, that's what the spec says.
|
| > where the resource could be even something as non-url as a javascript
| > function.
|
| We're drifting here. Since javascript isn't a registered scheme
| name, if you wanted to argue that you're still playing by the spec, the
| first hurdle is to point to a specification for javascript URIs. Once
| you've done that, ask why it hasn't been registered. :-)
|
| [re: file:///C:/pictures/xyz.jpg ]
|
| > i think this doesn't work because of the additional / after file://
|
| I don't think so, robert. The slash separates the hostname (here,
| implicit) from the path part. Not including it might cause problems
| with strict interpreters, but including it... doubt it.
|
| http://www.ietf.org/rfc/rfc1738.txt
|

comments appreciated...just something to try.
May 26 '06 #18
Martin Jay wrote:
In message <11**********************@i40g2000cwc.googlegroups .com>,
wylbur37 <wy************@yahoo.com> writes
I'm running an Apache server on my own computer (Windows XP Pro).

I wrote a simple PHP script (called test3.php) that I'm running by
putting the following URL in the address bar of the browser (Firefox)
...

http://localhost/test3.php

The script generates the following link using the echo statement ...

<a href="file:///C:/pictures/xyz.jpg"> Picture </a>

("C:/pictures/xyz.jpg", as you can guess by now, is an image file on
my harddrive, but it's not in the document root).

When I clicked on the link, nothing happened.


It's disabled for security reasons.

There's more information about this at:
<http://kb.mozillazine.org/Links_to_local_pages_don't_work>

Yes. And that page contains the following instructions for disabling a
preference in Firefox.

"Type about:config <http://kb.mozillazine.org/about:config> into the
Location bar and hit Enter. Find the entry for *security.checkloaduri*
and change its value to *false* by double-clicking it. Then, restart
your browser."

This is a possible security risk, though, so another solution is to add
an alias to Apache config file.

In httpd.conf, I have added:
Alias /cdrive/ "c:/"

Then, in Php scripts, when I want to access a local file I use:
http://localhost/cdrive/............

or

/cdrive/......

--
*****************************
Chuck Anderson Boulder, CO
http://www.CycleTourist.com
Everyone's journey should be different,
so that we all are enriched
in new and endless ways
*****************************
May 26 '06 #19
Martin Jay wrote:
wylbur37 <wy************@yahoo.com> writes
I wrote a simple PHP script (called test3.php) that I'm running by
putting the following URL in the address bar of the browser (Firefox)
...
http://localhost/test3.php

The script generates the following link using the echo statement ...

<a href="file:///C:/pictures/xyz.jpg"> Picture </a>

("C:/pictures/xyz.jpg", as you can guess by now, is an image file on
my harddrive, but it's not in the document root).

When I clicked on the link, nothing happened.


It's disabled for security reasons.

There's more information about this at:
<http://kb.mozillazine.org/Links_to_local_pages_don't_work>


What's the use of Mozilla/Firefox refusing to honor links to local
files "for security reasons" when any website can still access
a user's files anyway by means of a PHP script?

May 31 '06 #20
In message <11**********************@c74g2000cwc.googlegroups .com>,
wylbur37 <wy************@yahoo.com> writes
Martin Jay wrote:
wylbur37 <wy************@yahoo.com> writes
>I wrote a simple PHP script (called test3.php) that I'm running by
>putting the following URL in the address bar of the browser (Firefox)
>...
> http://localhost/test3.php
>
>The script generates the following link using the echo statement ...
>
> <a href="file:///C:/pictures/xyz.jpg"> Picture </a>
>
>("C:/pictures/xyz.jpg", as you can guess by now, is an image file on
>my harddrive, but it's not in the document root).
>
>When I clicked on the link, nothing happened.


It's disabled for security reasons.

There's more information about this at:
<http://kb.mozillazine.org/Links_to_local_pages_don't_work>


What's the use of Mozilla/Firefox refusing to honor links to local
files "for security reasons" when any website can still access
a user's files anyway by means of a PHP script?


I don't understand what you mean. Can you give an example of a PHP
script, running on a server, being able to access files on a user's
(client) machine?
--
Martin Jay
Phone/SMS: +44 7740 191877
Fax: +44 870 915 2124
May 31 '06 #21
Martin Jay wrote:
In message <11**********************@c74g2000cwc.googlegroups .com>,
wylbur37 <wy************@yahoo.com> writes

What's the use of Mozilla/Firefox refusing to honor links to local
files "for security reasons" when any website can still access
a user's files anyway by means of a PHP script?


I don't understand what you mean. Can you give an example of a PHP
script, running on a server, being able to access files on a user's
(client) machine?


In my original posting, when I described running a PHP script called
test3.php on my localhost Apache server (where the server and the
client are on the same physical computer), I could also include code
that reads and writes to the c: drive, so I assumed that if that same
script were installed on a physically remote server, it would also be
able to read and write to the C: drive of my computer if I were to
visit the webpage with that PHP script.
But now I realize that if that were the case, the C: drive that would
be accessed would be the one on the *server's* computer and not *my*
computer. Is that correct?

By the way, the informative webpage mentioned
(http://kb.mozillazine.org/Links_to_local_pages_don't_work)
said that ...

For security purposes, Firefox and Mozilla Suite block links to
local files (and directories) from remote files. This includes
linking to files on your hard drive, on mapped network drives, and
accessible via UNC paths. This prevents a number of unpleasant
possibilities, including:

* Allowing sites to detect your operating system by checking
default installation paths
* Allowing sites to exploit system vulnerabilities (e.g.,
C:\con\con in Windows 95/98)
* Allowing sites to detect browser preferences or read sensitive
data

Could someone explain how the above three "unpleasant possibilities"
could actually happen?

Jun 1 '06 #22
In message <11**********************@j55g2000cwa.googlegroups .com>,
wylbur37 <wy************@yahoo.com> writes
Martin Jay wrote:
In message <11**********************@c74g2000cwc.googlegroups .com>,
wylbur37 <wy************@yahoo.com> writes
>
>What's the use of Mozilla/Firefox refusing to honor links to local
>files "for security reasons" when any website can still access
>a user's files anyway by means of a PHP script?
I don't understand what you mean. Can you give an example of a PHP
script, running on a server, being able to access files on a user's
(client) machine?

In my original posting, when I described running a PHP script called
test3.php on my localhost Apache server (where the server and the
client are on the same physical computer), I could also include code
that reads and writes to the c: drive, so I assumed that if that same
script were installed on a physically remote server, it would also be
able to read and write to the C: drive of my computer if I were to
visit the webpage with that PHP script.
But now I realize that if that were the case, the C: drive that would
be accessed would be the one on the *server's* computer and not *my*
computer. Is that correct?
Ah, yes. I think I understand now.

And yes, a PHP script accessing a file on the drive would look on the
server and not on the client's drive.
By the way, the informative webpage mentioned
(http://kb.mozillazine.org/Links_to_local_pages_don't_work)
said that ...

For security purposes, Firefox and Mozilla Suite block links to
local files (and directories) from remote files. This includes
linking to files on your hard drive, on mapped network drives, and
accessible via UNC paths. This prevents a number of unpleasant
possibilities, including:

* Allowing sites to detect your operating system by checking
default installation paths
* Allowing sites to exploit system vulnerabilities (e.g.,
C:\con\con in Windows 95/98)
* Allowing sites to detect browser preferences or read sensitive
data

Could someone explain how the above three "unpleasant possibilities"
could actually happen?


I'm not a security expert, so I'll leave this for someone with more
knowledge about the matter to provide details. There is some
information about C:\con\con at
<http://everything2.com/index.pl?node_id=83247>. Or you might get an
explanation in one of the security newsgroups.
--
Martin Jay
Phone/SMS: +44 7740 191877
Fax: +44 870 915 2124
Jun 2 '06 #23

wylbur37 wrote:
In my original posting, when I described running a PHP script called
test3.php on my localhost Apache server (where the server and the
client are on the same physical computer), I could also include code
that reads and writes to the c: drive, so I assumed that if that same
script were installed on a physically remote server, it would also be
able to read and write to the C: drive of my computer if I were to
visit the webpage with that PHP script.
/me cringes in horror. Allowing a remote server to arbitrarily
write data to a client's hard drive would be a security blunder of epic
proportions.
But now I realize that if that were the case, the C: drive that would
be accessed would be the one on the *server's* computer and not *my*
computer. Is that correct?
Actually, no, not with the method you were using for that link. If
I understand correctly, the file:// protocol tells the browser to look
on the local machine (e.g. the client's computer).
By the way, the informative webpage mentioned
(http://kb.mozillazine.org/Links_to_local_pages_don't_work)
said that ...

For security purposes, Firefox and Mozilla Suite block links to
local files (and directories) from remote files. This includes
linking to files on your hard drive, on mapped network drives, and
accessible via UNC paths. This prevents a number of unpleasant
possibilities, including:

* Allowing sites to detect your operating system by checking
default installation paths
* Allowing sites to exploit system vulnerabilities (e.g.,
C:\con\con in Windows 95/98)
* Allowing sites to detect browser preferences or read sensitive
data

Could someone explain how the above three "unpleasant possibilities"
could actually happen?


Well, for something harmless, imagine this...

<a href="file:///C:/WINDOWS/system32/calc.exe">
Download a really cool file!
</a>

If there was no security, bam... you just ran the Windows
Calculator on the client's machine. Now, thankfully that's not the case.
If you run that file strictly local (double-click in Explorer), both
Firefox and IE6 will ask if you want to download "calc.exe". Anything
else, including running it through a local web server, and neither
browser will do anything.

Ryan
Jun 11 '06 #24

This discussion thread is closed

Replies have been disabled for this discussion.

Similar topics

reply views Thread by Franck | last post: by
6 posts views Thread by Casey Chambliss | last post: by
6 posts views Thread by Jeffrey Silverman | last post: by
2 posts views Thread by wicky | last post: by
3 posts views Thread by Tyrone Slothrop | last post: by
3 posts views Thread by Siong.Ong | last post: by
9 posts views Thread by art | last post: by
reply views Thread by suresh191 | last post: by
1 post views Thread by Marylou17 | last post: by
By using this site, you agree to our Privacy Policy and Terms of Use.