Barry Jarvis

Reputation: 339

Set Content-Type dynamically

I have the following code, which I'm using to force download of files rather than opening in browser.

    if(isset($_POST['file_name'])){
        $player_file = $_POST['file_name'];
        $accessKey = "REMOVED";
        $secretKey = "REMOVED";
        $bucket = $_POST['bucket'];
        $fname = $_POST['fname'];

        $zip_url = el_s3_getTemporaryZipLink($accessKey, $secretKey, $bucket, $fname);
        $mp3_url = el_s3_getTemporaryMP3Link($accessKey, $secretKey, $bucket, $fname);

        header('Content-type: audio/mpeg3');
        header('Content-Disposition: attachment; filename="themixtapesite_'.$player_file.'"');
        readfile($mp3_url);
        exit();
    }

As you can see, I pass all the variables from a form. Then use that information to generate a unique Signed URL for the file stored on Amazon S3.

If the file is an MP3 I need it to use the $mp3_url and if it's a Zip file I need to use the $zip_url.

This has to be really simple, but I've been sat in front of this screen all day, and now I've got a complete mind blank!

Any help appreciated.

Upvotes: 0

Views: 2865

Answers (1)

MarcinWolny

Reputation: 1645

  1. This code is one gigantic security hole. You've just opened the doors to your server for anyone willing to use it.
  2. Use an array of mime types to determine a mime type from the extension (you'll need additional security checks though, as relying solely on extension isn't a smart thing to do).
  3. Use a switch statement to determine which function to use. After the switch you should have $url - just one variable storing the extension, not two different variables.

Upvotes: 2
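
A sketch of the approach in points 2 and 3 of the answer, as an added example that is not code from either poster: an extension-to-MIME allow-list, a switch that yields a single `$url`, and input checks before anything reaches a header. The function name `resolve_download`, the `$signers` callables, the character sets allowed and the stub URLs are assumptions made for illustration; the real signed-link helpers are the asker's own and are only stubbed here.

```php
<?php
// Added example, not the asker's code. Extension => MIME type allow-list.
const MIME_TYPES = [
    'mp3' => 'audio/mpeg',
    'zip' => 'application/zip',
];

/**
 * Returns ['url' => ..., 'headers' => [...]] or null when the request is refused.
 * $signers maps 'mp3'/'zip' to callables that take the object name; on the real
 * site they would wrap el_s3_getTemporaryMP3Link()/el_s3_getTemporaryZipLink()
 * with credentials and bucket read from server-side config (assumption).
 */
function resolve_download(array $post, array $signers): ?array
{
    $name = $post['file_name'] ?? null;
    $key  = $post['fname'] ?? null;
    if (!is_string($name) || !is_string($key)) {
        return null;
    }
    // Download name: plain characters only, so no quotes, slashes or line
    // breaks can reach the Content-Disposition header.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9 ._-]{0,99}\z/', $name)) {
        return null;
    }
    // Object name: conservative character set, no parent-directory segments.
    if (!preg_match('#\A[A-Za-z0-9][A-Za-z0-9._/-]{0,199}\z#', $key)
        || strpos($key, '..') !== false) {
        return null;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    switch ($ext) {               // one $url, chosen by extension
        case 'mp3': $url = $signers['mp3']($key); break;
        case 'zip': $url = $signers['zip']($key); break;
        default:    return null;  // anything not on the allow-list
    }
    return ['url' => $url, 'headers' => [
        'Content-Type: ' . MIME_TYPES[$ext],
        'Content-Disposition: attachment; filename="themixtapesite_' . $name . '"',
    ]];
}

// Constructed demo: stub signers stand in for the S3 helpers so this runs offline.
$signers = [
    'mp3' => function ($k) { return "https://bucket.example.invalid/$k.mp3?sig=PLACEHOLDER"; },
    'zip' => function ($k) { return "https://bucket.example.invalid/$k.zip?sig=PLACEHOLDER"; },
];
foreach (['mix.mp3', 'mix.ZIP', 'mix.php', 'mix".mp3'] as $name) {
    echo json_encode($name), ' => ',
        json_encode(resolve_download(['file_name' => $name, 'fname' => 'tapes/mix'], $signers)), "\n";
}
```

In the form handler, a null result would be answered with an error status; otherwise each entry of `headers` is passed to `header()` before `readfile($result['url'])`.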
