CODEWITHSUNDEEP
phpfiledownload
Eray
Eray

Reputation: 7128

Forcing to Download A File

I'm developing a web service. With this service, user's will upload their .php files, and service will remove UTF8 BOM characters from php file. And then, There will be a link like this :

<a href="uploads/as8df7/uploadedfile.php">Download Your File</a>

But when i click this link, browser browsing to this file. I don't want browse it, i want to download it. So , when user click this link, downloading will start.

Any ideas ?

(P.S. I don't want modify uploadedfile.php file, also i read 5 questions about this, but still i have problem.)

Upvotes: 0

Views: 399

Answers (3)

Manu Manjunath
Manu Manjunath

Reputation: 6421

Linking directly to the PHP file may end up executing it. One way is (like somebody above suggested) to rename it. Or, you can have a downloader.php which does below:

<?php
header('Cache-Control: no-cache, must-revalidate');
header('Expires: Mon, 01 Jan 2000 01:00:00 GMT'); // some date in past
header('Content-type: text/plain');
header('Content-Disposition: attachment; filename='.basename($filepath));
header('Content-Length: ' . filesize($filepath));
flush(); // or any other flush function/mechanism you use.
readfile($filepath);

and link it something like: <a href="./downloader.php?fileid=4ba213">Download</a>

This method will let you retain the .php extension. Also, if the PHP file is big and connection is slow, they progress-bar would be accurate (because you've flushed the content length upfront.

Upvotes: 0

Jim
Jim

Reputation: 73966

You need to supply this HTTP header:

Content-Disposition: attachment; filename=example.txt

You can usually specify this for entire directories at a time by configuring your web server appropriately. If you mention which web server you are using, somebody may be able to suggest how to do this.

Upvotes: 4

Geoff Adams
Geoff Adams

Reputation: 1129

The problem is that you're allowing people to upload PHP files on your server, then giving them a link to execute that PHP file. The web server is automatically treating those uploaded PHP files like any other PHP file, i.e. executing it, which opens you up to a massive security hole.

Whatever purpose your web service has, I'd suggest renaming the file on your server when it is uploaded (something 'random' is best, without an extension), then having a PHP script feed it back out with the appropriate headers set when it is requested.

The URL for such a script would look like:

http://www.example.com/get_uploaded_file.php?id=jgh3h8gjdj2389

It would link the value in id with the file on the server, and if you've saved the original filename somewhere (flat file, DB), you can serve it out using its original name, so long as you set the right HTTP headers.

Upvotes: 1

Related Questions