lemmin

I would try using fopen, fread, and fwrite. The documentation on php.net doesn't state whether or not readfile() is binary safe or not. I know that you can use fopen in a binary safe mode by including "b" in your mode string.

You are using the GET method for the PID and requesting it from the POST variable array.You also have two forms with the same name. It probably isn't hurting anything, but the second one would cause problems if you tried to use any javascript with it. And you have an "action" property in a input tag, I am almost certain that does nothing. Good luck, hope that helps.

Disallowing directory browsing is done using server settings. Simply placing a default file in the directory would stop most people, but some browsers or software would probably still allow listings. The simplest way to stop refresh from adding another query would be to use post instead of get. Other than that, you can check stuff server side like whether it already exists or not. I think you might be able to use the server variable 'HTTP_REFERER' to make sure it came from the correct page. If the user can come form multiple places, instead of checking to make sure they came from a certain page, check to make sure they don't come from a url that includes the get values that input data.