
Hey guys, I've been researching this one and it seems to be quite contested, due to security risks?

Basically I want people to click a button and have it download an MP3 rather than having to right-click "Save As". First I want to get the basic workings of it going, then I will see how to make it more secure....

 

I've found a different way to do it than the Application Force-download method, and it works if done like so to test....

 


<?php
$file = $_GET['file'];
$user = $_GET['user'];
// Hard-coded test: always serves the same MP3 as an attachment
header('Content-disposition: attachment; filename=Deserted.mp3');
header('Content-type: audio/mpeg');
readfile('netdog/music/Deserted.mp3');
?>

 

However, if I try to get it to work using the filename sent from the last page, it doesn't convert the variable to the value; it just displays the variable as the filename???

 

<?php
$file = $_GET['file'];
$user = $_GET['user'];
header('Content-disposition: attachment; filename=$file');
header('Content-type: audio/mpeg');
readfile('netdog/music/$file');
?>

 

This is strange, but as I said, it brings up the SAVE AS or OPEN WITH box, but the filename in there is $file, so it's not converting it into the value!!!!

 

After I've got this working I will expand it so that it is more secure. But could someone explain the security risk? Apparently it allows people to download any file on our system?? But all the files are accessed through the site anyway, surely? But I guess they'd be able to see the PHP code in a doc that's normally converted to HTML in a browser?

https://forums.phpfreaks.com/topic/144597-solved-force-download/

Variable interpolation (i.e. substituting the variable with its value in a string) only works for strings enclosed in double quotes. Strings enclosed in single quotes are returned verbatim. Check out the strings part of the language reference chapter in the manual.

Thanks very much for helping me; again I have learnt the reasons behind the help, cheers guys!

 

Concerning the validating, I have to make sure the file is an MP3? This way someone trying to hack will only be able to download the MP3s and not try to hack me by downloading the raw PHP files etc.? Am I correct?

correct...

 

1. make sure the variable contains only a file name

2. make sure the file exists

 


<?php

$path = 'netdog/music/';

if ( isset ( $_GET['file'] ) )
{
    // 1. Only a bare file name: letters/digits followed by exactly ".mp3".
    //    Slashes, dots and ".." never match, so the value cannot leave $path.
    if ( preg_match ( '/^[a-z0-9]+\.mp3$/i', $_GET['file'] ) > 0 )
    {
        // 2. The file must actually exist inside the music directory.
        if ( file_exists ( $path . $_GET['file'] ) )
        {
            // Double quotes are the correct quoting for the filename parameter.
            header ( 'Content-disposition: attachment; filename="' . $_GET['file'] . '"' );

            header ( 'Content-type: audio/mpeg' );

            readfile ( $path . $_GET['file'] );

            exit ();
        }
    }
}

echo 'problem with the request, please try again';

?>
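A fuller version of the two checks above, as an added example that is not code from the thread: besides the file-name regex it resolves the final path with realpath() and confirms it still lies inside the music directory (catching symlinks pointing elsewhere), and it sets Content-Length and nosniff. It assumes the MP3s live in netdog/music/ next to the script, as in the original code; the function name resolve_download is my own.

```php
<?php
// Added example, not from the thread: hardened MP3 download handler.
// Assumes the files live in netdog/music/ relative to this script.
declare(strict_types=1);

function resolve_download(string $requested, string $baseDir): ?string
{
    // 1. Only a bare file name: letters, digits, '-' or '_' plus ".mp3".
    //    Slashes, "..", quotes, newlines and NUL bytes can never match.
    if (!preg_match('/^[a-z0-9_-]+\.mp3$/i', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    // 2. The file must exist and be a regular file.
    if ($base === false || $full === false || !is_file($full)) {
        return null;
    }
    // 3. After symlink resolution it must still sit under the music directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $full;
}

$musicDir = __DIR__ . '/netdog/music';
$file = resolve_download((string)($_GET['file'] ?? ''), $musicDir);

if ($file === null) {
    http_response_code(404);
    header('Content-Type: text/plain');
    echo 'problem with the request, please try again';
    exit();
}

// The regex guarantees the name is plain ASCII with no quotes, so the
// double-quoted filename parameter cannot be broken out of.
header('Content-Type: audio/mpeg');
header('Content-Disposition: attachment; filename="' . basename($file) . '"');
header('Content-Length: ' . (string) filesize($file));
header('X-Content-Type-Options: nosniff');
readfile($file);
exit();
```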
