Gamerz, posted October 16, 2009

How do I make my direct download page secure? Any .htaccess trick? I want it so that the user can ONLY download through the specified folder, and nothing else. They cannot access other files by doing this: ../../index.php or w/e

```php
<?php
$filename = $_GET['file'];   // NOTE: used as-is below; this unchecked path is what the question is about

// required for IE, otherwise Content-disposition is ignored
if (ini_get('zlib.output_compression')) {
    ini_set('zlib.output_compression', 'Off');
}

// addition by Jorg Weske
$file_extension = strtolower(substr(strrchr($filename, "."), 1));

if ($filename == "") {
    echo "<html><title></title><body><center><h1>Error: You have not specified a file to download.</h1></center></body></html>";
    exit;
} elseif (!file_exists($filename)) {
    echo "<html><title></title><body><center><h1>Error: The file you are trying to download does not exist. This may be because the file has been deleted.<br><br>Please reupload your file and try your download again.</h1></center></body></html>";
    exit;
}

// map the extension to a Content-Type
switch ($file_extension) {
    case "pdf":  $ctype = "application/pdf"; break;
    case "exe":  $ctype = "application/octet-stream"; break;
    case "zip":  $ctype = "application/zip"; break;
    case "doc":  $ctype = "application/msword"; break;
    case "xls":  $ctype = "application/vnd.ms-excel"; break;
    case "ppt":  $ctype = "application/vnd.ms-powerpoint"; break;
    case "gif":  $ctype = "image/gif"; break;
    case "png":  $ctype = "image/png"; break;
    case "jpeg":
    case "jpg":  $ctype = "image/jpeg"; break;   // was "image/jpg", which is not a registered type
    default:     $ctype = "application/force-download";
}

header("Pragma: public"); // required
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Cache-Control: private", false); // required for certain browsers
header("Content-Type: $ctype");
// change, added quotes to allow spaces in filenames, by Rajkumar Singh
header("Content-Disposition: attachment; filename=\"" . basename($filename) . "\";");
header("Content-Transfer-Encoding: binary");
header("Content-Length: " . filesize($filename));
readfile($filename);
exit();
?>
```

Link to comment https://forums.phpfreaks.com/topic/177969-php-secure-direct-download-page/
simshaun, posted October 16, 2009

Use strpos and look for any forward slashes or fishy-looking segments in the filename (../).
Gamerz (author), posted October 16, 2009

Is there anything else that I could do to make the code secure?
mrMarcus, posted October 16, 2009

.htaccess would do it. It's in the name: allow and disallow user access to specific folders, files, etc. There are millions of articles on it throughout the web.
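The following is an added example, not code from the thread or from any of the posters, showing how the two suggestions above combine into a hardened version of the script: simshaun's check that the requested name contains no path segments, and mrMarcus's point about keeping the directory itself inaccessible, which is handled here by storing the files outside the document root (the path /var/www/private_downloads is an assumption) so that the PHP script is the only way to reach them. Rather than searching for "../" with strpos, the script insists on a bare file name (basename() must return the input unchanged), requires an allow-listed extension, and then compares the realpath() of the candidate against the realpath() of the download directory, which also catches symlinks that point outside it.

```php
<?php
// Added example (not from the original thread): a hardened download script.
// Files live in ONE directory that is not web-served (assumed path below),
// so the web server never exposes it and this script is the only access path.
declare(strict_types=1);

const DOWNLOAD_DIR = '/var/www/private_downloads';   // assumed path, outside the document root
const ALLOWED_EXT  = [
    'pdf'  => 'application/pdf',
    'zip'  => 'application/zip',
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
];

/**
 * Return the absolute path of a file the caller may download, or null.
 * Rejects anything that is not a plain file name, anything whose extension
 * is not on the allow-list, and anything whose resolved path lands outside
 * DOWNLOAD_DIR (symlinks included, because realpath() follows them).
 */
function resolve_download(string $requested): ?string
{
    // 1. A bare file name only: no slashes, no "..", no NUL bytes, no dot-files.
    if ($requested === '' || $requested !== basename($requested)
        || strpos($requested, "\0") !== false || $requested[0] === '.') {
        return null;
    }
    // 2. Extension allow-list; this also drives the Content-Type header.
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_EXT[$ext])) {
        return null;
    }
    // 3. Canonicalise and confirm the file really sits inside the download directory.
    $base = realpath(DOWNLOAD_DIR);
    $path = realpath(DOWNLOAD_DIR . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;   // resolved outside the allowed directory
    }
    return $path;
}

function send_file(string $path): void
{
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    if (ini_get('zlib.output_compression')) {
        ini_set('zlib.output_compression', 'Off');
    }
    header('Content-Type: ' . ALLOWED_EXT[$ext]);
    header('X-Content-Type-Options: nosniff');   // stop browsers second-guessing the type
    // Strip characters that could break or split the header value.
    $safeName = str_replace(['"', "\r", "\n"], '', basename($path));
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    header('Content-Length: ' . filesize($path));
    header('Cache-Control: private, no-transform');
    readfile($path);
}

$path = resolve_download((string)($_GET['file'] ?? ''));
if ($path === null) {
    http_response_code(404);   // same answer for "missing" and "not allowed", so nothing is revealed
    header('Content-Type: text/plain');
    echo "File not found.\n";
    exit;
}
send_file($path);
```

With this layout a request for `../../index.php` fails at step 1 (basename() returns `index.php`, which differs from the input), a request for `config.php` fails at step 2, and a symlink inside the folder that points elsewhere fails at step 3; all three receive the same 404 so the response does not tell the caller which check tripped.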