Jump to content

Recommended Posts

  • 2 weeks later...

1) <?php

error_reporting(E_ALL);

###############################################################

# File Download 1.31

###############################################################

# Visit http://www.zubrag.com/scripts/ for updates

###############################################################

# Sample call:

#    download.php?f=phptutorial.zip

#

# Sample call (browser will try to save with new file name):

#    download.php?f=phptutorial.zip&fc=php123tutorial.zip

###############################################################

 

// Allow direct file download (hotlinking)?

// Empty - allow hotlinking

// If set to nonempty value (Example: example.com) will only allow downloads when referrer contains this text

define('ALLOWED_REFERRER', '');

 

// Download folder, i.e. folder where you keep all files for download.

// MUST end with slash (i.e. "/" )

define('BASE_DIR','/users/uname/uploads/');

 

// log downloads?  true/false

define('LOG_DOWNLOADS',true);

 

// log file name

define('LOG_FILE','downloads.log');

 

// Allowed extensions list in format 'extension' => 'mime type'

// If myme type is set to empty string then script will try to detect mime type

// itself, which would only work if you have Mimetype or Fileinfo extensions

// installed on server.

$allowed_ext = array (

 

  // archives

  'zip' => 'application/zip',

 

  // documents

  'pdf' => 'application/pdf',

  'doc' => 'application/msword',

  'xls' => 'application/vnd.ms-excel',

  'ppt' => 'application/vnd.ms-powerpoint',

 

  // executables

  'exe' => 'application/octet-stream',

 

  // images

  'gif' => 'image/gif',

  'png' => 'image/png',

  'jpg' => 'image/jpeg',

  'jpeg' => 'image/jpeg',

 

  // audio

  'mp3' => 'audio/mpeg',

  'wav' => 'audio/x-wav',

 

  // video

  'mpeg' => 'video/mpeg',

  'mpg' => 'video/mpeg',

  'mpe' => 'video/mpeg',

  'mov' => 'video/quicktime',

  'avi' => 'video/x-msvideo'

);

 

 

 

####################################################################

###  DO NOT CHANGE BELOW

####################################################################

 

// If hotlinking not allowed then make hackers think there are some server problems

if (ALLOWED_REFERRER !== ''

&& (!isset($_SERVER['HTTP_REFERER']) || strpos(strtoupper($_SERVER['HTTP_REFERER']),strtoupper(ALLOWED_REFERRER)) === false)

) {

  die("Internal server error. Please contact system administrator.");

}

 

// Make sure program execution doesn't time out

// Set maximum script execution time in seconds (0 means no limit)

set_time_limit(0);

 

if (!isset($_GET['f']) || empty($_GET['f'])) {

  die("Please specify file name for download.");

}

 

// Nullbyte hack fix

if (strpos($_GET['f'], "\0") !== FALSE) die('');

 

// Get real file name.

// Remove any path info to avoid hacking by adding relative path, etc.

$fname = basename($_GET['f']);

 

// Check if the file exists

// Check in subfolders too

function find_file ($dirname, $fname, &$file_path) {

  $dir = opendir("http://www.mysite.com/uploader/users/uname/uploads/iamge.png");

 

  while ($file = readdir($dir)) {

    if (empty($file_path) && $file != '.' && $file != '..') {

      if (is_dir($dirname.'/'.$file)) {

        find_file($dirname.'/'.$file, $fname, $file_path);

      }

      else {

        if (file_exists($dirname.'/'.$fname)) {

          $file_path = $dirname.'/'.$fname;

          return;

        }

      }

    }

  }

 

} // find_file

 

// get full file path (including subfolders)

$file_path = '';

find_file(BASE_DIR, $fname, $file_path);

 

 

 

// file size in bytes

$fsize = filesize($file_path);

 

// file extension

$fext = strtolower(substr(strrchr($fname,"."),1));

 

// check if allowed extension

if (!array_key_exists($fext, $allowed_ext)) {

  die("Not allowed file type.");

}

 

// get mime type

if ($allowed_ext[$fext] == '') {

  $mtype = '';

  // mime type is not set, get from server settings

  if (function_exists('mime_content_type')) {

    $mtype = mime_content_type($file_path);

  }

  else if (function_exists('finfo_file')) {

    $finfo = finfo_open(FILEINFO_MIME); // return mime type

    $mtype = finfo_file($finfo, $file_path);

    finfo_close($finfo); 

  }

  if ($mtype == '') {

    $mtype = "application/force-download";

  }

}

else {

  // get mime type defined by admin

  $mtype = $allowed_ext[$fext];

}

 

// Browser will try to save file with this filename, regardless original filename.

// You can override it if needed.

 

if (!isset($_GET['fc']) || empty($_GET['fc'])) {

  $asfname = $fname;

}

else {

  // remove some bad chars

  $asfname = str_replace(array('"',"'",'\\','/'), '', $_GET['fc']);

  if ($asfname === '') $asfname = 'NoName';

}

 

// set headers

header("Pragma: public");

header("Expires: 0");

header("Cache-Control: must-revalidate, post-check=0, pre-check=0");

header("Cache-Control: public");

header("Content-Description: File Transfer");

header("Content-Type: $mtype");

header("Content-Disposition: attachment; filename=\"$asfname\"");

header("Content-Transfer-Encoding: binary");

header("Content-Length: " . $fsize);

 

// download

// @readfile($file_path);

$file = @fopen($dir,"rb");

if ($file) {

  while(!feof($file)) {

    print(fread($file, 1024*8));

    flush();

    if (connection_status()!=0) {

      @fclose($file);

      die();

    }

  }

  @fclose($file);

}

 

// log downloads

if (!LOG_DOWNLOADS) die();

 

$f = @fopen(LOG_FILE, 'a+');

if ($f) {

  @fputs($f, date("m.d.Y g:ia")."  ".$_SERVER['REMOTE_ADDR']."  ".$fname."\n");

  @fclose($f);

}

 

?>

2)

3) errors:

Warning: opendir(users/uname/uploads/iamge.png) [function.opendir]: failed to open dir: Not a directory in /homepages/45/d222365928/htdocs/uploader/download.php on line 98

 

Warning: readdir(): supplied argument is not a valid Directory resource in /homepages/45/d222365928/htdocs/uploader/download.php on line 100

 

Warning: Cannot modify header information - headers already sent by (output started at /homepages/45/d222365928/htdocs/uploader/download.php:98) in /homepages/45/d222365928/htdocs/uploader/download.php on line 167

 

Warning: Cannot modify header information - headers already sent by (output started at /homepages/45/d222365928/htdocs/uploader/download.php:98) in /homepages/45/d222365928/htdocs/uploader/download.php on line 168

 

Warning: Cannot modify header information - headers already sent by (output started at /homepages/45/d222365928/htdocs/uploader/download.php:98) in /homepages/45/d222365928/htdocs/uploader/download.php on line 169

 

Warning: Cannot modify header information - headers already sent by (output started at /homepages/45/d222365928/htdocs/uploader/download.php:98) in /homepages/45/d222365928/htdocs/uploader/download.php on line 170

 

Warning: Cannot modify header information - headers already sent by (output started at /homepages/45/d222365928/htdocs/uploader/download.php:98) in /homepages/45/d222365928/htdocs/uploader/download.php on line 171

 

Warning: Cannot modify header information - headers already sent by (output started at /homepages/45/d222365928/htdocs/uploader/download.php:98) in /homepages/45/d222365928/htdocs/uploader/download.php on line 172

 

Warning: Cannot modify header information - headers already sent by (output started at /homepages/htdocs/uploader/download.php:98) in /homepages/45/d222365928/htdocs/uploader/download.php on line 173

 

Warning: Cannot modify header information - headers already sent by (output started at /homepages/htdocs/uploader/uploader/download.php:98) in /homepages/45/d222365928/htdocs/uploader/download.php on line 174

 

Warning: Cannot modify header information - headers already sent by (output started at /homepages/htdocs/uploader/uploader/download.php:98) in /homepages/45/d222365928/htdocs/uploader/download.php on line 175

Notice: Undefined variable: dir in /homepages/45/d222365928/htdocs/uploader/download.php on line 179

4) i remove all of the @'s, such as in: "@fclose($file);"?what are they used for?

Link to comment
https://forums.phpfreaks.com/topic/241429-file-download/#findComment-1245627
Share on other sites

Warning: opendir(users/uname/uploads/iamge.png) [function.opendir]: failed to open dir: Not a directory in /homepages/45/d222365928/htdocs/uploader/download.php on line 98

Warning: readdir(): supplied argument is not a valid Directory resource in /homepages/45/d222365928/htdocs/uploader/download.php on line 100

Notice: Undefined variable: dir in /homepages/45/d222365928/htdocs/uploader/download.php on line 179

Those are the errors you need to fix. You can ignore the "cannot modify header information" messages.

Link to comment
https://forums.phpfreaks.com/topic/241429-file-download/#findComment-1245754
Share on other sites

  • 2 weeks later...

for the first error message, i have this code:

 

$dir = opendir("http://www.mysite.com/uploader/users/user/uploads/iamge.png");

 

i used the exact address of the site.  yet, i get:

 

Warning: opendir(http://www.mysite.com/uploader/users/user/uploads/iamge.png) [function.opendir]: failed to open dir: not implemented in /homepages/45/d222365928/htdocs/uploader/download.php on line 98

 

it should be able to open it... but what does "not implemented in..." mean?

Link to comment
https://forums.phpfreaks.com/topic/241429-file-download/#findComment-1251333
Share on other sites

opendir expects the path to the directory that is to be opened. Directories are accessed using the operating system. You are trying to use a URL and in fact you are specifying a URL to an image - iamge.png. Even if you could use a URL with opendir, giving it the URL to an image is not what opendir is used for.

Link to comment
https://forums.phpfreaks.com/topic/241429-file-download/#findComment-1251347
Share on other sites

that sounds dangerous, letting people access your hard drive.

Well then you best take down your website before anybody else accesses it! :D

 

If you're smart and careful with the paths then you'll be okay. Validation and sanitization are your friends.

Link to comment
https://forums.phpfreaks.com/topic/241429-file-download/#findComment-1251374
Share on other sites

PHP running on the server cannot access files on your computer. That's why you have to upload them. I was pointing out that anytime someone accesses your website they're accessing something on the hard drive.

 

Person uploads file. Server receives file and PHP automatically puts it into a temporary place. Script checks the file, makes sure it's acceptable, and (if so) moves it to its final destination.

Link to comment
https://forums.phpfreaks.com/topic/241429-file-download/#findComment-1254421
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.