How to make php files download rather than execute?

[andre1990]

Hey guys,

 

im starting out on my php journey with a small question.

 

I have a small uploading site and i want to allow php uploads. Once uploaded, you get a direct upload link, and i want the file to download, rather than execute.

 

How can this be done?

 

Thanks!

[cunoodle2]

Can you re-name the files ".php.txt" and then just tell the user they need to rename them upon download?

That or zip them up?

If the file has a .php extension your server will treat them that way and execute them as apposed to allowing the actual file to be downloaded.

 

I'd also suggest trying to get the user's email address and simply emailing the file (as an attachment) to the user.  This would allow the actual .php file to be mailed out and also allow you to capture user data.

[jcbones]

Have you tried using the readfile() function?  I don't think it would be parse, but I could be wrong.

[andre1990]

Hi guys, before i continue. Im not very good at all really with php, still learning. This is my currently upload.php file. Would you mind just running your eyes over it for security? Im currently using .htaccess codes to block php execution...the script as it stands seems to allow .php.jpeg being uploaded, but not .jpg.php.

 

<?php
ob_start();

session_start();

$extensions = array("jpg", "png","jpeg", "gif", "zip", "rar", "swf", "tiff", "bmp", "txt", "fla", "7z", "tar", "gz", "iso", "dmg", "mp3", "wav", "m4a", "aac", "doc", "docx", "xls", "rtf", "ppt", "bsd", "exe", "psd", "c4d", "pdf", "dwg", "max", "ipa", "vtf", "iam", "ipt", "flv", "scr");
$maxsize = 104288000;
$server = "http://www.andre1990.com";

$name = $_FILES['file']['name'];
$temp = $_FILES['file']['tmp_name'];
$size = $_FILES['file']['size'];

$random = md5(uniqid(rand(), true));
$random = substr($random, 0, 20);

if (!$name || !$temp || !$size)
{
   header("Location: index.php?feedback=Please select a file.");
   exit();
}

foreach ($_FILES as $file)
{
if ($file['tmp_name'] != null) 
{
$thisext1=explode(".", strtolower($file['name']));
$thisext=$thisext1[count($thisext1)-1];
  if (!in_array($thisext, $extensions))
  {
       header(sprintf("Location: index.php?feedback=The file extension \"%s\" is not allowed.", $thisext));
       exit();
  }
}
}

if ($size > $maxsize)
{
   header("Location: index.php?feedback=The file size is too large.");
   exit();
}

$destination = "Uploads/".$random;
mkdir($destination);
move_uploaded_file($temp, $destination."/".$name);

$final = $server."/".$destination."/".$name;

?>

<?php ob_start(); ?>

<!DOCTYPE html>
<html>
<head>
<title>File Uploaded!</title>
<link rel="stylesheet" href="style.css" type="text/css">
<link REL="SHORTCUT ICON" HREF="images/favicon.ico">
</head>
<body>
<div id="topbar">
	<div class="content">
		<div class="logo"><img src="images/logo.png" height="90"/></div>
	</div>
</div>
<div id="navbar">
	<ul>
		<li><a href="http://www.andre1990.com" id="active">Uploaded! Back Home?</a></li>
		<li><a href="http://www.andre1990.com/tos.php">TOS</a></li>
		<li><a href="http://www.andre1990.com/faq.php">FAQ</a></li>
		<li><a href="http://www.andre1990.com/contact.php">Contact Us</a></li>
		<li><a href="http://www.andre1990.com/donate.php">Donate</a></li>
	</ul>
</span>
</center>
<div id="main"><center>
     <div id="side1"><br><BR><BR>
<br /><strong>Uploaded!</strong><br />       
        <span class="small">
        <br />
        Direct download/view:<br />
        <input type="text" size="28" onClick=select() value="<?php echo $final; ?>" READONLY><p />
        Forum Code download/view:<br /><br />
        <input type="text" size="38" onClick=select() value="[url]<?php echo $final; ?>[/url]" READONLY><p />
        <a href="index.php">Upload another file?</a>
        </span>	
			<div class="clear"></div></center>
		</div></CENTER>
<br><center><span class="small">© andre1990.</span></center>
<center><a href="http://www.facebook.com/pages/andre1990/186225441417890"><img src="images/facebook.ico"></a></center>
	</div>
	</div>
	<div class="clear"></div>
</div>
</body>
<html>