t_machine Posted November 13, 2007

hi, I am wondering if anyone can help with this problem. I have a downloads page that lists media files (.mp3, .mov). The problem is that when the user clicks the link, the file opens inside their media player. How can I let the user see the "save as" dialog box instead of immediately playing the file?

Thanks for any help :)

thebadbad Posted November 13, 2007

You can have a look at the notes/comments at php.net/readfile. There's lots of 'force download' scripts.

Orio Posted November 13, 2007

Check this out: http://elouai.com/force-download.php

Works great.

Orio.

thebadbad Posted November 13, 2007

Orio, the script you linked to seems to have NO security concerning "../" paths and simple downloads of critical PHP files. Like the site mentions (but doesn't implement in the final script?!), you should always specify allowed download files, for example by serving allowed files via numbers (or different identifiers), and NOT file paths. Like serving the first specified allowed file when calling downloadscript.php?file=1 and so on.

ToonMariner Posted November 13, 2007

thebadbad - you can always put your own method for locating the file to be downloaded and do checks etc... The essential stuff is there - just modify to suit your needs.

t_machine (Author) Posted November 13, 2007

Thank you all very much for the help. The script Orio posted works perfectly but I too am worried about the security issue. My links are taken from a database so they are not included in the $_GET or $_POST method. Will this still be a security issue for my site?

Example:

..mysql query
$filename = $row['url'];

I then use that $filename for the rest of the script. Will I be fine with that setup?

Thanks

atlanta Posted November 13, 2007

Do this in a PHP file: add your code, then do

```php
<?php
// $row comes from your own MySQL query above
$filename = $row['url'];

// Send the file as an attachment so the browser shows the "save as" dialog
header('Content-Type: application/octet-stream');
// Only the file name, quoted, goes into the header (not the whole path)
header('Content-Disposition: attachment; filename="' . basename($filename) . '"');
readfile($filename);
?>
```

Orio Posted November 13, 2007

> Orio, the script you linked to seems to have NO security concerning "../" paths and simple downloads of critical PHP files. Like the site mentions (but doesn't implement in the final script?!), you should always specify allowed download files, for example by serving allowed files via numbers (or different identifiers), and NOT file paths. Like serving the first specified allowed file when calling downloadscript.php?file=1 and so on.

I've attached the link because it works great when it comes to force downloads. Obviously when I used it in the past I've changed it completely, because most of the time I had to do stuff that concerns MySQL etc. But the headers over there and all of the other settings the script is making make force downloads work with all of the browsers and many file types. That's why I think it's worth a look, and some copy-pasting.

Orio.

thebadbad Posted November 13, 2007

Orio, it wasn't my intent to sound criticizing at all, the script you posted is useful and relevant. I just wanted to make sure that t_machine knew about the security issues, in case he'd just copied and pasted the code. Who knows, he could be a newbie.

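The approach thebadbad describes (serving allowed files by number, as in downloadscript.php?file=1), written out as an added example; it is not code from any poster in this thread or from the linked script. The directory, the file names and the function names `resolve_download` and `send_download` are assumptions made for illustration, and the array stands in for the database lookup t_machine mentions.

```php
<?php
// Added example with constructed values; adjust to your own setup.
const DOWNLOAD_DIR = '/var/www/private/downloads'; // assumed path, outside the web root

// Hypothetical allow-list: public id => file name inside DOWNLOAD_DIR.
// With a database, this lookup would be a query keyed by the numeric id.
const ALLOWED_FILES = [
    1 => 'interview.mp3',
    2 => 'trailer.mov',
];

/** Return the absolute path for an allowed id, or null if the request must be refused. */
function resolve_download(string $rawId, array $allowed, string $baseDir): ?string
{
    // Digits only, so "../" sequences and file paths never reach the filesystem.
    if (!ctype_digit($rawId) || !isset($allowed[(int) $rawId])) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $allowed[(int) $rawId]);
    // realpath() resolves ".." and symlinks; the result must still sit under the
    // base directory. This also catches a stored value (e.g. a DB row) that is wrong.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($path)) {
        return null;
    }
    return $path;
}

function send_download(string $path): void
{
    // Keep only safe characters so the name cannot break the quoted header value.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}

$rawId = is_string($_GET['file'] ?? null) ? $_GET['file'] : '';
$path  = resolve_download($rawId, ALLOWED_FILES, DOWNLOAD_DIR);
if ($path === null) {
    http_response_code(404);
    exit('File not found');
}
send_download($path);
```

The containment check is what covers t_machine's case: a path read from a database row is still data, so it is verified against the download directory before `readfile()` is called.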