PHP Force Download of PDF, JPEG Tutorial


6 replies to this topic

#1 signature16


Posted 12 October 2006 - 01:39 PM

I have tried following both of these tutorials:

http://www.sometricks.com/2006/04/23/downl...the-web-browser

http://www.codeless....hread.php?t=591



When I set them up, they both work using Mozilla Firefox, but when I try to download files using that script in Internet Explorer, it just downloads the php file instead?!

Can somebody help me out?


download.php
<?php
// Type, leave this unchanged
header('Content-type: application/force-download');

// What the file will be called if downloaded
$file=$_GET["file"];
if(file_exists($file)){
header('Content-Disposition: attachment; filename="'.$file.'"');

// The file source...
readfile($file);
}
?>

part of page.php
<td width="50%"><a href="pages/articles/download.php?file=doc/how_stress_can_lead_to_pain.doc">Word</a></td>
<td width="50%"><a href="pages/articles/download.php?file=pdf/how_stress_can_lead_to_pain.pdf">PDF</a></td>


Here is how my directory is setup:

index.php
>pages
>>articles
>>>pdf
>>>doc

Index.php pulls files in the pages directory according to a query. I don't know if that affects it at all.

I didn't get a reply on my last post, so hopefully I won't have to spend two weeks reading 1/2 of the internet to find the answer. :)

#2 Demonslay


Posted 12 October 2006 - 05:24 PM

Try moving the first header bit into the if block. Makes sense to me. :(

#3 cheerio


Posted 12 October 2006 - 06:03 PM

somebody can hack that

#4 Hayden


Posted 12 October 2006 - 11:49 PM

Here's the one that I use on my site and an example can be found here:

http://www.spatialvisionary.com/2006/06/06...eresting-email/

the 'Download Audio' link

switch ($_GET["media"]) {
	case "pdf": $ctype="application/pdf"; DEFINE("_FOLDER_","/docs/"); break;
	case "zip": $ctype="application/zip"; break;
	case "doc": $ctype="application/msword"; DEFINE("_FOLDER_","/docs/"); break;
	case "xls": $ctype="application/vnd.ms-excel"; DEFINE("_FOLDER_","/docs/"); break;
	case "ppt": $ctype="application/vnd.ms-powerpoint"; DEFINE("_FOLDER_","/docs/"); break;
	case "gif": $ctype="image/gif"; DEFINE("_FOLDER_","/images/"); break;
	case "png": $ctype="image/png"; DEFINE("_FOLDER_","/images/"); break;
	case "jpe":
	case "jpg":
	case "jpeg": $ctype="image/jpg"; DEFINE("_FOLDER_","/images/"); break;
	case "wmv": $ctype = "video/x-ms-wmv"; DEFINE("_FOLDER_","/media/"); break;
	case "mp3": $ctype = "audio/mpeg"; DEFINE("_FOLDER_","/media/"); break;
	case "mpg": $ctype = "video/mpeg"; DEFINE("_FOLDER_","/media/"); break;
	default: $ctype="application/force-download";
}
$file = _FOLDER_.$_GET['file'];
$fileurl = "http://".$_SERVER["HTTP_HOST"].$file;
if (file_exists($file)) {
	header("Pragma: public"); 
	header("Expires: 0"); 
	header("Cache-Control: must-revalidate, post-check=0, pre-check=0"); 
	header("Cache-Control: private",false); 
	header("Content-Type: $ctype"); 
	header("Content-Disposition: attachment; filename=\"".basename($file)."\";"); 
	header("Content-Transfer-Encoding: binary"); 
	header("Content-Length: ".@filesize($file)); 
	set_time_limit(0); 
	@readfile("$file") or die("File not found."); 
	exit;
}
else { die("Filename ".$_GET['file']." Not Found!"); }

EDIT: Added the if statement to check if the file even exists. :P

Edited by SpatialVisionary, 12 October 2006 - 11:57 PM.


#5 cheerio


Posted 14 October 2006 - 02:17 PM

Because you are using $_GET['file'] for your file name, somebody can put 'index.php' as their filename and download your index file or other important files.

#6 signature16


Posted 14 October 2006 - 02:27 PM

I tried this one too and it didn't work with IE.

http://www.dannyison...ceddownload.php


SpatialVisionary: The audio file won't download, can you explain how to use the script?

#7 Hayden


Posted 15 October 2006 - 02:29 AM

signature16, on Oct 14 2006, 02:27 PM, said:

I tried this one too and it didn't work with IE.

http://www.dannyison...ceddownload.php


SpatialVisionary: The audio file won't download, can you explain how to use the script?


http://www.spatialvisionary.com/download.p...estilltrust.wmv


That's how I'm using it on my site. The media has to be one of the 3 letter codes in the case statement and the file is........well.....the filename


Sorry about the script not working. When I started looking at the code again I decided to add a couple of lines to check if the file even exists first before attempting to download. :)

edit: Thanks to rc69, I found a nasty exploit in the previous script.

here's the updated code:
<?php
define("_ROOT_", $_SERVER['DOCUMENT_ROOT']);
$media = trim(htmlspecialchars($_GET["media"] ?? ""));
// Each allowed media code maps to a content type and a fixed folder
switch ($media) {
	case "pdf": $ctype="application/pdf"; define("_FOLDER_","/docs/"); define("DOWNLOAD", true); break;
	case "zip": $ctype="application/zip"; define("_FOLDER_","/zips/"); define("DOWNLOAD", true); break;
	case "doc": $ctype="application/msword"; define("_FOLDER_","/docs/"); define("DOWNLOAD", true); break;
	case "xls": $ctype="application/vnd.ms-excel"; define("_FOLDER_","/docs/"); define("DOWNLOAD", true); break;
	case "ppt": $ctype="application/vnd.ms-powerpoint"; define("_FOLDER_","/docs/"); define("DOWNLOAD", true); break;
	case "gif": $ctype="image/gif"; define("_FOLDER_","/images/"); define("DOWNLOAD", true); break;
	case "png": $ctype="image/png"; define("_FOLDER_","/images/"); define("DOWNLOAD", true); break;
	case "jpe":
	case "jpg":
	case "jpeg": $ctype="image/jpeg"; define("_FOLDER_","/images/"); define("DOWNLOAD", true); break;
	case "wmv": $ctype = "video/x-ms-wmv"; define("_FOLDER_","/media/"); define("DOWNLOAD", true); break;
	case "mp3": $ctype = "audio/mpeg"; define("_FOLDER_","/media/"); define("DOWNLOAD", true); break;
	case "mpg": $ctype = "video/mpeg"; define("_FOLDER_","/media/"); define("DOWNLOAD", true); break;
	// Unknown media code: stop here, because _FOLDER_ was never defined
	default: ?><p style="font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10px; font-weight: bold; color: #ff0000; ">Invalid file type or filename.</p><?php exit;
}
// basename() strips any directory part from the requested name
$file = _ROOT_._FOLDER_.basename($_GET['file'] ?? "");
if (file_exists($file) && defined("DOWNLOAD")) {
	// The extension after the last dot must match the media code
	$ext = pathinfo($file, PATHINFO_EXTENSION);
	if($media == $ext) {
		header("Pragma: public");
		header("Expires: 0");
		header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
		header("Cache-Control: private",false);
		header("Content-Type: $ctype");
		header("Content-Disposition: attachment; filename=\"".basename($file)."\";");
		header("Content-Transfer-Encoding: binary");
		header("Content-Length: ".@filesize($file));
		set_time_limit(0);
		@readfile($file) or die("File not found.");
		exit;
	}
	else { ?><p style="font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10px; font-weight: bold; color: #ff0000; ">Invalid file type or filename.</p><?php }
}
else { die("Filename '".basename($file)."' Not Found!"); }
?>

Edited by SpatialVisionary, 16 October 2006 - 02:00 PM.
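
The concern raised in post #5, as an added example (not code from any poster in this thread): a version of the download.php from post #1 that still accepts the pdf/ and doc/ subdirectories in the file parameter, but only serves allow-listed extensions that resolve to a path inside the script's own directory. The name resolve_download, the ALLOWED_TYPES table and the use of __DIR__ as the base directory are assumptions of this example.

```php
<?php
// Added example: hardened take on the download.php from post #1.
// Assumption: the script sits in pages/articles/ next to pdf/ and doc/.
const ALLOWED_TYPES = [
    'pdf' => 'application/pdf',
    'doc' => 'application/msword',
];

/**
 * Map a user-supplied relative name to a file inside $baseDir.
 * Returns [absolutePath, contentType], or null when the request is rejected.
 */
function resolve_download(string $baseDir, string $requested): ?array
{
    // Empty names and embedded NUL bytes are never valid file names.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // Extension allow-list: index.php, .htaccess and the like are never served.
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return null;
    }
    // realpath() resolves "../" sequences and symlinks; false means "does not exist".
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // The resolved path must still start with the base directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return [$path, ALLOWED_TYPES[$ext]];
}

$hit = resolve_download(__DIR__, $_GET['file'] ?? '');
if ($hit === null) {
    http_response_code(404);
    exit('File not found.');
}
[$path, $ctype] = $hit;
header('Content-Type: ' . $ctype);
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

With this check, file=doc/how_stress_can_lead_to_pain.doc is served, while file=download.php and file=../../index.php both end in the 404 branch.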





