force to download a file

**dead-poetic** · 11-17-2005, 09:41 PM

This is my code and it works, but it only downloads like 20 sec. of the MP3 file. What is wrong?

PHP Code:


<?php



// force to download a file

$file = "http://localhost/test/".$_GET['file']."";



header("Pragma: public");

header("Expires: 0");

header("Cache-Control: must-revalidate, post-check=0, pre-check=0");



header("Content-Type: application/force-download");

header( "Content-Disposition: attachment; filename=".basename($file));



header( "Content-Description: File Transfer");

@readfile($file);



?>

EDIT: FOUND ALTERNET CODE, PLEASE DON'T REPLY

**BLiZZaRD** · 11-23-2005, 02:32 PM

AHHHHH!! Would you mind posting the code you found? or a link to it?? I am having the exact same problem, and I can't find another code that will download the full item!!!

**dead-poetic** · 11-23-2005, 08:37 PM

http://elouai.com/force-download.php

**mwinter** · 11-24-2005, 12:44 AM

Originally Posted by dead-poetic

http://elouai.com/force-download.php

Do not use that code under any circumstances. It introduces a security hole into your site by allowing a user to download any file that your server has permission to read. That includes returning PHP source code (and any secrets contained therein).

The best way to solve this problem is to educate your users. Tell them to "Right-click and select 'Save As...'.", or similar. It's simply not possible to 'force' a download in all cases, especially because IE doesn't implement HTTP properly (extraordinary behaviour for a browser!).

Mike

**BLiZZaRD** · 11-24-2005, 09:01 AM

EEEK! That is scary! BUT...

couldn't you put something like:

Code:

$path = $HTTP_GET_VARS['filename'];
$path = str_replace('/', '', $path);
$path = str_replace('\\', '', $path);
$path = "c:/archive/".$path;

as this would eliminate the slashes, and thus only allowed downloads of files in the specified folder???? Then if all you had in that folder was an index and the file you wanted downloaded... would that work?

**Twey** · 11-24-2005, 04:01 PM

As the page says...

If you expose this in a URL you are essentially posting a large sign titled "Hack me!"

What to do? Use literal values to represent your files that you would access, thus a value of "1" would represent the file xyz.pdf, a value of "2" would represent the file abc.mp3, and so on. Thus the only DOWNLOADABLE files are those specifically HARD-CODED in your script.

You would want to add in checks here, either "hard-coded" values as mentioned above, or only files starting with, for example, "dlable_". Also, you need to remove all instances of "./" and "../" from the file path.

**mwinter** · 11-24-2005, 05:53 PM

Originally Posted by BLiZZaRD

BUT...

couldn't you [...] eliminate the slashes, and thus only allowed downloads of files in the specified folder????

There's more than one way in which that code could be secured, but it still doesn't address the fact that it isn't reliable.

If you have a directory full of files that are meant for downloading, it's simpler to use a .htaccess file:

Code:

<Files *.jpeg>
  ForceType application/octet-stream
  Header set Content-Disposition attachment
</Files>

This would prompt a download dialogue box for files ending in .jpeg in that directory (and deeper directories) in the majority of cases. Reminding users to use the 'Save as...' item in their context menu should take care of the rest.

You can use the FilesMatch directive to alter the headers for more than one file type, or remove the Files directive completely if all files in the same (or deeper) directory as the .htaccess file should be downloaded (that is, a dedicated downloads directory).

Mike

**Dennis_Gull** · 08-20-2006, 12:40 PM

hmm how do you get this .htaccess to work?I dont have any .htaccess file on my server, do i just have to create a .htaccess and type in:
"<Files *.jpeg>
ForceType application/octet-stream
Header set Content-Disposition attachment
</Files>"
in the file and then upload it to my server? and what should the .htaccess file be named?
I want people to be able to force download one special type of files.

Sorry for all the probably stupid questions but one week ago I didnt even know how to create anything.