
Thread: force to download a file

  1. #1
    Join Date
    May 2005
    Location
    Hawaii
    Posts
    52
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default force to download a file

    This is my code and it works, but it only downloads like 20 sec. of the MP3 file. What is wrong?
    PHP Code:
    <?php

    // force to download a file
    $file = "http://localhost/test/".$_GET['file']."";

    header("Pragma: public");
    header("Expires: 0");
    header("Cache-Control: must-revalidate, post-check=0, pre-check=0");

    header("Content-Type: application/force-download");
    header("Content-Disposition: attachment; filename=".basename($file));

    header("Content-Description: File Transfer");
    @readfile($file);

    ?>
    EDIT: FOUND ALTERNATE CODE, PLEASE DON'T REPLY
    Last edited by dead-poetic; 11-18-2005 at 01:46 AM.

  2. #2
    Join Date
    Aug 2005
    Location
    Other Side of My Monitor
    Posts
    3,486
    Thanks
    5
    Thanked 105 Times in 104 Posts
    Blog Entries
    1

    Default

    AHHHHH!! Would you mind posting the code you found? or a link to it?? I am having the exact same problem, and I can't find another code that will download the full item!!!
    {CWoT - Riddle } {OSTU - Psycho} {Invasion - Team}
    Follow Me on Twitter: @Negative_Chaos
    PHP Code:
    $result = mysql_query("SELECT finger FROM hand WHERE id=3");
    echo $result;

  3. #3
    Join Date
    May 2005
    Location
    Hawaii
    Posts
    52
    Thanks
    0
    Thanked 0 Times in 0 Posts

  4. #4
    Join Date
    Dec 2004
    Location
    UK
    Posts
    2,358
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default

    Quote Originally Posted by dead-poetic
    Do not use that code under any circumstances. It introduces a security hole into your site by allowing a user to download any file that your server has permission to read. That includes returning PHP source code (and any secrets contained therein).

    The best way to solve this problem is to educate your users. Tell them to "Right-click and select 'Save As...'.", or similar. It's simply not possible to 'force' a download in all cases, especially because IE doesn't implement HTTP properly (extraordinary behaviour for a browser!).

    Mike

  5. #5
    Join Date
    Aug 2005
    Location
    Other Side of My Monitor
    Posts
    3,486
    Thanks
    5
    Thanked 105 Times in 104 Posts
    Blog Entries
    1

    Default

    EEEK! That is scary! BUT...

    couldn't you put something like:

    Code:
    $path = $HTTP_GET_VARS['filename'];
    $path = str_replace('/', '', $path);
    $path = str_replace('\\', '', $path);
    $path = "c:/archive/".$path;
    as this would eliminate the slashes, and thus only allowed downloads of files in the specified folder???? Then if all you had in that folder was an index and the file you wanted downloaded... would that work?

  6. #6
    Join Date
    Jun 2005
    Location
    英国
    Posts
    11,878
    Thanks
    1
    Thanked 180 Times in 172 Posts
    Blog Entries
    2

    Default

    As the page says...
    If you expose this in a URL you are essentially posting a large sign titled "Hack me!"

    What to do? Use literal values to represent your files that you would access, thus a value of "1" would represent the file xyz.pdf, a value of "2" would represent the file abc.mp3, and so on. Thus the only DOWNLOADABLE files are those specifically HARD-CODED in your script.
    You would want to add in checks here, either "hard-coded" values as mentioned above, or only files starting with, for example, "dlable_". Also, you need to remove all instances of "./" and "../" from the file path.
    Twey | I understand English | 日本語が分かります | mi jimpe fi le jbobau | mi esperanton komprenas | je comprends français | entiendo español | tôi ít hiểu tiếng Việt | ich verstehe ein bisschen Deutsch | beware XHTML | common coding mistakes | tutorials | various stuff | argh PHP!
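
The hard-coded mapping described in post #6, written out as an added example that is not part of the original thread. The `id` parameter, the file paths and the function names are assumptions for illustration.

```php
<?php
// Added example: download.php?id=2
// The client only ever sends a key, never a file name or a path.

// Hard-coded allowlist: key => [path on disk, MIME type].
// These paths are assumptions; adjust them to your own layout.
const DOWNLOADS = [
    '1' => ['/var/www/files/xyz.pdf', 'application/pdf'],
    '2' => ['/var/www/files/abc.mp3', 'audio/mpeg'],
];

// Return the allowlist entry for a request value, or null if it is unknown.
function lookup_download($id): ?array
{
    // Reject arrays (?id[]=1) and anything that is not an exact known key.
    if (!is_string($id) || !array_key_exists($id, DOWNLOADS)) {
        return null;
    }
    return DOWNLOADS[$id];
}

// Stream one allowlisted file as an attachment.
function send_download(array $entry): void
{
    [$path, $type] = $entry;
    if (!is_file($path) || !is_readable($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . $type);
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}

if (PHP_SAPI !== 'cli') {
    $entry = lookup_download($_GET['id'] ?? null);
    if ($entry === null) {
        http_response_code(404);
        exit('No such download.');
    }
    send_download($entry);
}
```

Because the request value is only used as an array key, nothing the client sends ever reaches the filesystem functions.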

  7. #7
    Join Date
    Dec 2004
    Location
    UK
    Posts
    2,358
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default

    Quote Originally Posted by BLiZZaRD
    BUT...

    couldn't you [...] eliminate the slashes, and thus only allowed downloads of files in the specified folder????
    There's more than one way in which that code could be secured, but it still doesn't address the fact that it isn't reliable.

    If you have a directory full of files that are meant for downloading, it's simpler to use a .htaccess file:

    Code:
    <Files *.jpeg>
      ForceType application/octet-stream
      Header set Content-Disposition attachment
    </Files>
    This would prompt a download dialogue box for files ending in .jpeg in that directory (and deeper directories) in the majority of cases. Reminding users to use the 'Save as...' item in their context menu should take care of the rest.

    You can use the FilesMatch directive to alter the headers for more than one file type, or remove the Files directive completely if all files in the same (or deeper) directory as the .htaccess file should be downloaded (that is, a dedicated downloads directory).

    Mike

  8. #8
    Join Date
    Aug 2006
    Posts
    130
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default

    Hmm, how do you get this .htaccess to work? I don't have any .htaccess file on my server; do I just have to create a .htaccess and type in:
    "<Files *.jpeg>
    ForceType application/octet-stream
    Header set Content-Disposition attachment
    </Files>"
    in the file and then upload it to my server? And what should the .htaccess file be named?
    I want people to be able to force download one special type of files.

    Sorry for all the probably stupid questions, but one week ago I didn't even know how to create anything.
    Last edited by Dennis_Gull; 08-20-2006 at 12:52 PM.

  9. #9
    Join Date
    Sep 2005
    Posts
    882
    Thanks
    0
    Thanked 3 Times in 3 Posts

    Default

    Your server has to be Apache and has to allow you access to .htaccess. The file is simply named .htaccess

  10. #10
    Join Date
    Aug 2006
    Posts
    130
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default

    Okay, is there any other safe way to make stuff get force download from just one folder or one type of files?
    There should be some code you could write in a download.php file and still be safe.. I've seen a lot of big sites use it.
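
One way to limit a `download.php` to a single folder and a single file type, as asked in post #10. This is an added example, not code from the thread; `DOWNLOAD_DIR`, `ALLOWED_EXT`, the `file` parameter and `resolve_download()` are assumptions for illustration.

```php
<?php
// Added example: download.php?file=song.mp3
// Assumed settings: one dedicated directory, one permitted extension.
const DOWNLOAD_DIR = '/var/www/downloads';
const ALLOWED_EXT  = ['mp3'];

// Return the real path of a permitted file, or null if the request is refused.
function resolve_download(string $baseDir, $name, array $allowedExt): ?string
{
    if (!is_string($name) || $name === '') {
        return null;
    }
    // Plain file names only: no separators, no leading dot, no control bytes.
    if (!preg_match('/\A[A-Za-z0-9_-][A-Za-z0-9._-]*\z/', $name)) {
        return null;
    }
    // Extension allowlist, compared case-insensitively.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }
    // Resolve symlinks and relative parts, then confirm the result
    // still sits directly inside the download directory.
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $real === false) {
        return null;
    }
    if (dirname($real) !== $base || !is_file($real)) {
        return null;
    }
    return $real;
}

if (PHP_SAPI !== 'cli') {
    $path = resolve_download(DOWNLOAD_DIR, $_GET['file'] ?? null, ALLOWED_EXT);
    if ($path === null) {
        http_response_code(404);
        exit('No such download.');
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}
```

Validating the name against a strict pattern and then checking the resolved path is a stricter form of the slash-stripping idea from post #5: the check is made on where the file actually is, not on which characters were removed from the request.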
