Download

Rod
Hi,

I have a script that downloads any file to the user according to the
parameters.
I call the script like this:
download.php?file=xxx/myfile.doc&file_short=myfile.doc

My script is working fine except with N4.7
It opens the download box, but the name is download.php instead of
myfile.doc
I found the same bug with N7 on the Net. The workaround is to call the
script with "/" :
download.php/?file=xxx/myfile.doc&file_short=myfile.doc

It solves the problem with N7, but with N4.7, the only difference is with
the name. Now it is :
download_php.htm

If I specify the content type related to the file, it works fine. But I
can't do that because the file type can be anything.
It can be a Word, Excel or PDF file, etc.
Do you have any idea or a script to automatically set the content-type
according to the file extension ?

here is my script:
Header("Content-Type: application/octet-stream");
Header("Content-Length: ".filesize($_GET['file']));
Header("Content-Disposition: attachment; filename=".$_GET['file_short']);
readfile($_GET['file']);

Many thanks and sorry for this bad English

Rod

Jul 16 '05 #1
3 Replies


On Tue, 16 Sep 2003 11:37:40 +0200 in
<message-id:bk**********@home.itg.ti.com>
"Rod" <to**@toto.com> wrote:
> Hi,
>
> I have a script that downloads any file to the user according to the
> parameters.
> I call the script like this:
> download.php?file=xxx/myfile.doc&file_short=myfile.doc

[ snip ]

> here is my script:
> Header("Content-Type: application/octet-stream");
> Header("Content-Length: ".filesize($_GET['file']));
> Header("Content-Disposition: attachment; filename=".$_GET['file_short']);
> readfile($_GET['file']);
>
> Many thanks and sorry for this bad English
>
> Rod

Don't know what the problem is, but have you not thought about
security!?!?
download.php?file=/etc/passwd&file_short=passwd

Regards,

Ian

--
Ian.H [Design & Development]
digiServ Network - Web solutions
www.digiserv.net | irc.digiserv.net | forum.digiserv.net
Programming, Web design, development & hosting.
Jul 16 '05 #2

Rod
Hi,

Thank you for your answer.
Actually, I found the problem.
The real filenames contain spaces, so you need to use the URLENCODE function
before calling the download.php script.
Otherwise, the $GET function returns an empty string when trying to get the
parameters. (only with N4.7)

Regarding the security, you're right!
Actually, what I did is an application that browses a specific directory with
all its sub-directories.
When the user clicks on a file within a directory, it is downloaded.
I think I should check that there are no ".." characters in the filename to
be sure the file is in a sub-directory of the main directory.
Do you think it is enough?
Any idea?
Thanks again

Rod
Jul 16 '05 #3

On Tue, 16 Sep 2003 14:03:34 +0200 in
<message-id:bk**********@home.itg.ti.com>
"Rod" <to**@toto.com> wrote:
> Hi,
>
> Thank you for your answer.
> Actually, I found the problem.
> The real filenames contain spaces, so you need to use the URLENCODE
> function before calling the download.php script.
> Otherwise, the $GET function returns an empty string when trying to
> get the parameters. (only with N4.7)

Ahh interesting Rod, but it makes sense. I personally try and avoid
files with spaces like the plague, and use a _ (underscore) instead
(file_name.txt etc).. although this might not be an option for you
(depending on the nature of your site).


> Regarding the security, you're right!
> Actually, what I did is an application that browses a specific
> directory with all its sub-directories.
> When the user clicks on a file within a directory, it is downloaded.
> I think I should check that there are no ".." characters in the
> filename to be sure the file is in a sub-directory of the main
> directory. Do you think it is enough?
> Any idea?
> Thanks again

Are you the admin of the server Rod? If so, it might be worth thinking
about the safemode and open_basedir options in php.ini which will help
you define what dirs a script can access. You need to define an
"absolute base" somewhere safe.. even if it's a directory like:
'/foo/repository'. Let them browse 'til their heart's content, but don't
let them out of it. Again, this might not be a possibility, I really
don't know the nature of your script or what kind of filesystem access
you're giving people or what they need.

Checking for '.' and '..' are important.. something like:
if (substr($file, 0, 1) != '.' && substr($file, 0, 2) != '..') {
    /* display non . | .. directories and non dotfiles (.htaccess) */
}
Assumptions made here with $file for demo purposes, but this is how I
at least start with scripts that read directory contents.

I'm writing a filemanager for a Web control panel app I'm coding, this
will be defined as the user's Webroot dir as the base
(/home/someone/html). They'll be able to browse any files / dirs within
there (including dotfiles as they'll own them) but they won't be able to
access '/home/someone' for example. This prevents them "leaking" around
the rest of the file system too.

</2p_worth>

Regards,

Ian

--
Ian.H [Design & Development]
digiServ Network - Web solutions
www.digiserv.net | irc.digiserv.net | forum.digiserv.net
Programming, Web design, development & hosting.
Jul 16 '05 #4
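
Added example, not code from any poster in this thread: one way to confine download.php to an "absolute base" directory. A test for ".." in the parameter would still let through the absolute path quoted in reply #2, so the check below is made on the canonical path instead. BASE_DIR and the function names resolve_download() and send_download() are assumptions chosen for illustration.

```php
<?php
// Added example. BASE_DIR is an assumed path (borrowed from the reply above).
const BASE_DIR = '/foo/repository';

// Hypothetical helper: map a requested relative path to a real file under
// $baseDir. Returns the canonical path, or null if the request is rejected.
function resolve_download(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || strpos($requested, "\0") !== false) {
        return null;
    }
    // Always join onto the base, so "/etc/passwd" becomes "<base>//etc/passwd".
    // realpath() then resolves "..", "." and symlinks to the true location.
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Compare canonical paths with a trailing separator, so that
    // "/foo/repository-old" is not accepted as inside "/foo/repository".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Hypothetical helper: send the file as an attachment.
function send_download(string $path): void
{
    // Name comes from the resolved file, not a second request parameter;
    // anything outside a conservative character set is replaced, which also
    // keeps quotes and line breaks out of the header.
    $name = preg_replace('/[^A-Za-z0-9._ -]/', '_', basename($path));
    header('Content-Type: application/octet-stream');
    header('Content-Length: ' . filesize($path));
    header('Content-Disposition: attachment; filename="' . $name . '"');
    readfile($path);
}

// Serve a request only when run under a web SAPI, so the helpers can be
// included and exercised from the command line without side effects.
if (PHP_SAPI !== 'cli') {
    $file = $_GET['file'] ?? '';
    $path = is_string($file) ? resolve_download(BASE_DIR, $file) : null;
    if ($path === null) {
        http_response_code(404);
        exit;
    }
    send_download($path);
}
```

Setting open_basedir to the same directory adds a second barrier if the check is ever bypassed; safe_mode was removed in PHP 5.4 and is not available on current versions.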