File download module works for .ZIP/.TXT but .EXE are always corrupted...

I wrote a file download module for my website. The reason for the
file download module is that my website downloads work on a credit
based system. So I need to keep track of and limit daily downloads.

It uses fpassthru() and some headers() to send a file to the
requesting user. The get.php file that I wrote (the file download
module if you will) works like a charm for .ZIP files and .TXT files.
However, when .EXE files are downloaded they are always corrupt. The
problem exists in both MSIE and Mozilla.

Someone suggested that I have too much code in my get.php file. I
thought this was strange but I tested it nonetheless. It turns out
when I had my get.php file with just the minimal code it worked fine
for all file types: .zip, .txt, .exe.

So I have two options:
1) Use a very very simple get.php with just the necessary
header() and fpassthru() code. This means I need another "buddy
file" that will perform the credit checking, accessing the database
etc. If I use this method I need a way to secure the get.php so that
not just not anyone can call the get.php, but they have to go through
the credit checking. This seems that it would again end up making
the get.php file bloated.

2) Maybe something is wrong with my "bloated" get.php and that is
why .EXE are being corrupted. It seems strange that .ZIP and .TXT
would work fine but .EXE are not. This would definitely be the
easier of the two options I believe, if it possible.

I have had people tell me that:

"You can't have excess code in a file download module"

"It doesnt matter how many code is in the file download module"

So who is correct I ask, and how can I remedy my problem?

Thanks,
Brandon
//THE MINIMAL GET.PHP THAT WORKS LIKE A CHARM FOR ALL FILETYPES:
<?
if (strlen($HTTP_GET_VARS[sub]) > 0)
$path = "../Archive/" . $HTTP_GET_VARS[cat] . "/" .
$HTTP_GET_VARS[sub] . "/" . $HTTP_GET_VARS[file];
else
$path = "../Archive/" . $HTTP_GET_VARS[cat] . "/" .
$HTTP_GET_VARS[file];

header("Pragma: ");
header("Cache-Control: ");
header("Content-type: application/octet-stream");
header("Content-Disposition: filename=\"$HTTP_GET_VARS[file]\"");
header("Content-Length: " . filesize($path));
header ("Connection: close");
//header("Content-Transfer-Encoding: binary\n");
$fp=fopen($path,"rb");
fpassthru($fp);

//THE FILE "BLOATED" GET.PHP:

<?

if (strlen($HTTP_GET_VARS[sub]) > 0)
$path = "../Archive/" . $HTTP_GET_VARS[cat] . "/" .
$HTTP_GET_VARS[sub] . "/" . $HTTP_GET_VARS[file];
else
$path = "../Archive/" . $HTTP_GET_VARS[cat] . "/" .
$HTTP_GET_VARS[file];

header("Pragma: ");
header("Cache-Control: ");
header("Content-type: application/octet-stream");
header("Content-Disposition: filename=\"$HTTP_GET_VARS[file]\"");
header("Content-Length: " . filesize($path));
header ("Connection: close");
//header("Content-Transfer-Encoding: binary\n");

require("config.php");

$result = mysql_query("SELECT credit FROM $db_users WHERE username =
'$HTTP_COOKIE_VARS[username]' AND password =
'$HTTP_COOKIE_VARS[password]'", $db);
$myrow = mysql_fetch_assoc($result);
$credit = $myrow[credit];

if ($credit > 0) {
$credit--;
$result = mysql_query("UPDATE $db_users SET credit = '$credit' WHERE
username = '$HTTP_COOKIE_VARS[username]'", $db);

$result = mysql_query("SELECT downloads FROM $db_files WHERE
file_name = '$HTTP_GET_VARS[file]' AND cat = '$HTTP_GET_VARS[cat]'",
$db); $myrow = mysql_fetch_assoc($result);
$downloads = $myrow[downloads];
$downloads++;
$result = mysql_query("UPDATE $db_files SET downloads =
'$downloads' WHERE file_name = '$HTTP_GET_VARS[file]' AND cat =
'$HTTP_GET_VARS[cat]'", $db);

//readfile(FilePath($HTTP_GET_VARS[cat], $HTTP_GET_VARS[sub],
$HTTP_GET_VARS[file]));
$fp=fopen($path,"rb");
fpassthru($fp);
}else {
echo "Sorry, you do not have access or enough credit for this
download."; }

I wrote a file download module for my website. The reason for the file
download module is that my website downloads work on a credit based system.
So I need to keep track of and limit daily downloads.

It uses fpassthru() and some headers() to send a file to the requesting
user. The get.php file that I wrote (the file download module if you will)
works like a charm for .ZIP files and .TXT files. However, when .EXE files
are downloaded they are always corrupt. The problem exists in both MSIE and
Mozilla.

Someone suggested that I have too much code in my get.php file. I thought
this was strange but I tested it nonetheless. It turns out when I had my
get.php file with just the minimal code it worked fine for all file types:
.zip, .txt, .exe.

So I have two options:
1) Use a very very simple get.php with just the necessary header() and
fpassthru() code. This means I need another "buddy file" that will perform
the credit checking, accessing the database etc. If I use this method I
need a way to secure the get.php so that not just not anyone can call the
get.php, but they have to go through the credit checking. This seems that
it would again end up making the get.php file bloated.

2) Maybe something is wrong with my "bloated" get.php and that is why
.EXE are being corrupted. It seems strange that .ZIP and .TXT would work
fine but .EXE are not. This would definitely be the easier of the two
options I believe, if it possible.

I have had people tell me that:

"You can't have excess code in a file download module"

"It doesnt matter how many code is in the file download module"

So who is correct I ask, and how can I remedy my problem?

Thanks,
Brandon

//THE MINIMAL GET.PHP THAT WORKS LIKE A CHARM FOR ALL FILETYPES:
<?
if (strlen($HTTP_GET_VARS[sub]) > 0)
$path = "../Archive/" . $HTTP_GET_VARS[cat] . "/" . $HTTP_GET_VARS[sub] .
"/" . $HTTP_GET_VARS[file];
else
$path = "../Archive/" . $HTTP_GET_VARS[cat] . "/" . $HTTP_GET_VARS[file];

header("Pragma: ");
header("Cache-Control: ");
header("Content-type: application/octet-stream");
header("Content-Disposition: filename=\"$HTTP_GET_VARS[file]\"");
header("Content-Length: " . filesize($path));
header ("Connection: close");
//header("Content-Transfer-Encoding: binary\n");
$fp=fopen($path,"rb");
fpassthru($fp);
?>

//THE FILE "BLOATED" GET.PHP:

<?

if (strlen($HTTP_GET_VARS[sub]) > 0)
$path = "../Archive/" . $HTTP_GET_VARS[cat] . "/" . $HTTP_GET_VARS[sub] .
"/" . $HTTP_GET_VARS[file];
else
$path = "../Archive/" . $HTTP_GET_VARS[cat] . "/" . $HTTP_GET_VARS[file];

header("Pragma: ");
header("Cache-Control: ");
header("Content-type: application/octet-stream");
header("Content-Disposition: filename=\"$HTTP_GET_VARS[file]\"");
header("Content-Length: " . filesize($path));
header ("Connection: close");
//header("Content-Transfer-Encoding: binary\n");

require("config.php");

$result = mysql_query("SELECT credit FROM $db_users WHERE username =
'$HTTP_COOKIE_VARS[username]' AND password = '$HTTP_COOKIE_VARS[password]'",
$db);
$myrow = mysql_fetch_assoc($result);
$credit = $myrow[credit];

if ($credit > 0) {
$credit--;
$result = mysql_query("UPDATE $db_users SET credit = '$credit' WHERE
username = '$HTTP_COOKIE_VARS[username]'", $db);

$result = mysql_query("SELECT downloads FROM $db_files WHERE file_name =
'$HTTP_GET_VARS[file]' AND cat = '$HTTP_GET_VARS[cat]'", $db);
$myrow = mysql_fetch_assoc($result);
$downloads = $myrow[downloads];
$downloads++;
$result = mysql_query("UPDATE $db_files SET downloads = '$downloads' WHERE
file_name = '$HTTP_GET_VARS[file]' AND cat = '$HTTP_GET_VARS[cat]'", $db);

//readfile(FilePath($HTTP_GET_VARS[cat], $HTTP_GET_VARS[sub],
$HTTP_GET_VARS[file]));
$fp=fopen($path,"rb");
fpassthru($fp);
}else {
echo "Sorry, you do not have access or enough credit for this download.";
}
?>

A few guesses. you require config.php in the bloated version - make sure
there is no whitespace before the <?php or after the ?> in config.php (e.g. spaces, newlines etc, as these will be sent as a part of the file, which you definitely do not want.) Two: your "Sorry, you do not have access or enough credit for this download" will likely never show up in the browser, but will rather be offered as binary data... not at all desirable (you have already
sent the headers at this point...)

A few guesses. you require config.php in the bloated version - make sure
there is no whitespace before the <?php or after the ?> in config.php (e.g. spaces, newlines etc, as these will be sent as a part of the file, which you definitely do not want.) Two: your "Sorry, you do not have access or enough credit for this download" will likely never show up in the browser, but will rather be offered as binary data... not at all desirable (you have already
sent the headers at this point...)

I wrote a file download module for my website. The reason for the file
download module is that my website downloads work on a credit based system. So I need to keep track of and limit daily downloads.

It uses fpassthru() and some headers() to send a file to the requesting
user. The get.php file that I wrote (the file download module if you will) works like a charm for .ZIP files and .TXT files. However, when .EXE files are downloaded they are always corrupt. The problem exists in both MSIE and Mozilla.

Someone suggested that I have too much code in my get.php file. I thought
this was strange but I tested it nonetheless. It turns out when I had my
get.php file with just the minimal code it worked fine for all file types:
.zip, .txt, .exe.

So I have two options:
1) Use a very very simple get.php with just the necessary header() and
fpassthru() code. This means I need another "buddy file" that will perform the credit checking, accessing the database etc. If I use this method I
need a way to secure the get.php so that not just not anyone can call the
get.php, but they have to go through the credit checking. This seems that
it would again end up making the get.php file bloated.

2) Maybe something is wrong with my "bloated" get.php and that is why
.EXE are being corrupted. It seems strange that .ZIP and .TXT would work
fine but .EXE are not. This would definitely be the easier of the two
options I believe, if it possible.

I have had people tell me that:

"You can't have excess code in a file download module"

"It doesnt matter how many code is in the file download module"

So who is correct I ask, and how can I remedy my problem?

Thanks,
Brandon
//THE MINIMAL GET.PHP THAT WORKS LIKE A CHARM FOR ALL FILETYPES:
<?
if (strlen($HTTP_GET_VARS[sub]) > 0)
$path = "../Archive/" . $HTTP_GET_VARS[cat] . "/" . $HTTP_GET_VARS[sub] .. "/" . $HTTP_GET_VARS[file];
else
$path = "../Archive/" . $HTTP_GET_VARS[cat] . "/" . $HTTP_GET_VARS[file];
header("Pragma: ");
header("Cache-Control: ");
header("Content-type: application/octet-stream");
header("Content-Disposition: filename=\"$HTTP_GET_VARS[file]\"");
header("Content-Length: " . filesize($path));
header ("Connection: close");
//header("Content-Transfer-Encoding: binary\n");
$fp=fopen($path,"rb");
fpassthru($fp);
?>


//THE FILE "BLOATED" GET.PHP:

<?

if (strlen($HTTP_GET_VARS[sub]) > 0)
$path = "../Archive/" . $HTTP_GET_VARS[cat] . "/" . $HTTP_GET_VARS[sub] .. "/" . $HTTP_GET_VARS[file];
else
$path = "../Archive/" . $HTTP_GET_VARS[cat] . "/" . $HTTP_GET_VARS[file];
header("Pragma: ");
header("Cache-Control: ");
header("Content-type: application/octet-stream");
header("Content-Disposition: filename=\"$HTTP_GET_VARS[file]\"");
header("Content-Length: " . filesize($path));
header ("Connection: close");
//header("Content-Transfer-Encoding: binary\n");

require("config.php");

$result = mysql_query("SELECT credit FROM $db_users WHERE username =
'$HTTP_COOKIE_VARS[username]' AND password = '$HTTP_COOKIE_VARS[password]'", $db);
$myrow = mysql_fetch_assoc($result);
$credit = $myrow[credit];

if ($credit > 0) {
$credit--;
$result = mysql_query("UPDATE $db_users SET credit = '$credit' WHERE
username = '$HTTP_COOKIE_VARS[username]'", $db);

$result = mysql_query("SELECT downloads FROM $db_files WHERE file_name =
'$HTTP_GET_VARS[file]' AND cat = '$HTTP_GET_VARS[cat]'", $db);
$myrow = mysql_fetch_assoc($result);
$downloads = $myrow[downloads];
$downloads++;
$result = mysql_query("UPDATE $db_files SET downloads = '$downloads' WHERE file_name = '$HTTP_GET_VARS[file]' AND cat = '$HTTP_GET_VARS[cat]'", $db);

//readfile(FilePath($HTTP_GET_VARS[cat], $HTTP_GET_VARS[sub],
$HTTP_GET_VARS[file]));
$fp=fopen($path,"rb");
fpassthru($fp);
}else {
echo "Sorry, you do not have access or enough credit for this download."; }
?>