advanced code snippet search

Posted By

luman on 07/03/06


Tagged

file download


Versions (?)

Who likes this?

176 people have marked this snippet as a favorite

alvaroisorna
mate
jano
sendoa
damarev
vaaaska
demods
clapfouine
frankyfish
Phoenix
jbo
bitcrumb
fael
vali29
sbbath
benrasmusen
ganu
celoria
sp1r1t
ds
Steffen82
JimiJay
DFCNT
Morgano
cristianciofu
SpinZ
wbowers
Nils
hellion
adamsimms
zeljkoprsa
ibomb
Arzakon
srpsco
mrjthethird
tonic
panatlantica
blackabee
JustinCrossman
boguzz
aristoworks
vilebender
shan
hans
ahjo
irishsk
joaosalless
iconsis
ascarion
philiph
baqc
fruehjahr
LostCore
Nix
silverskymedia
nerdsane
sarfraznawaz2005
PapTom
tewoos
owais
hamiltonmascioli
ikimozu
spittingangels
nb109
Hollow
marcustrapp
exentrich
muoto
marnold2000
GrillPhil
rene-design
brandonio21
isocele
Gr33d
DASKAjA
Blacksnipe
sultano
mattnews
palimadra
kellyrmartin
gutierrezgcf
digitaldrew
ren
ksantoshp
konpao
bigredjoe
nefd
quoctien82
webtronix
franverona
eivind
jrobinsonc
4rp70x1n
tapdrup
leecsargent
alexteg
limenet
galofre
kaartz
yves
tschloss
htl
IvoTrompert
laurentzziu
osirisinternet
lanqy
jetm
ahmedalttai
wireplay
pchengsf
bmayzure
francesL
miceno
koteus
mogwi
widgetyegg
seanpowell
bobbym245
jrgodoi
boetech
MrFjords
nbehier
dext
geoffreydv
bindaskhan2004hotmailcom
lifewishes
sherlack
martins
iBlackbirdi
claudiowebdesign
stamba
spaceploitator
greguarr
tspitzr
aegony
garthhumphreys
Mralvarez
Desoxena
she4www
michellebracken
summer_charlie
intothelight
mdjamal
qubestream
deadlyhappy
lfcortes
Gordy
robertstefan
dajocko
merritt212
Ideandro
vaxxis
nerdfiles
shalomfriss
skywalker
ubezpieczenia
dixon
sbcjr
pelted
mohamadfikri
bionsuba
tomenjr
mmcachran
kijtra
gearedtech
surekin
HomoLogicus
White
webod92
lcrt
clac
clacwebstudio
chk040399
erikgeerling
ajcarrillo
3polars


Download file

 / Published in: PHP
 
Expand | Embed | Plain Text 
  1. <?php
  2.  
  3. $filename = $_GET['filename'];
  4.  
  5. // Modify this line to indicate the location of the files you want people to be able to download
  6. // This path must not contain a trailing slash.  ie.  /temp/files/download
  7. $download_path = "ficheros/";
  8.  
  9. // Make sure we can't download files above the current directory location.
  10. if(eregi("\.\.", $filename)) die("I'm sorry, you may not download that file.");
  11. $file = str_replace("..", "", $filename);
  12.  
  13. // Make sure we can't download .ht control files.
  14. if(eregi("\.ht.+", $filename)) die("I'm sorry, you may not download that file.");
  15.  
  16. // Combine the download path and the filename to create the full path to the file.
  17. $file = "$download_path$file";
  18.  
  19. // Test to ensure that the file exists.
  20. if(!file_exists($file)) die("I'm sorry, the file doesn't seem to exist.");
  21.  
  22. // Extract the type of file which will be sent to the browser as a header
  23. $type = filetype($file);
  24.  
  25. // Get a date and timestamp
  26. $today = date("F j, Y, g:i a");
  27. $time = time();
  28.  
  29. // Send file headers
  30. header("Content-type: $type");
  31. header("Content-Disposition: attachment;filename=$filename");
  32. header("Content-Transfer-Encoding: binary");
  33. header('Pragma: no-cache');
  34. header('Expires: 0');
  35. // Send the file contents.
  36. set_time_limit(0);
  37. readfile($file);
  38.  
  39. ?>

Report this snippet  

Comments

RSS Icon Subscribe to comments
Posted By: koncept on April 22, 2008

Hey there. Just noticed that the script is killed on line 10 if '..' is detected in the filename string. As such, line #11's overhead is redundant — the condition will not be met.

Posted By: NotIan on July 16, 2008

Since ereg is being phased out for PHP6 you should use preg_match, and you should be checking it on a per path chunk basis, ie:

$targetArray = explode('/',$filename); foreach($targetArray as $key => $value){ if(preg_match('/^(..|.ht).*/',$value){ die('File Path Invalid'); } }

What if i have a file in: ficheros/images/picture.htc.jpg or ficheros/filename..doc?

Also if you are not subdirectorying you could just use basename($filename) and be done with it

Posted By: NotIan on July 16, 2008

Since ereg is being phased out for PHP6 you should use preg_match, and you should be checking it on a per path chunk basis, ie:

$targetArray = explode('/',$filename); foreach($targetArray as $key => $value){ if(preg_match('/^(..|.ht).*/',$value){ die('File Path Invalid'); } }

What if i have a file in: ficheros/images/picture.htc.jpg or ficheros/filename..doc?

Also if you are not subdirectorying you could just use basename($filename) and be done with it

Posted By: smartlogo on August 19, 2008

lastly i fine it thanks

Posted By: zoranmk on October 27, 2010

Why, don't you check the CodeIgniter download helper it has logic if we are dealing with Internet Explorer or other browser and it's probably more tested than this code. The function name is force_download

Posted By: finalwebsites on April 28, 2011

Nice snippet but you should replace the function "eregi()"

from the PHP manual: This function has been DEPRECATED as of PHP 5.3.0. Relying on this feature is highly discouraged.

You need to login to post a comment.