
Posted By

luman on 07/03/06


Tagged

file download



Download file


Published in: PHP 


  1. <?php
  2.
  3. $filename = $_GET['filename'];
  4.
  5. // Modify this line to indicate the location of the files you want people to be able to download.
  6. // This path must not contain a trailing slash, e.g. /temp/files/download
  7. $download_path = "ficheros/";
  8.
  9. // Make sure we can't download files above the current directory location.
  10. if(eregi("\.\.", $filename)) die("I'm sorry, you may not download that file.");
  11. $file = str_replace("..", "", $filename);
  12.
  13. // Make sure we can't download .ht control files.
  14. if(eregi("\.ht.+", $filename)) die("I'm sorry, you may not download that file.");
  15.
  16. // Combine the download path and the filename to create the full path to the file.
  17. $file = "$download_path$file";
  18.
  19. // Test to ensure that the file exists.
  20. if(!file_exists($file)) die("I'm sorry, the file doesn't seem to exist.");
  21.
  22. // Detect the MIME type of the file, which will be sent to the browser as a header.
  23. // (filetype() only returns "file"/"dir"/"link", so it is not usable here.)
  24. $type = mime_content_type($file);
  25.
  26. // Get a date and timestamp
  27. $today = date("F j, Y, g:i a");
  28. $time = time();
  29.
  30. // Send file headers
  31. header("Content-type: $type");
  32. header("Content-Disposition: attachment;filename=$filename");
  33. header("Content-Transfer-Encoding: binary");
  34. header('Pragma: no-cache');
  35. header('Expires: 0');
  36. // Send the file contents.
  37. readfile($file);
  38.
  39. ?>


Comments

Posted By: koncept on April 22, 2008

Hey there. Just noticed that the script is killed on line 10 if '..' is detected in the filename string. As such, line #11's overhead is redundant — the condition will not be met.

Posted By: NotIan on July 16, 2008

Since ereg is being phased out for PHP6 you should use preg_match, and you should be checking it on a per-path-chunk basis, i.e.:

$targetArray = explode('/', $filename);
foreach ($targetArray as $key => $value) {
    // Dots escaped so the pattern matches literal ".." and ".ht" prefixes.
    if (preg_match('/^(\.\.|\.ht).*/', $value)) { die('File Path Invalid'); }
}

What if I have a file in ficheros/images/picture.htc.jpg or ficheros/filename..doc?

Also, if you are not subdirectorying, you could just use basename($filename) and be done with it.
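A hardened rewrite of the download handler, added here as an example and not part of the original snippet or of these comments: it keeps the per-segment rejection proposed above, but makes the final decision with a realpath() containment check, so encoded traversal, symlinks pointing outside the directory and .ht* control files are all refused. It assumes the files live in a ficheros/ directory next to the script.

```php
<?php
// Added example: hardened download handler (not the original snippet).
// Assumption: downloadable files live in ficheros/ next to this script.

function resolve_download_path(string $base_dir, string $requested): ?string
{
    $base = realpath($base_dir);
    if ($base === false) {
        return null;
    }
    // Refuse empty names, NUL bytes, absolute paths and backslash separators.
    if ($requested === '' || strpos($requested, "\0") !== false
        || $requested[0] === '/' || strpos($requested, '\\') !== false) {
        return null;
    }
    // Per-segment check: no empty segments, and nothing starting with a dot,
    // which covers ".", ".." and .htaccess/.htpasswd style control files.
    foreach (explode('/', $requested) as $segment) {
        if ($segment === '' || $segment[0] === '.') {
            return null;
        }
    }
    // realpath() collapses any remaining oddities and follows symlinks, so the
    // containment test below is made on the real on-disk location.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || !is_file($target)) {
        return null;
    }
    if (strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null; // resolved outside the download directory
    }
    return $target;
}

$file = resolve_download_path(__DIR__ . '/ficheros', $_GET['filename'] ?? '');
if ($file === null) {
    http_response_code(404);
    exit("I'm sorry, the file doesn't seem to exist.");
}

// Serve with a real MIME type, a quoted attachment name and no content sniffing.
$type = mime_content_type($file) ?: 'application/octet-stream';
header('Content-Type: ' . $type);
header('Content-Disposition: attachment; filename="' . basename($file) . '"');
header('Content-Length: ' . filesize($file));
header('X-Content-Type-Options: nosniff');
readfile($file);
```

Because the decision is taken on the resolved path rather than on the request string, the "filename..doc" and "picture.htc.jpg" cases raised in the comment are served normally as long as they sit inside ficheros/, while anything that resolves elsewhere gets a 404.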

Posted By: smartlogo on August 19, 2008

Lastly, I find it. Thanks.
