download page querystring

gaptrast

Member
Messages
123
Reaction score
0
Points
16
Okay, in my website you can download things...

But to save work I want to have a single page for all downloads...

like this:

example.com/download.php?d=../../files/sambamusic.exe

or:

example.com/download.php?d=sambamusic

regards
 

Brandon

Former Senior Account Rep
Community Support
Messages
19,181
Reaction score
28
Points
48
Hello,

I wrote this real quick, untested, but give it a shot; it's a step in the correct direction.

PHP:
<?php

// brandon long
// brandon@x10hosting.com

// example: ?id=filename

// get the query string
if (empty($_GET['id']))
	// die off, could be an error page too
	die("Need to specifiy a file.");

// set the directory to where the files are located
$dirOfFiles = ''; // for this example, we will say it's /home/brandon/downloads

// Set the below variable to the ext.
$fileEndExt = '.exe';

// below it will set the full path
$pathToFile = $dirOfFiles . $_GET['id'] . $fileEndExt;

// lets open the file

if ($fileOpenType = fopen($pathToFile, 'r')) {

   //get the file size
   $fileSizeInfo = filesize($pathToFile);

   // setup some variables to exit
   header("Content-type: application/octet-stream");
   header("Content-Disposition: attachment; filename=\"". $_GET['id'] . $fileEndExt ."\"");
   header("Content-length: $fileSizeInfo");

   // this outputs the file via the script
   while(!feof($fileOpenType)) {
      echo fread($fileOpenType, 2048); // read from the handle opened by fopen() above
   }

   fclose($fileOpenType);
      

} else {

 // file ain't there yo, die off
 die('No file named ' . $_GET['id'] . $fileEndExt . ' exists on the server.');

}

?>
 

misson

Community Paragon
Community Support
Messages
2,572
Reaction score
72
Points
48
Make sure you're not violating the Terms of Service by using your site for file storage.

Better close that security hole with the likes of realpath and a path prefix check.
PHP:
...
$pathToFile = realpath($dirOfFiles . $_GET['id'] . $fileEndExt);
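// realpath() returns false when the file doesn't exist; treat that as not found too
if ($pathToFile === false || substr_compare($pathToFile, $dirOfFiles, 0, strlen($dirOfFiles)) != 0) {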
    // attack; file isn't in file storage hierarchy. Return a 404 response
    header('HTTP/1.0 404 Not Found');
    include('errordoc/404.php'); // or wherever your custom 404 page is
} else {
    // file is in download folder; safe to send
    ...
}

Lastly, make sure you use the rewrite engine to hide the download script, since it isn't part of the identity of the resource.
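
The realpath-and-prefix check suggested above, worked through as an added example that is not part of any post in this thread. `DOWNLOAD_DIR`, `FILE_EXT` and `resolveDownload()` are assumed names, and the type declarations assume PHP 7.1 or later. It also allow-lists the id and compares against the folder plus a trailing separator, which goes a step beyond the snippet above.

```php
<?php
// Added example (not from the thread). DOWNLOAD_DIR, FILE_EXT and
// resolveDownload() are assumed names; adjust to your own layout.
const DOWNLOAD_DIR = '/home/brandon/downloads';
const FILE_EXT = '.exe';

// Map a user-supplied id to a real file under $baseDir, or return null.
function resolveDownload(string $baseDir, string $id, string $ext): ?string
{
    // Canonicalise the base too, so a symlinked base does not break the prefix check.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Allow-list the id: no '/', '\', '.', NUL bytes or "http://" wrappers get through.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $id)) {
        return null;
    }
    // realpath() resolves symlinks and '..', and returns false for a missing file.
    $path = realpath($base . DIRECTORY_SEPARATOR . $id . $ext);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // Compare with a trailing separator so "/downloads-old" cannot pass as "/downloads".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null; // e.g. a symlink inside the folder that points outside it
    }
    return $path;
}

$id = $_GET['id'] ?? '';
// id[]=x arrives as an array, so only strings are passed on.
$path = is_string($id) ? resolveDownload(DOWNLOAD_DIR, $id, FILE_EXT) : null;
if ($path === null) {
    // Same response for "missing" and "outside the folder": nothing to probe.
    http_response_code(404);
    exit('Not found');
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```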
 

gaptrast

Well, it did not work.

I put the script into this file: example.com/download.php and the download folder to: http://example.com/files/


I tried to download a file called kamp.exe stored in the files folder. example.com/download.php?kamp


but the die message just showed up! die("Need to specifiy a file.");
 

Brandon

It would be example.com/download.php?id=kamp
 

gaptrast

ERRORS:


Warning: filesize() [function.filesize]: stat failed for http://www.thefakevirus.com/pranks/avoid.exe in /home/gaptrast/public_html/download.php on line 27

Warning: Cannot modify header information - headers already sent by (output started at /home/gaptrast/public_html/download.php:27) in /home/gaptrast/public_html/download.php on line 30

Warning: Cannot modify header information - headers already sent by (output started at /home/gaptrast/public_html/download.php:27) in /home/gaptrast/public_html/download.php on line 31

Warning: Cannot modify header information - headers already sent by (output started at /home/gaptrast/public_html/download.php:27) in /home/gaptrast/public_html/download.php on line 32

one million of these:

Warning: fread(): supplied argument is not a valid stream resource in /home/gaptrast/public_html/download.php on line 36
 

misson

If something doesn't work the way you think, look into how it works. Filesystem functions (including the stat family) don't work with files retrieved via HTTP (or, indeed, many wrappers). Wrappers have to be based on the capabilities of the underlying transport mechanism. HTTP is a fairly simple protocol and doesn't support many filesystem concepts, such as permissions, ownership, ACLs, creation time and access time (user agents & proxies keep track of this). In any case, you shouldn't access local files via the network. It's an unnecessary waste of resources.

What is the purpose of the download script? What functionality are you missing by linking to the files directly?
 

misson

In that case, you don't need a script to read & output the file, you just need to redirect to the file. You can load the file in an iframe to download it, or use JS (or both, with the iframe in a <noscript> tag in case JS is disabled or unsupported). You should avoid a meta refresh, as it's been deprecated for various reasons.
 