PHPBuilder - Download-Forcer



by: abigail
July 9, 2003

Version: 1.3

Type: Sample Code (HOWTO)

Category: File Management

License: GNU General Public License

Description: Forces a script to download attached file with attached filename!!

<?php
/*
  * download.php
  * -- modified by Abbie
  * This PHP script sends a file in such a way that most web clients
  * will offer to download the file to the client computer. It uses
  * the Content-Disposition header extension to RFC2616
  * (see
  * to suggest the web client should download the file. This is
  * implemented on most (but not all) web clients. I have tested it
  * on Mozilla, Netscape 4.78 and 6.21, Internet Explorer 5.5, lynx,
  * Konqueror and Opera. It works fully on all.
  * Usage: download.php?filename=name_of_file.extension
  * Examples: to download the SPSS file data.sav from index.html
  * where download.php, index.html and data.sav are all in the
  * same directory, put a link in index.html of the form
  * <a href="download.php?filename=data.sav">Download SPSS data file</a>.
  * You can use paths in the filename, as in
  * <a href="download.php?filename=../include/data.sav">Download data</a>.
  * You can specialise the code by putting a line of the form
  * $filename="data.sav";
  * immediately after this comment. This will allow you to send
  * exactly one file for download, viz data.sav.
  * Only one variable, $filename, is not defined by default. In
  * principle, you can send the name of the file to download
  * through a POST request (e.g. on a form button). I haven't
  * tested this.
  * Restrictions: by default you can't download files with the
  * extensions html, phtml, htm, phtm, inc, php or php3. This is to
  * avoid potential security problems. For example, it is possible
  * to use a PHP file to hide sensitive data such as the password
  * to connect to an SQL server. If we allowed this script to offer
  * php scripts for download, then a client request of the form
  * http://../download.php?filename=sensitive.php could show the raw php file.
  * Security issues: see the comments under Restrictions above. If
  * in doubt, define $filename immediately after this comment and
  * use a separate script for each downloadable file. I've tried
  * using header( "Location: ... " ) to retrieve the file. It doesn't
  * work on a solaris server, but does work on gnu/linux.
  */

// register_globals was removed in PHP 5.4: read the parameter (GET or
// POST) explicitly unless $filename was fixed above.
if( !isset( $filename ) ){
  $filename = isset( $_REQUEST['filename'] ) ? (string) $_REQUEST['filename'] : '';
}
$shortname = basename( $filename );

// eregi() was removed in PHP 7; preg_match() with the /i flag is the
// equivalent. The patterns match anywhere in the path, not only in the
// extension.
if( file_exists( $filename )                   // sanity check
    && !preg_match( "/p?html?/i", $filename )  // security check
    && !preg_match( "/inc/i", $filename )
    && !preg_match( "/php3?/i", $filename ) ){
  $size = filesize( $filename );
  header("Content-Type: application/save");
  // Quote the suggested name so that names containing spaces survive
  header("Content-Disposition: attachment; filename=\"" . str_replace( '"', '', $shortname ) . "\"");
  $fh = readfile("$filename"); // I use this instead of fopen because when fopen is used, it only reads 1KB of data
} else {
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Download Error</title>
 <style type="text/css">
   body {background-image:url(include/background.gif);}
   a:hover {text-decoration:none; border-width:thin; border-style:dotted;
            background-color:#f2f2ff; color:#000000}
   a:focus {text-decoration:none; background-color:#dadae6; color:#000000}
   a:active {text-decoration:none; background-color:#ffffff; color:#000000}
 </style>
</head>
<body>
<!-- the requested name is user input, so escape it before printing -->
<h1>File <?php print( htmlspecialchars( $shortname, ENT_QUOTES, 'UTF-8' ) ) ?> not available</h1>
<p>
  Either the file you requested does not exist or you are not permitted to
  download it using this page.
</p>
</body>
</html>
<?php
}
?>
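
The checks in download.php reject names containing html, inc or php, but they do not confine the request to a directory, so any other file the web server can read is still served. The following is an added example, not part of the original script: it resolves the request with realpath(), requires the result to stay inside one download directory, and allowlists extensions. DOWNLOAD_DIR, ALLOWED_EXT and resolve_download() are hypothetical names chosen for the illustration.

```php
<?php
// Added example, not the original author's code. The directory and the
// extension allowlist below are assumptions made for illustration.
const DOWNLOAD_DIR = __DIR__ . '/downloads';        // hypothetical directory
const ALLOWED_EXT  = ['sav', 'csv', 'pdf', 'zip'];  // hypothetical allowlist

/**
 * Resolve a requested name to a regular file inside $baseDir.
 * Returns the canonical path, or null if the request must be refused.
 */
function resolve_download(string $requested, string $baseDir = DOWNLOAD_DIR): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "..", symlinks and duplicate slashes, and
    // returns false when the target does not exist.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // Containment: the canonical path must still begin with the base directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    // Allowlist on the real extension instead of a substring denylist.
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXT, true) ? $path : null;
}

$path = resolve_download((string) ($_GET['filename'] ?? ''));
if ($path === null) {
    // Same answer for "missing" and "not permitted", and no echo of user input.
    http_response_code(404);
    header('Content-Type: text/plain; charset=utf-8');
    exit("File not available\n");
}

// Restrict the suggested name to a conservative character set.
$name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="' . $name . '"');
readfile($path);
```

Subdirectories of the download directory still work with this check; a request that resolves outside it, through ".." or a symlink, gets the same 404 as a missing file.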
