tags:

views:

211

answers:

5
+2  Q: 

Download PHP script instead of executing it

I have a downloads directory on a website where I store a bunch of different files for people to download (zip, exe, java, php, etc). The problem is that my website is written in PHP, so the web server, Apache, tries to execute the scripts instead of letting people download them. Without having access to Apache config (I'm on shared hosting), what is the easiest way to prevent Apache from executing scripts in a single directory?

I tried using mod_mime unsuccessfully. AddType doesn't work because (I'm guessing) a MIME type is already associated with PHP scripts. ForceType doesn't work because I store different types of files in the directory. Are there any other options?

+4  A: 

You could write a separate PHP script which sends the right Content-type header and then uses readfile() to pass through the contents of the PHP file without PHP actually executing them (and since Apache already passed off the request to PHP, it no longer cares). Just make sure you restrict it to only serving things out of that directory.

Amber  2009-12-25 20:19:44
Most portable solution.
LiraNuna  2009-12-25 20:58:11
+11  A: 

If you have sufficient permissions for that, putting the following line in a .htaccess file in the directory in which you don't want PHP script to be executed might do the trick :

php_flag engine off

(Just tested on my webserver, and I got the source of a PHP script -- which had not been executed)

Pascal MARTIN  2009-12-25 20:22:24
+1 for this - assuming you have the permissions for it (which you probably do), this would likely be the ideal solution.
Amber  2009-12-25 20:24:49
+1 - this answer is clearly superior.
gahooa  2009-12-25 20:26:27
By far the easiest way to do what I need, but I may not end up using this method. Since I have some HTML in my script, browsers try render whatever they can and the result looks bad. Are there any magical means of forcing the server to also display my scripts as plain text?
MiseryIndex  2009-12-25 20:38:28
Check out http://serverfault.com/questions/82505/how-can-i-set-apache-to-serve-files-as-text
Ciarán Walsh  2009-12-25 20:54:49
@Ciarán: ForceType won't do any good because I have different types of files in a directory.
MiseryIndex  2009-12-25 21:01:09
@self: Actually, you can use the AddType directive after turning of the PHP engine. Add `AddType text/plain .php` to the following line, and everything works like a charm!
MiseryIndex  2009-12-25 21:02:57
+1  A: 

I think I have the solution for you. Check this out:

http://www.boutell.com/newfaq/creating/forcedownload.html

Basically, it says that you should have the following code in your php page:

<?php
header('Content-disposition: attachment; filename=whatever.php');
header('Content-type: text/html');
readfile('whatever.php');
?>

I made a sample here:

http://sotkra.com/test.php

This forces the 'download' file prompt where the file download is the whatever.php

Cheers

Sotkra  2009-12-25 20:24:52
+1  A: 

You should have a download gateway script, such as download.php. It should take a query string argument which lists the file that needs downloaded.

That argument should be matched against a pre-existing ARRAY of accessible files (big security point there).

Then use:

<?php
$file = trim(isset($_GET['file']) ? $_GET['file'] : '');

$allow = array(
    'foo.php' => 'text/plain',
    'foo.jpg' => 'image/jpeg',
);    

if(! isset($allow[$file]))
   die('File not found.');

header('Content-Type: ' . $allow[$file]);
readfile($file);
gahooa  2009-12-25 20:25:01
+3  A: 

I think the common solution to this is to give files the extension phps.

Pekka  2009-12-25 20:53:39
Creative, but no, I want `php` ;-)
MiseryIndex  2009-12-25 21:16:14

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases