ansaurus

Question

Answer 1

+3 A:

Im gonna bite ...

The PHP script ensures the file is not accessible from the outside, and only on a per-request basis with possible authentication. When you see:

download.php?file=sdjasdk.exe

The download script looks a bit like:

<?php
    if( $_SESSION['auth'] == TRUE){
        $file = fileopen($whatever);
        echo "mimetype crap"
        //spit out file
    }else{
        echo "not authorized bozo"
    }
?>

DOne.

Aiden Bell 2009-05-26 15:55:12

you would probably send the "mimetype crap" in the response header with header() rather than echo

Tom Haigh 2009-05-26 15:56:53

Just an example ... read as "code your own"

Aiden Bell 2009-05-26 16:01:21

Answer 2

+2 A:

I think he is on about simple $_GET requests >.<

<?php

$file = $_GET['file'];

if (file_exists($file)) {
   header('Content-Type: application/octet-stream');
   echo file_get_contents($file);
}

?>

Ofcourse this is a very basic example with no security at all. Its not reccomended for you to use this in production without upping security on it.

Ozzy 2009-05-26 15:59:28

Use readfile() instead of file_get_contents() - it's much more efficient in this sort of situation.

ceejayoz 2009-05-26 16:01:43

To further explain what ozzy means when he points out that their are security issues with this script, consider what would happen when $_GET['file'] = '/etc/passwd' or '../../../../../../etc/passwd', etc. For these reasons, you probably want to do something like $file = '/my/downloads/dir/' . basename($_GET['file']);

Frank Farmer 2009-05-26 17:44:27

ansaurus

tags:

views:

answers:

The whole index.php?=<filename>.exe

related questions