Automatic File Download

General discussions related to php

Moderators: egami, macek, gesf

Post Reply
chellert
New php-forum User
New php-forum User
Posts: 10
Joined: Tue Apr 20, 2010 8:54 am

Mon Feb 04, 2013 5:07 pm

Hello

I have a site that pulls information from a Database and one of the links I want to have the user download a file once they click on the link. I can't seem to pass the file name to the download php file.

the link for the files is <a href='download_file.php?fname=document_name.pdf'>

in the download_file.php file I have the following code, but it is not picking up the variable:

$fname = $_GET['fname'];

header('Content-disposition: attachment; filename={$fname}');
header('Content-type: application/pdf');
readfile('{$fname}');
Top
seandisanti
php-forum Fan User
php-forum Fan User
Posts: 973
Joined: Mon Oct 01, 2012 12:32 pm

Thu Feb 07, 2013 1:09 pm

so you want your site to send your visitor whatever file they urlencode into a GET variable? I really hope you see how dangerous an idea that is...
Top
chellert
New php-forum User
New php-forum User
Posts: 10
Joined: Tue Apr 20, 2010 8:54 am

Tue Feb 12, 2013 5:39 am

explain why this is dangerous
Top
seandisanti
php-forum Fan User
php-forum Fan User
Posts: 973
Joined: Mon Oct 01, 2012 12:32 pm

Wed Feb 13, 2013 12:47 pm

http://yourhost/download_file.php?fname=../../.htaccess

http://yourhost/download_file.php?fname ... d_file.php

http://yourhost/download_file.php?fname ... tabase.php

etc. you may not have things in those locations, but hopefully you get the point.

***edit***

Just think of what an intelligent person could gain access to if they were able to see the server side php of one page on your site. they could get a peek at your directory structures based on your includes, probably some credentials by examining those includes, and maybe even your whole database.
Top
Post Reply

Return to “PHP General”

  • Information

  • Who is online

    Users browsing this forum: No registered users and 1 guest