Hello
I have a site that pulls information from a Database and one of the links I want to have the user download a file once they click on the link. I can't seem to pass the file name to the download php file.
the link for the files is <a href='download_file.php?fname=document_name.pdf'>
in the download_file.php file I have the following code, but it is not picking up the variable:
$fname = $_GET['fname'];
header('Content-disposition: attachment; filename={$fname}');
header('Content-type: application/pdf');
readfile('{$fname}');
Automatic File Download
Moderators: egami, macek, gesf
-
- php-forum Fan User
- Posts: 973
- Joined: Mon Oct 01, 2012 12:32 pm
so you want your site to send your visitor whatever file they urlencode into a GET variable? I really hope you see how dangerous an idea that is...
-
- php-forum Fan User
- Posts: 973
- Joined: Mon Oct 01, 2012 12:32 pm
http://yourhost/download_file.php?fname=../../.htaccess
http://yourhost/download_file.php?fname ... d_file.php
http://yourhost/download_file.php?fname ... tabase.php
etc. you may not have things in those locations, but hopefully you get the point.
***edit***
Just think of what an intelligent person could gain access to if they were able to see the server side php of one page on your site. they could get a peek at your directory structures based on your includes, probably some credentials by examining those includes, and maybe even your whole database.
http://yourhost/download_file.php?fname ... d_file.php
http://yourhost/download_file.php?fname ... tabase.php
etc. you may not have things in those locations, but hopefully you get the point.
***edit***
Just think of what an intelligent person could gain access to if they were able to see the server side php of one page on your site. they could get a peek at your directory structures based on your includes, probably some credentials by examining those includes, and maybe even your whole database.