Automatic File Download

by **chellert** » Mon Feb 04, 2013 5:07 pm

Hello

I have a site that pulls information from a Database and one of the links I want to have the user download a file once they click on the link. I can't seem to pass the file name to the download php file.

the link for the files is <a href='download_file.php?fname=document_name.pdf'>

in the download_file.php file I have the following code, but it is not picking up the variable:

$fname = $_GET['fname'];

header('Content-disposition: attachment; filename={$fname}');
header('Content-type: application/pdf');
readfile('{$fname}');

by **seandisanti** » Thu Feb 07, 2013 1:09 pm

so you want your site to send your visitor whatever file they urlencode into a GET variable? I really hope you see how dangerous an idea that is...

by **chellert** » Tue Feb 12, 2013 5:39 am

explain why this is dangerous

by **seandisanti** » Wed Feb 13, 2013 12:47 pm

http://yourhost/download_file.php?fname=../../.htaccess

http://yourhost/download_file.php?fname ... d_file.php

http://yourhost/download_file.php?fname ... tabase.php

etc. you may not have things in those locations, but hopefully you get the point.

***edit***

Just think of what an intelligent person could gain access to if they were able to see the server side php of one page on your site. they could get a peek at your directory structures based on your includes, probably some credentials by examining those includes, and maybe even your whole database.

Automatic File Download

Automatic File Download

Re: Automatic File Download

Re: Automatic File Download

Re: Automatic File Download

Who is online