Automatic File Download

chellert · Postby **chellert** » Mon Feb 04, 2013 5:07 pm

Hello

I have a site that pulls information from a Database and one of the links I want to have the user download a file once they click on the link. I can't seem to pass the file name to the download php file.

the link for the files is <a href='download_file.php?fname=document_name.pdf'>

in the download_file.php file I have the following code, but it is not picking up the variable:

$fname = $_GET['fname'];

header('Content-disposition: attachment; filename={$fname}');
header('Content-type: application/pdf');
readfile('{$fname}');

seandisanti · Postby **seandisanti** » Thu Feb 07, 2013 1:09 pm

so you want your site to send your visitor whatever file they urlencode into a GET variable? I really hope you see how dangerous an idea that is...

chellert · Postby **chellert** » Tue Feb 12, 2013 5:39 am

explain why this is dangerous

seandisanti · Postby **seandisanti** » Wed Feb 13, 2013 12:47 pm

http://yourhost/download_file.php?fname=../../.htaccess

http://yourhost/download_file.php?fname ... d_file.php

http://yourhost/download_file.php?fname ... tabase.php

etc. you may not have things in those locations, but hopefully you get the point.

***edit***

Just think of what an intelligent person could gain access to if they were able to see the server side php of one page on your site. they could get a peek at your directory structures based on your includes, probably some credentials by examining those includes, and maybe even your whole database.

PHP forum, your PHP coding community

Automatic File Download

Automatic File Download

Re: Automatic File Download

Re: Automatic File Download

Re: Automatic File Download

Who is online