Automatic File Download

Post by chellert » Mon Feb 04, 2013 5:07 pm

Hello

I have a site that pulls information from a database, and for one of the links I want the user to download a file once they click on it. I can't seem to pass the file name to the download PHP file.

The link for the files is <a href='download_file.php?fname=document_name.pdf'>

In the download_file.php file I have the following code, but it is not picking up the variable:

$fname = $_GET['fname'];

header('Content-disposition: attachment; filename={$fname}');
header('Content-type: application/pdf');
readfile('{$fname}');

Post by seandisanti » Thu Feb 07, 2013 1:09 pm

So you want your site to send your visitor whatever file they urlencode into a GET variable? I really hope you see how dangerous an idea that is...

Post by chellert » Tue Feb 12, 2013 5:39 am

Explain why this is dangerous.

Post by seandisanti » Wed Feb 13, 2013 12:47 pm

http://yourhost/download_file.php?fname=../../.htaccess

http://yourhost/download_file.php?fname ... d_file.php

http://yourhost/download_file.php?fname ... tabase.php

etc. You may not have things in those locations, but hopefully you get the point.

***edit***

Just think of what an intelligent person could gain access to if they were able to see the server-side PHP of one page on your site. They could get a peek at your directory structures based on your includes, probably some credentials by examining those includes, and maybe even your whole database.
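
A hardened form of the download handler discussed in this thread, added here as an example; it is not code from either poster. The `downloads` directory, the `DOWNLOAD_DIR` constant and the `resolve_download()` function are assumptions made for illustration.

```php
<?php
// Added example: hardened download_file.php. DOWNLOAD_DIR and
// resolve_download() are hypothetical names, not taken from the thread.
declare(strict_types=1);

const DOWNLOAD_DIR = __DIR__ . '/downloads'; // assumption: holds only servable PDFs

/** Map a user-supplied name to a real file inside $baseDir, or return null. */
function resolve_download(string $requested, string $baseDir): ?string
{
    // basename() drops any directory part: "../../.htaccess" becomes ".htaccess".
    $name = basename($requested);

    // Allow-list plain PDF names; this also rejects dotfiles and .php sources.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]*\.pdf\z/', $name)) {
        return null;
    }

    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name); // false if missing
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }

    // realpath() follows symlinks, so re-check that the result is still under $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

$raw  = $_GET['fname'] ?? '';
$path = is_string($raw) ? resolve_download($raw, DOWNLOAD_DIR) : null;
if ($path === null) {
    http_response_code(404); // same answer for "missing" and "not allowed"
    exit('File not found');
}

// Headers are built by concatenation: PHP does not expand {$fname} inside
// single quotes. basename($raw) passed the allow-list above, so it cannot
// contain quotes or line breaks.
header('Content-Type: application/pdf');
header('Content-Disposition: attachment; filename="' . basename($raw) . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```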

