  1. #1

    Automatically Save Files

    I have a site that pulls information from a database, and for one of the links I want the user to download a file once they click on it. I can't seem to pass the file name to the download PHP file.

    The link for the files is <a href='download_file.php?fname=document_name.pdf'>

    In the download_file.php file I have the following code, but it is not picking up the variable:

    $fname = $_GET['fname'];

    header('Content-disposition: attachment; filename={$fname}');
    header('Content-type: application/pdf');
    readfile('{$fname}');

  • #2
    Fou-Lu
    Neither the readfile nor the content-disposition will parse correctly. Single quoted strings are literal strings in PHP and all content within them is treated as literal strings.
    PHP Code:
    if (isset($_GET['fname']))
    {
        header('Content-type: application/pdf');
        header('Content-disposition: attachment; filename="' . $_GET['fname'] . '"');
        // $_GET['fname'] is used unchecked here; see the warning that follows.
        readfile($_GET['fname']);
    }

    Now, this is *extremely* insecure. Nothing stops the user from reading any file off of the machine that this user account has access to. So you'll want to replace any characters that are illegal within the filename, in particular, the / character. Then what you can do is you can resolve the path, take the dirname off of it, and compare it to where you want to serve from. This process can be kludged together:
    PHP Code:
    // realpath() resolves ".." and symlinks, and returns false if the file does not exist.
    $sRequestedPath = realpath($_GET['fname']);
    if (dirname($sRequestedPath) == '/path/to/allowed/location')
    {
        // now you can process.
    }

    PHP Code:
    header('HTTP/1.1 420 Enhance Your Calm'); 
    Been gone for a few months, and haven't programmed in that long of a time. Meh, I'll wing it ;)

  • Users who have thanked Fou-Lu for this post:

    chellert (02-05-2013)
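
The check described in post #2, written out as a complete download_file.php. This is an added example, not code from the thread: `DOWNLOAD_DIR` and `resolveDownload()` are assumed names, the directory is the placeholder path from the post, and limiting downloads to `.pdf` is an assumption taken from the Content-type header.

```php
<?php
// Added example: DOWNLOAD_DIR and resolveDownload() are assumed names.
const DOWNLOAD_DIR = '/path/to/allowed/location'; // placeholder path from post #2

/**
 * Map a user-supplied name to a real file directly inside $baseDir, or return null.
 */
function resolveDownload(string $requested, string $baseDir): ?string
{
    // Reject empty names, NUL bytes and anything that is not a bare file name.
    if ($requested === '' || strpos($requested, "\0") !== false
        || $requested !== basename($requested)) {
        return null;
    }
    // Only serve the type the Content-Type header promises (assumption: PDFs only).
    if (strtolower(pathinfo($requested, PATHINFO_EXTENSION)) !== 'pdf') {
        return null;
    }
    // realpath() resolves ".." and symlinks and returns false for missing files.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // After resolution the file must still sit directly in the allowed directory.
    return dirname($path) === $base ? $path : null;
}

$name = $_GET['fname'] ?? '';
$path = resolveDownload(is_string($name) ? $name : '', DOWNLOAD_DIR);
if ($path === null) {
    // Same response for "missing" and "not allowed", so nothing leaks about the disk.
    http_response_code(404);
    exit('File not found.');
}

// Keep only safe characters in the name echoed into the header (no quotes, CR or LF).
$safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
header('Content-Type: application/pdf');
header('Content-Disposition: attachment; filename="' . $safeName . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Because the name is joined onto the base directory before `realpath()` runs, the result does not depend on the script's working directory, and a symlink inside the folder that points elsewhere is rejected by the `dirname()` comparison.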

  • #3
    Thank you so much for that, it worked.

