• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 308
  • Last Modified:

What is the safest way when coding script for downloading files from server ?

Hey guys.
im simply doing an attachments system okay ? , i want to give the user the ability to download the files.

so what is the most safe and secure script for downloading files from my server.

with the ability to gave the downloading application the size, type of the file and stuff ;)

Thanks in advance.
0
hamidelgendy
Asked:
hamidelgendy
2 Solutions
 
rationalbossCommented:
If you are using a database, use file ID instead of actual path. It would also be better if you check permissions before downloading. Answer questions like these:
-should the logged in user be able to download this file?
-does the file exist in the server?

Don't use:
download.php?filename=helloworld.doc

Instead, use:
download.php?fileid=1 (a primary key from a database)

(Again, be careful with this that you check if the user should be really allowed to login because if there is no restriction, anyone can crawl your files by incrementing the file IDs)

If you wish, you may also use a key to download the file so that only the users who were given a link should be allowed to download.
download.php?fileid=1&key=12143ajjfgjsfg

If your key is unique, then you can already drop fileid :)

Then, to send the file to the user:

header("Pragma: public"); // required
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Cache-Control: private",false); // required for certain browsers 
header("Content-Type: application/octet-stream");
header("Content-Disposition: attachment; filename=\"$title.pdf\";" );
header("Content-Transfer-Encoding: binary");
header("Content-Length: ".filesize($file));
@readfile($file);

Open in new window

0
 
Ray PaseurCommented:
... most safe and secure ...

Lots of moving parts to this design pattern!  If you want client authentication, this article teaches a simple way to do that.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html

If you want separate permissions sets for different clients, you will need a data-base backed web site.  This book teaches how to build one.
http://www.sitepoint.com/books/phpmysql4/

If you want to force a download to occur, rather than have a browser plug-in open the file (think PDF) this script will help you do that.  You can test it on my server here:
www.laprbass.com/RAY_force_download.php

Of course at the simplest level, you can just give the client the URLs, perhaps conveniently wrapped in the <a href> tag, and let the client do what she wants with the files.

HTH, ~Ray
<?php // RAY_force_download.php
error_reporting(E_ALL);

// REQUIRED FOR USE WITH THE PHP date() FUNCTIONS
date_default_timezone_set('America/New_York');



// A FILE TO DOWNLOAD - THIS LINK COULD COME IN THE URL VIA $_GET, OR COULD BE GENERATED INSIDE THE SCRIPT
$url = "http://www.LAPRBass.com/piechart.png";

// USE CASE
force_download($url);




// FUNCTION TO FORCE A DOWNLOAD FROM A FILE
function force_download($filename)
{
    // GET THE CONTENTS OF THE FILE
    $filedata = file_get_contents($filename);

    if ($filedata)
    {
        // GET A NAME FOR THE FILE
        $basename = basename($filename);

        // THESE HEADERS ARE USED ON ALL BROWSERS
        header("Content-Type: application-x/force-download");
        header("Content-Disposition: attachment; filename=$basename");
        header("Content-length: ".(string)(strlen($filedata)));
        header("Expires: ".gmdate("D, d M Y H:i:s", mktime(date("H")+2, date("i"), date("s"), date("m"), date("d"), date("Y")))." GMT");
        header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT");

        // THIS HEADER MUST BE OMITTED FOR IE 6+
        if (FALSE === strpos($_SERVER["HTTP_USER_AGENT"], 'MSIE '))
        {
            header("Cache-Control: no-cache, must-revalidate");
        }

        // THIS IS THE LAST HEADER
        header("Pragma: no-cache");

        // FLUSH THE HEADERS TO THE BROWSER
        flush();

        // CAPTURE THE FILE IN THE OUTPUT BUFFERS - WILL BE FLUSHED AT SCRIPT END
        ob_start();
        echo $filedata;
    }

    // ERROR
    else
    {
        die("ERROR: UNABLE TO OPEN $filename");
    }
}

Open in new window

0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now