downloading pdf files directly from server

Posted: Thu Sep 15, 2011 7:27 pm
by thechinmaster
Hi

I am relatively new to coding, and have been trying to read up on this for several days now and have had no luck.

What I want to do is add a section to my website where users can download files that I have stored in folders unique to each user.

I do not want to add the ability for users to upload files.

The files need to be held securely, and will be in either pdf or jpg format.

Can anyone suggest a secure and easy way to do this?

Please don't tell me to RTFM as I have tried, and can only find info relating to storing these files as BLOB - which is not what I am after (if possible).

Thanks in advance!

Re: downloading pdf files directly from server

Posted: Thu Sep 15, 2011 9:33 pm
by xtiano77
The link below gives you a brief explanation of what is needed to download files from the server as far as headers are concerned. The rest would be up to you to figure out which file is actually being downloaded. Hope this helps.

http://www.ryboe.com/tutorials/php-head ... e-download

Re: downloading pdf files directly from server

Posted: Fri Sep 16, 2011 2:30 am
by thechinmaster
Thanks very much for your swift reply.
The above isn't really what I am after though (I should have explained more thoroughly!)

My website is designed so that only customers who have signed a contract are able to access files on the site. I have created tables in mysql hosted on my server which contain all user information. I want my customers to be able to access copies of their contracts, photographs etc. that are specific to their user information.

The site does not allow users the ability to upload files, just to download them. What I would like to do is create individual folders (independent of mysql) for me to upload each customer's unique files in. Then when a customer has logged in to the site, I would like for them to be able to access these files individually in their original format.

As I said, I am pretty new to this so it may be really simple to do, and I am just missing the point....

Thanks

Re: downloading pdf files directly from server

Posted: Fri Sep 16, 2011 11:53 pm
by xtiano77
I am sure there must be a better way, but off the top of my head I would create a folder above the public "html" directory and inside that folder create sub-folders for the users, each with a different name than the "username".

Example:

# This path should be above the public "www" or "html" directory.
# In my host the name is "public_html", so this folder should be above that one
$path = "/home/username/users/randomUserName/";
# You should validate this input from the user
$fileName = $_GET["user_file"];
# Send the headers to the browser
header("Cache-Control: public");
header("Content-Description: File Transfer");
header("Content-Disposition: attachment; filename=" . $fileName);
header("Content-Type: application/zip");
header("Content-Transfer-Encoding: binary");
readfile($path . $fileName);

Hope this helps.

Re: downloading pdf files directly from server

Posted: Sat Sep 17, 2011 9:05 pm
by thechinmaster
Excellent - so simple. But couldn't figure it out, thank you!

Re: downloading pdf files directly from server

Posted: Sat Sep 17, 2011 9:20 pm
by Christopher

$fileName = $_GET["user_file"];
This is very dangerous. It allows someone to download any file on your system (e.g., '../../../../etc/passwd'). You should validate and filter to make sure the file name does not contain any directory information.

Re: downloading pdf files directly from server

Posted: Sun Sep 18, 2011 3:35 am
by thechinmaster
1. Thanks for the warning. How would I incorporate that into the code pasted above please? (newbie question alert).

2. Also, what I had considered was putting a hyperlink to a user-specific file actually inside a table on mysql. Although this does achieve the result I want, I am assuming that that would also be pretty insecure?

Cheers
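
One way to add the validation asked about above, as an added example that is not code from any poster in this thread. It assumes the login code stores the customer's folder name in `$_SESSION['user_dir']` (a hypothetical key) and reuses the thread's example base path; `resolve_user_file()` is a name made up for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: storage root above the web root, as suggested in the thread.
const BASE_DIR = '/home/username/users';
// Only the formats the site serves, mapped to their MIME types.
const ALLOWED_TYPES = ['pdf' => 'application/pdf', 'jpg' => 'image/jpeg'];

/**
 * Returns [absolutePath, mimeType] when $requested names a file inside the
 * user's own folder, or null for anything else.
 */
function resolve_user_file(string $baseDir, string $userDir, string $requested): ?array
{
    // Reject directory components, leading dots and unexpected characters.
    if ($requested !== basename($requested)
        || !preg_match('/\A[A-Za-z0-9][A-Za-z0-9._ -]*\z/', $requested)) {
        return null;
    }
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return null;
    }
    // Canonicalise both paths so "../" or a symlink cannot leave the folder.
    $root = realpath($baseDir . '/' . $userDir);
    $file = realpath($baseDir . '/' . $userDir . '/' . $requested);
    if ($root === false || $file === false || !is_file($file)
        || strncmp($file, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return [$file, ALLOWED_TYPES[$ext]];
}

session_start();
// The folder comes from the logged-in session, never from the request.
$userDir = $_SESSION['user_dir'] ?? null;
$name = $_GET['user_file'] ?? '';
$hit = (is_string($userDir) && is_string($name))
    ? resolve_user_file(BASE_DIR, $userDir, $name) : null;
if ($hit === null) {
    http_response_code(404); // same answer for "missing" and "not yours"
    exit;
}
[$file, $mime] = $hit;
header('Content-Type: ' . $mime);
// $name passed the character allowlist, so it cannot break out of the header.
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . (string) filesize($file));
header('X-Content-Type-Options: nosniff');
readfile($file);
```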