PHP Secure Download Script

plato
Forum Newbie
Posts: 1
Joined: Mon Aug 19, 2002 11:56 am

Post by plato »

I am amidst a project in which I require a php download script that will allow clients to download ONLY the files to which they have access. The files to which they have access are determined by data in a MySQL database (that's not my problem). I have everything working except the actual sending of the file.

I need to keep the files in a NON-web-enabled directory (duh, otherwise the users could just go straight to the URL). I can get php to read the file in and send it to the user. The only problem I have is that it kind of messes up Internet Explorer after it downloads the file. Also, the user cannot use the "Open" button presented by IE. But if the user saves the file, he/she can open the file just fine. I believe this behavior is because IE is not passing the filename off correctly to the program that is going to open the file. I am convinced that it is the headers that the PHP script is sending to the client. This download.php file is executed from a POST method form with a $FID variable (like 2034, or 103043), and a $submit (duh...).

I will try to attach some of the download.php script for your use. Any suggestions are welcome.

--------------------------------------------------------------------

<?
# Include necessary header file(s)...
require ("sessioncheck.php");
require ("./conf/config.php");

# This script searches the database for the FID the user has requested #
# and returns the file associated with that FID to the user for download. #
# It then increments the number of downloads of that particular file by #
# 1 and writes it back to the database. #

# Connect and select the proper database.
$db = mysql_connect("$dbserver:$dbport", $dbadmin, $dbpasswd);
mysql_select_db("$dbname", $db);

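# Cast the requested FID to an integer so it cannot alter the SQL or the file path.
$FID = (int) $FID;

# Make the query and store it in $result.
$result = mysql_query("select * from files where FID=$FID;", $db);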

# If it found a file, then...
if (mysql_num_rows($result) > 0)
{
# Store the first row (this is the file's record) into $row.
$row = mysql_fetch_array($result);

# Retrieve and store the size of the file into $fsize.
$fsize = filesize("{$row["path"]}/$FID");

# Retrieve and store the mime/type of the file into $mimetype.
$mimetype = $row["mimetype"];

# Send the browser the appropriate headers to let it know we're sending it a file.
header("Content-type: $mimetype");
header("Content-Length: $fsize");
header("Content-Disposition: attachment\; size={$fsize}\; filename={$row["filename"]}");

# Now update the number of downloads to the file.
$downloads = $row["downloads"];
$downloads = $downloads + 1;
mysql_query("update files set downloads=$downloads where FID=$FID;");

# If you can, then write the file out to the client.
readfile("{$row["path"]}/$FID");
}

# Else, it didn't find the file you were looking for (which is weird),
# so return an error to the client.
else
{
# Put in html headers for browser compliance. ?>
<html><head></head>
<body>

<?
# Display the error.
display_error("File not found","the requested file was not found in the database.");

# Close the html document. ?>
</body></html>

<? } ?>
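
An added example, not part of the original post: in a double-quoted PHP string `\;` is not an escape sequence, so the Content-Disposition header above goes out with literal backslashes and an unquoted filename. The sketch below sends a well-formed header, binds FID as an integer parameter, and confirms the resolved file stays inside the private directory. `DOWNLOAD_ROOT`, the DSN and the credentials are assumed placeholders, the table and column names are the ones in the post, and the per-user access check is assumed to have run already (as `sessioncheck.php` does in the post).

```php
<?php
// Added example, not the poster's code. Assumed names: DOWNLOAD_ROOT, the PDO
// DSN and credentials. Table and column names are the ones in the post.
const DOWNLOAD_ROOT = '/srv/private-downloads';   // assumed, outside the web root

// Build the header without stray backslashes and with a quoted filename.
function content_disposition(string $name): string
{
    // Drop any path part, control characters (CR/LF header injection),
    // double quotes and backslashes from the database value.
    $safe = preg_replace('/[\x00-\x1F\x7F"\\\\]/', '', basename($name));
    return 'Content-Disposition: attachment; filename="' . ($safe !== '' ? $safe : 'download') . '"';
}

// Return the real path of the stored file only if it lies under $root.
function resolve_stored_file(string $root, string $dir, int $fid): ?string
{
    $rootReal = realpath($root);
    $real = realpath($dir . '/' . $fid);
    if ($rootReal === false || $real === false || !is_file($real)) {
        return null;
    }
    return strncmp($real, $rootReal . DIRECTORY_SEPARATOR, strlen($rootReal) + 1) === 0 ? $real : null;
}

// Read FID from the POST body explicitly and accept integers only.
$fid = filter_input(INPUT_POST, 'FID', FILTER_VALIDATE_INT);
if ($fid === null || $fid === false) {
    http_response_code(400);
    exit('Bad request');
}

$pdo = new PDO('mysql:host=localhost;dbname=files_db;charset=utf8mb4', 'dbuser', 'dbpass',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);   // constructed credentials
$stmt = $pdo->prepare('SELECT path, filename, mimetype FROM files WHERE FID = ?');
$stmt->execute([$fid]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
$file = $row ? resolve_stored_file(DOWNLOAD_ROOT, $row['path'], $fid) : null;
if ($file === null) {
    http_response_code(404);
    exit('File not found');
}

// Atomic increment avoids the read-then-write race on the counter.
$pdo->prepare('UPDATE files SET downloads = downloads + 1 WHERE FID = ?')->execute([$fid]);

header('Content-Type: ' . preg_replace('/[\r\n]/', '', $row['mimetype']));
header('Content-Length: ' . filesize($file));
header(content_disposition($row['filename']));
header('X-Content-Type-Options: nosniff');
readfile($file);
```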