force download sound file

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
yshaf13
Forum Commoner
Posts: 72
Joined: Mon Apr 03, 2006 7:59 pm

force download sound file

Post by yshaf13 »

hi, i need to be able to let the user download a sound file instead of having it stream in the browser. after snooping around a few forums i found the best way would be to set content-disposition headers...
so i wrote this little page:

Code: Select all

 
<?php
extract($_GET);
$fullpath="http://.../uploads/$filename.$format";
header("Content-disposition: attachment; filename=$filename.$format");
header("Content-type: audio/$format");
header("Content-Length: " . filesize($fullpath)); 
readfile($fullpath);
?>
problem is, it only downloads 2-300kb and then just stops. also the download dialog (ie and firefox) doesn't get the filesize... what am i doing wrong? is it because the server is timing out?
User avatar
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: force download sound file

Post by Mordred »

Your code is extremely unsecure besides being wrong.
1. (wrong) filesize() and readfile() want a local file name, not a URL. Technically, only filesize() does, but in reality you should just fix $fullpath
2. (unsecure) Uploaded files, especially if served by a proxy script like the current one, should reside above the web root, in a folder that is unaccessible from HTTP. If you don't have one, use .htaccess to disable HTTP requests to that folder.
3. (unsecure) Your script allows an attacker to manipulate $filename and $format and download any file on the system that the PHP/Apache user has access to. That is, it would have been possible if the script weren't buggy :)
Post Reply