force download sound file

Posted: Sun May 18, 2008 3:03 am
by yshaf13
hi, i need to be able to let the user download a sound file instead of having it stream in the browser. after snooping around a few forums i found the best way would be to set content-disposition headers...
so i wrote this little page:

<?php
extract($_GET);
$fullpath="http://.../uploads/$filename.$format";
header("Content-disposition: attachment; filename=$filename.$format");
header("Content-type: audio/$format");
header("Content-Length: " . filesize($fullpath)); 
readfile($fullpath);
?>

problem is, it only downloads 2-300kb and then just stops. also the download dialog (ie and firefox) doesn't get the filesize... what am i doing wrong? is it because the server is timing out?

Re: force download sound file

Posted: Sun May 18, 2008 10:36 pm
by Mordred
Your code is extremely unsecure besides being wrong.
1. (wrong) filesize() and readfile() want a local file name, not a URL. Technically, only filesize() does, but in reality you should just fix $fullpath.
2. (unsecure) Uploaded files, especially if served by a proxy script like the current one, should reside above the web root, in a folder that is unaccessible from HTTP. If you don't have one, use .htaccess to disable HTTP requests to that folder.
3. (unsecure) Your script allows an attacker to manipulate $filename and $format and download any file on the system that the PHP/Apache user has access to. That is, it would have been possible if the script weren't buggy :)
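
A hardened version of the download script that applies the three points in the reply above, as an added example that is not part of the original thread. The upload directory path, the format allowlist and the function name `resolve_download` are assumptions made for illustration.

```php
<?php
// Added example. UPLOAD_DIR and FORMATS are assumed values, not from the thread.
const UPLOAD_DIR = '/var/www/private/uploads'; // local directory outside the web root
const FORMATS = [                              // allowlist: extension => MIME type
    'mp3' => 'audio/mpeg',
    'wav' => 'audio/wav',
    'ogg' => 'audio/ogg',
];

// Map the request to a file inside $baseDir, or return null if anything is off.
function resolve_download(array $query, string $baseDir): ?array
{
    // Read only the two expected parameters instead of extract($_GET),
    // which would let the request overwrite any variable in scope.
    $name   = $query['filename'] ?? '';
    $format = $query['format'] ?? '';
    if (!is_string($name) || !is_string($format)) return null;

    // No dots, slashes, quotes or CR/LF: blocks traversal and header injection.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) return null;
    if (!array_key_exists($format, FORMATS)) return null;

    // Local path, not a URL, so filesize() and readfile() both work.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name . '.' . $format);
    if ($base === false || $path === false || !is_file($path)) return null;

    // Defence in depth: a symlink must not lead outside the upload directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) return null;

    return ['path' => $path, 'name' => "$name.$format", 'type' => FORMATS[$format]];
}

$file = resolve_download($_GET, UPLOAD_DIR);
if ($file === null) {
    http_response_code(404); // same response for "invalid" and "missing"
    exit;
}
header('Content-Type: ' . $file['type']);
header('Content-Disposition: attachment; filename="' . $file['name'] . '"');
header('Content-Length: ' . filesize($file['path']));
header('X-Content-Type-Options: nosniff');
readfile($file['path']);
```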