PHP and the upload/download of files

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Starcraftmazter
Forum Commoner
Posts: 45
Joined: Mon Apr 24, 2006 11:36 pm

PHP and the upload/download of files

Post by Starcraftmazter »

I have a number of questions.

But first, the scene. A website where users can upload any type of file, which will be available for download for anyone (aka filehost).

Now, hypothetically if a hacker uploaded a nasty .php file and knew where it was located (fat chance, but anyway), he could code it to do all sorts of things, for example upload more rubbish into the same folder (since it will be 777).

I have made the actual website so that it's impossible to include any of its .php files and get anything out of it, so I'm not concerned about that.

What I would like to ask though, is it possible with a download script, to fetch a file from the server, but somehow rename it on the fly (not on the server) so that the user downloads the properly named file?

e.g. User uploads file called 'something.php', it gets renamed to GYJ84UFop0ujFfhjTHE4ruYUK09[9PuuitUYr765r and put in a folder HTr7rfytuJ8UY9ouIGyurfU65RFJY09p9IIK on the server, now when the user requests this file via the website, can this file be fetched, renamed to its original form - 'something.php' so the user downloads the file with that name instead of some random one?

Is this possible, and if so, how?

Thanks for your help.
Cheers.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

the header() function can name the file being downloaded. Whether the browser accepts the name is a different story, but most often they do.
Starcraftmazter
Forum Commoner
Posts: 45
Joined: Mon Apr 24, 2006 11:36 pm

Post by Starcraftmazter »

feyd wrote: the header() function can name the file being downloaded. Whether the browser accepts the name is a different story, but most often they do.
Right, and what's the header command I'm looking for?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

The last example on the header() page shows it.
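The approach feyd points to, as an added example that is not code from the thread or the PHP manual: a download script that serves a randomly named stored file and sets the original name through Content-Disposition. UPLOAD_DIR, the $fileMap lookup table and the id query parameter are assumptions standing in for whatever the real site uses.

```php
<?php
// Added example (not from the thread): serve a file stored under a random
// name and tell the browser the original name via Content-Disposition.
// $fileMap is a constructed stand-in for the table that maps a public id
// to the stored name and the original name supplied at upload time.
declare(strict_types=1);

// Assumption: uploads live outside the web root, so nothing in that
// directory is ever executed as PHP regardless of its original name.
const UPLOAD_DIR = '/var/www/uploads_private';

$fileMap = [
    // public id => [stored name on disk, original name from the uploader]
    'a1b2c3' => ['GYJ84UFop0ujFfhjTHE4ruYUK09', 'something.php'],
];

function sanitizeDownloadName(string $name): string
{
    // Keep only the base name and replace characters that could break the
    // header or confuse the browser (quotes, control chars, separators).
    $name = basename(str_replace('\\', '/', $name));
    $name = preg_replace('/[^\w.\- ]+/', '_', $name) ?? 'download';
    return ($name === '' || $name === '.') ? 'download' : $name;
}

$id = (string) ($_GET['id'] ?? '');
if (!isset($fileMap[$id])) {
    http_response_code(404);
    exit('Not found');
}
[$storedName, $originalName] = $fileMap[$id];

// Build the path from the trusted stored name only, never from user input.
$path = UPLOAD_DIR . '/' . basename($storedName);
if (!is_file($path)) {
    http_response_code(404);
    exit('Not found');
}

$safeName = sanitizeDownloadName($originalName);

// Generic type plus nosniff: the browser saves the bytes instead of
// rendering or executing them, whatever the original extension was.
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="' . $safeName . '"');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

The random on-disk name never reaches the client, and the client-supplied id is only ever used as an array key, so the script cannot be steered to files outside the map.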
Starcraftmazter
Forum Commoner
Posts: 45
Joined: Mon Apr 24, 2006 11:36 pm

Post by Starcraftmazter »

Yep, that seems to do the job nicely, thanks!