Page 1 of 1

PHP and the upload/download of files

Posted: Mon Apr 24, 2006 11:47 pm
by Starcraftmazter
I have a number of questions.

But first, the scene. A website where users can upload any type of file, which will be avaliable for download for anyone (aka filehost).

Now, hypothetically if a hacker uploaded a nasty .php file and knew where it was located (fat chance, but anyway), he could code it to do all sorts of things, for example upload more rubbish into the same folder (since it will be 777).

I have made the actual website so that it's impossible to include any of it's .php files and get anything out of it, so I'm not concerned about that.

What I would like to ask though, is it possible with a download script, to fetch a file from the server, but somehow rename it on the fly (not on the server) so that the user downloads the properly named file?

eg. User uploads file called 'something.php', it gets renamed to GYJ84UFop0ujFfhjTHE4ruYUK09[9PuuitUYr765r and put in a folder HTr7rfytuJ8UY9ouIGyurfU65RFJY09p9IIK on the server, now when the user requests this file via the website, can this file be fetched, renamed to it's original form - 'something.php' so the user downloads the file with that name instead of some random one?

Is this possible, and if so, how?

Thanks for your help.
Cheers.

Posted: Tue Apr 25, 2006 12:37 am
by feyd
the header() function can name the file being downloaded. Whether the browser accepts the name is a different story, but most often they do.

Posted: Tue Apr 25, 2006 1:28 am
by Starcraftmazter
feyd wrote:the header() function can name the file being downloaded. Whether the browser accepts the name is a different story, but most often they do.
Right, and what's the header command I'm looking for?

Posted: Tue Apr 25, 2006 1:49 am
by feyd
The last example on the header() page shows it.

Posted: Tue Apr 25, 2006 2:50 am
by Starcraftmazter
Yep, that seems to do the job nicely, thanks!