file uploads works, now how to download

cornercuttinjoe

sorry to be posting again so soon, but i knew this question would come up, just didnt know it would today.

i recently pretty much completed a good section of an Order Manager site, and part of this site lets users upload files for certain orders. The users should able to then be able to view the orders and download these same files or others that have been uploaded when they go back to view/edit their orders.

my question is, i have got the uploading working. in the database, i save where each order goes, all of its relevant information, and to which order it belongs.

now my question is, how do i let these get downloaded? the orders arent stored above the doc root, so they cannot be directly accessed through the browser, so i thought about just creating a link to each individual file on the edit/view order page, and then it will just download from where the file is stored. but i dont like this idea because i dont want anyone who is not supposed to see a file to guess the existence/location of one.

so do you create a temporary directory to store files that can be uploaded? what is the norm in this situation? how do i keep user a from accessing stuff that only user b is supposed to see (as far as just typing stuff in the url box to see if it comes up).

any help or ideas would be great.

_RL_Ian

cornercuttinjoe wrote:
sorry to be posting again so soon, but i knew this question would come up, just didnt know it would today.

i recently pretty much completed a good section of an Order Manager site, and part of this site lets users upload files for certain orders. The users should able to then be able to view the orders and download these same files or others that have been uploaded when they go back to view/edit their orders.

my question is, i have got the uploading working. in the database, i save where each order goes, all of its relevant information, and to which order it belongs.

now my question is, how do i let these get downloaded? the orders arent stored above the doc root, so they cannot be directly accessed through the browser, so i thought about just creating a link to each individual file on the edit/view order page, and then it will just download from where the file is stored. but i dont like this idea because i dont want anyone who is not supposed to see a file to guess the existence/location of one.

so do you create a temporary directory to store files that can be uploaded? what is the norm in this situation? how do i keep user a from accessing stuff that only user b is supposed to see (as far as just typing stuff in the url box to see if it comes up).

any help or ideas would be great.

In order to accomplish this task, you must redirect the user to a page that contains headers. You can research more about headers on php.net if you are interested, but here is the quick and dirty. Take a look at the code I am pasting below. This code must be run BEFORE any output to the browser (ie: html) takes place:

<?php
header("Content-Type: application/msword"); //you have to find the appropriate MIME Type for the file you are downloading
header("Pragma: public");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Content-Transfer-Encoding: Binary");
header("Content-Length: " . filesize("/path/to/file.doc")); //In this example I used a .DOC file
header('Content-Description: File Transfer'); 
header("Content-Disposition: attachment; filename=YourFileName.doc"); //The user who downloads the file gets it as "YourFileName.doc" (can be whatever you want)
readfile("/path/to/file.doc"); //Absolute path to file
?>

You can find a list of MIME Types here: http://www.webmaster-toolkit.com/mime-types.shtml

cornercuttinjoe

ok, i kind of see. so if, in my case, an order has 4 files that go along with it that a user can download, and the user clicks on one of the links to one of the files, i should send them to a generic download page and just pass the information needed to get the file (all i would need is the order number and the file number) through session variables perhaps? this would just provide the generic code to handle all uploads.

i dont really like the idea of redirecting them though. could i do this all within the same page, and if they clicked the link, just refresh the page, but set a flag that specifies an upload needs to take place? is my thinking correct for that situation?

thanks a lot for the help.

_RL_Ian

cornercuttinjoe wrote:
ok, i kind of see. so if, in my case, an order has 4 files that go along with it that a user can download, and the user clicks on one of the links to one of the files, i should send them to a generic download page and just pass the information needed to get the file (all i would need is the order number and the file number) through session variables perhaps? this would just provide the generic code to handle all uploads.

i dont really like the idea of redirecting them though. could i do this all within the same page, and if they clicked the link, just refresh the page, but set a flag that specifies an upload needs to take place? is my thinking correct for that situation?

thanks a lot for the help.

You don't have to redirect them. That is perfectly ok. For instance, you could do something like this:

<?php
if ($_REQUEST['dl'] == true)
{
	header("Content-Type: application/msword"); //you have to find the appropriate MIME Type for the file you are downloading
	header("Pragma: public");
	header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
	header("Content-Transfer-Encoding: Binary");
	header("Content-Length: " . filesize("/path/to/file_" . $_REQUEST['file'] . ".doc")); //In this example I used a .DOC file
	header('Content-Description: File Transfer'); 
	header("Content-Disposition: attachment; filename=FileName_" . $_REQUEST['file'] . ".doc"); //The user who downloads the file gets it as "YourFileName.doc" (can be whatever you want)
	readfile("/path/to/file_" . $_REQUEST['file'] . ".doc"); //Absolute path to file
}

//Now start website
?>
<html>
<body>
	<a href="./thispage.php?dl=true&file=123456">Download File</a>
</body>
</html>

In this instance the file is passed as 123456 which then corrisponds to file_123456.doc in the system. You could pass it any number of variables then configure any type of files you want.

If you're feeling risky, you may even want to create a zip file on the fly with the appropriate files that the user is trying to download based on who it is trying to do the downloading. All sorts of neat things you can do.

Let me know if you get stuck!