You know how when I create a link to an image it is shown in the browser, or when I create a link to a PHP file the result of it is shown.

<a href="tes.jpg">test</a>
<a href="tes.php">test</a>

But I don't want that!
I want that when a user clicks on the link, the file in href gets downloaded (an image or PHP script should be downloaded, just like zip files are).

What should I do? Do I use headers? How?

    You can put a passthrough script:

    // The name comes straight from the query string; nothing here checks it.
    $filename = $_GET['file'];
    $filesize = filesize('./downloadfolder/' . $filename);
    header('Pragma: public');
    header('Last-Modified: '.gmdate('D, d M Y H:i:s') . ' GMT');
    header('Cache-Control: no-store, no-cache, must-revalidate'); // HTTP/1.1
    header('Cache-Control: pre-check=0, post-check=0, max-age=0'); // HTTP/1.1
    header('Content-Transfer-Encoding: none');
    header('Content-Type: application/octetstream; name="' . $filename . '"'); //This should work for IE & Opera
    header('Content-Type: application/octet-stream; name="' . $filename . '"'); //This should work for the rest
    header('Content-Disposition: attachment; filename="' . $filename . '"');
    header("Content-length: $filesize"); // was $size, which is never assigned
    readfile('./downloadfolder/' . $filename);
    

    Well, that works for me. I'm sure some of it's pretty useless, but it works, and that's all that matters 😛

      madwormer2 wrote:

      Well, that works for me. I'm sure some of it's pretty useless, but it works, and that's all that matters 😛

      Well, what if I set the $_GET['file'] value to, say,

      ../../../../../../../../../../../etc/passwd
      or
      ../../../../../../../../../../../etc/samba/smbpasswd
      or
      ../../../../../../../../../../../path/to/some/critical/file

      Would your example not allow them to download it, given the right environment?

      You need to add some file path validation, making sure that the file is something that you actually want to allow them to download.

        Lol, of course you need to do some checks, I was just showing how it could be done.

        The script that I actually use takes the md5 of the filename and redirects it to a file in a ./downloads/ folder.

        The above was just an example.

        You could just do str_replace(array('..', '/'), '', $filename);

        That would strip out the directory changing.
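As an added example (not code posted by anyone in this thread), here is the passthrough script from above with the path validation the replies ask for. The download folder name, the extension allowlist and the constructed sample file are assumptions for illustration. Rather than stripping `..` and `/` out of the name, it rejects anything that is not a plain file name and then confirms with realpath() that the resolved file really sits inside the download folder:

```php
<?php
// Added example, not from the original thread: a download passthrough that
// only serves files from one fixed folder. Folder name and extension list
// are assumptions for illustration.
declare(strict_types=1);

const DOWNLOAD_DIR = __DIR__ . '/downloadfolder';          // assumed folder
const ALLOWED_EXT  = ['jpg', 'png', 'pdf', 'zip', 'php']; // assumed allowlist

/**
 * Map a user-supplied name to a file inside $dir, or return null.
 * Checks, in order: no NUL byte, a single conservative path component,
 * an allowed extension, and realpath() containment so symlinks or
 * other tricks cannot escape the folder.
 */
function resolve_download(string $requested, string $dir = DOWNLOAD_DIR): ?string
{
    // An embedded NUL truncates the path in the C-level file functions.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // Plain file name only: no slashes, no leading dot, so "." and ".." fail too.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,99}\z/', $requested)) {
        return null;
    }
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    $base = realpath($dir);
    $path = realpath($dir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // Containment: the resolved file must live directly under the base folder.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

/** Send an already-validated file as an attachment. */
function send_download(string $path): void
{
    $name = basename($path); // already limited to [A-Za-z0-9._-] by the regex
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    header('Cache-Control: no-store');
    readfile($path);
}

if (PHP_SAPI === 'cli') {
    // Self-check on constructed names against a temporary folder with one file.
    $tmp = sys_get_temp_dir() . '/dl_' . bin2hex(random_bytes(4));
    mkdir($tmp);
    file_put_contents($tmp . '/report.pdf', 'constructed sample content');
    $cases = [
        'report.pdf'             => true,   // legitimate download
        '../../../../etc/passwd' => false,  // traversal from the thread
        '..'                     => false,  // bare dot-segment
        "report.pdf\0.jpg"       => false,  // NUL truncation attempt
        'missing.pdf'            => false,  // well-formed but absent
        'report.exe'             => false,  // extension not on the allowlist
    ];
    foreach ($cases as $in => $expect) {
        $ok = resolve_download($in, $tmp) !== null;
        printf("%-28s %s\n", addcslashes($in, "\0"), $ok === $expect ? 'ok' : 'FAIL');
    }
    unlink($tmp . '/report.pdf');
    rmdir($tmp);
} else {
    $path = resolve_download((string) ($_GET['file'] ?? ''));
    if ($path === null) {
        http_response_code(404);
        exit('Not found');
    }
    send_download($path);
}
```

Run it as `php download.php` to exercise the checks against the constructed names; served from a web root it answers `?file=name` and returns 404 for anything that does not resolve inside the folder. The realpath() containment check is the part that matters most: it is what stops a name that passed the textual filters from still pointing somewhere else via a symlink placed in the download folder.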

          Giving the right advice the first time should be the object.

          Would you expect someone not to just cut and paste?

          Here is an example. I have been getting all these spam posts to my blog. Check out an example of the URLs that they list in the spam.

          http://www.mississippi.gov/frameset.jsp?URL=http://a1zi2.com/xanax504.html xanax
          http://www.cosis.net/members/frame.php?url=http://a1zi2.com/buyxanax138.html buy xanax
          http://www.mississippi.gov/frameset.jsp?URL=http://a1zi2.com/onlinepharmacy651.html online pharmacy
          http://www.cosis.net/members/frame.php?url=http://a1zi2.com/cialis30.html cialis
          http://www.itascacc.edu/getpage.php?id=http://a1zi2.com/lortab994.html lortab
          http://www.elbulli.com/main.php?url=http://a1zi2.com/buyphentermine736.html buy phentermine
          http://www.itascacc.edu/getpage.php?id=http://a1zi2.com/buyphentermine612.html buy phentermine
          http://www.nostarch.com/frameset.php?startat=http://a1zi2.com/canadianpharmacyonline14.html? canadian pharmacy online
          http://www.itascacc.edu/getpage.php?id=http://a1zi2.com/canadianpharmacyonline180.html canadian pharmacy online
          http://www.itascacc.edu/getpage.php?id=http://a1zi2.com/buylortab873.html buy lortab
          http://www.cosis.net/members/frame.php?url=http://a1zi2.com/canadianpharmacyonline313.html canadian pharmacy online
          http://www.insulate.org/frameset.php?thePage=http://a1zi2.com/onlinepharmacy650.html online pharmacy
          http://www.state.ms.us/frameset.jsp?URL=http://a1zi2.com/cialis.html cialis

          Now, personally, I would think that the admins of these big websites would have stopped to think about the potential exploit of the pages that they were putting on their website. But then again, they might have just cut/pasted an example that someone gave on a website. Like the example you gave.

          They came here asking for an answer. Not half an answer that then opens them up to a big exploit that they would not have realized.

          Remember, people come here for advice, because they don't know how to do it right.

            IMHO... no one should ever cut and paste code that they don't understand from any message board. Not only are you opening yourself up to potentially more problems, but there is usually more than one way to solve a problem. Anything posted on message boards should be used as a starting point and not used as-is in any production environment.

            Best,
            Cent
