Force Download Help

ecreative

Below is a simple PHP force download script, but is there anyway to limit what it can download, such as only ".mov" or ".jpg" files as its a security issue because this version means you can download any file

<?php
header('Content-type: application/force-download');
$file=$_GET["file"];
if(file_exists($file)){
header('Content-Disposition: attachment; filename="'.$file.'"');
readfile($file);
}
?>

crazyjeremy

Did you look through the page at http://us3.php.net/function.readfile ??? I found this stuff via google search of "site:php.net force download" without quotes. Some of the listed scripts in the comments can be modified to do what you want.

bradgrafelman

Well, the first thing I would do is strip out any '/' or '\' character so they can't access other directories. To do this, instead of directory storing the value of the $_GET array into $file, store the result of a [man]str_replace/man like so:

$file = str_replace( array('\\', '/'), NULL, $_GET['file'] );

Next, you can achieve what you're talking about doing by using a simple REGEXP syntax:

if(!preg_match('/\.(mov|jpg)$/i', $file))
     die('ERROR: The extension on the file you requested is not allowed!');