Force Download Help!!!

ecreative

Below is a simple PHP force download script, but is there anyway to limit what it can download, such as only ".mov" or ".jpg" files as its a security issue because this version means you can download any file. I dont want people having access to files such as .php

<?php
header('Content-type: application/force-download');
$file=$_GET["file"];
if(file_exists($file)){
header('Content-Disposition: attachment; filename="'.$file.'"');
readfile($file);
}
?>

jazz_snob

You could check that $file doesnt end in .php w/ regex. I prefer putting downloadables in a directory all their own, then check if $file is in that directory, only download files from that directory, and also regex to make sure $file isn't '.' or '..' and check if file_exists( "downloads/$file") for example.

BTW, using PHP to force downloads only works for relatively small files. I just did a project where I handed the actual download over to apache using header( Location: location/of/file/to/download.zip" ); I

You can keep people from accesing the download directory or its contents via .htaccess. Anyway, that provided "satisfactory" level of security for my project.