Hi everyone!

I'm new to this site...and somewhat new to php coding. I recently downloaded a script that allows downloads while hiding its path. The script runs great. I have implemented this script with a login script. So, only logged, registered users can download files.

However, there is one problem. I would like pdf files to open in the browser, rather than download. When I click on the pdf links, it opens up the raw data...and not the actual pdf file.

Can someone please help me with this? I'd appreciate any advice. Thank you!

<?php
include("/home/user/path/to/script/controller.php"); 

if(!$session->logged_in){ 
        header("Location: ../login.php"); 
} else { 

}
?>

<?php

###############################################################
# File Download 1.31
###############################################################
# Visit http://www.zubrag.com/scripts/ for updates
###############################################################
# Sample call:
#    download.php?f=phptutorial.zip
#
# Sample call (browser will try to save with new file name):
#    download.php?f=phptutorial.zip&fc=php123tutorial.zip
###############################################################

// Allow direct file download (hotlinking)?
// Empty - allow hotlinking
// If set to nonempty value (Example: example.com) will only allow downloads when referrer contains this text
define('ALLOWED_REFERRER', '');

// Download folder, i.e. folder where you keep all files for download.
// MUST end with slash (i.e. "/" )
define('BASE_DIR','/home/user/downloads/');

// log downloads?  true/false
define('LOG_DOWNLOADS',true);

// log file name
define('LOG_FILE','downloads.log');

// Allowed extensions list in format 'extension' => 'mime type'
// If mime type is set to empty string then script will try to detect mime type
// itself, which would only work if you have Mimetype or Fileinfo extensions
// installed on server.
$allowed_ext = array (

  // archives
  'zip' => 'application/zip',

  // documents
  'pdf' => 'application/pdf',
  'doc' => 'application/msword',
  'xls' => 'application/vnd.ms-excel',
  'ppt' => 'application/vnd.ms-powerpoint',

  // executables
  'exe' => 'application/octet-stream',

  // images
  'gif' => 'image/gif',
  'png' => 'image/png',
  'jpg' => 'image/jpeg',
  'jpeg' => 'image/jpeg',

  // audio
  'mp3' => 'audio/mpeg',
  'wav' => 'audio/x-wav',

  // video
  'mpeg' => 'video/mpeg',
  'mpg' => 'video/mpeg',
  'mpe' => 'video/mpeg',
  'mov' => 'video/quicktime',
  'avi' => 'video/x-msvideo'
);



####################################################################
###  DO NOT CHANGE BELOW
####################################################################

// If hotlinking not allowed then make hackers think there are some server problems
if (ALLOWED_REFERRER !== ''
&& (!isset($_SERVER['HTTP_REFERER']) || strpos(strtoupper($_SERVER['HTTP_REFERER']),strtoupper(ALLOWED_REFERRER)) === false)
) {
  die("Internal server error. Please contact system administrator.");
}

// Make sure program execution doesn't time out
// Set maximum script execution time in seconds (0 means no limit)
set_time_limit(0);

if (!isset($_GET['f']) || empty($_GET['f'])) {
  die("Please specify file name for download.");
}

// Nullbyte hack fix
if (strpos($_GET['f'], "\0") !== FALSE) die('');

// Get real file name.
// Remove any path info to avoid hacking by adding relative path, etc.
$fname = basename($_GET['f']);

// Check if the file exists
// Check in subfolders too
function find_file ($dirname, $fname, &$file_path) {

  $dir = opendir($dirname);

  while ($file = readdir($dir)) {
    if (empty($file_path) && $file != '.' && $file != '..') {
      if (is_dir($dirname.'/'.$file)) {
        find_file($dirname.'/'.$file, $fname, $file_path);
      }
      else {
        if (file_exists($dirname.'/'.$fname)) {
          $file_path = $dirname.'/'.$fname;
          return;
        }
      }
    }
  }

} // find_file

// get full file path (including subfolders)
$file_path = '';
find_file(BASE_DIR, $fname, $file_path);

if (!is_file($file_path)) {
  die("File does not exist. Make sure you specified correct file name."); 
}

// file size in bytes
$fsize = filesize($file_path); 

// file extension
$fext = strtolower(substr(strrchr($fname,"."),1));

// check if allowed extension
if (!array_key_exists($fext, $allowed_ext)) {
  die("Not allowed file type."); 
}

// get mime type
if ($allowed_ext[$fext] == '') {
  $mtype = '';
  // mime type is not set, get from server settings
  if (function_exists('mime_content_type')) {
    $mtype = mime_content_type($file_path);
  }
  else if (function_exists('finfo_file')) {
    $finfo = finfo_open(FILEINFO_MIME); // return mime type
    $mtype = finfo_file($finfo, $file_path);
    finfo_close($finfo);  
  }
  if ($mtype == '') {
    $mtype = "application/force-download";
  }
}
else {
  // get mime type defined by admin
  $mtype = $allowed_ext[$fext];
}

// Browser will try to save file with this filename, regardless original filename.
// You can override it if needed.

if (!isset($_GET['fc']) || empty($_GET['fc'])) {
  $asfname = $fname;
}
else {
  // remove some bad chars
  $asfname = str_replace(array('"',"'",'\\','/'), '', $_GET['fc']);
  if ($asfname === '') $asfname = 'NoName';
}

// set headers
header("Pragma: public");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Cache-Control: public");
header("Content-Description: File Transfer");
header("Content-Type: $mtype");
header("Content-Disposition: attachment; filename=\"$asfname\"");
header("Content-Transfer-Encoding: binary");
header("Content-Length: " . $fsize);

// download
// @readfile($file_path);
$file = @fopen($file_path,"rb");
if ($file) {
  while(!feof($file)) {
    print(fread($file, 1024*8));
    flush();
    if (connection_status()!=0) {
      @fclose($file);
      die();
    }
  }
  @fclose($file);
}

// log downloads
if (!LOG_DOWNLOADS) die();

$f = @fopen(LOG_FILE, 'a+');
if ($f) {
  @fputs($f, date("m.d.Y g:ia")." ".$_SERVER['REMOTE_ADDR']." ".$fname."\n");
  @fclose($f);
}

?>

    Change this:

    header("Content-Disposition: attachment; filename=\"$asfname\""); 

    to this:

    header("Content-Disposition: inline; filename=\"$asfname\""); 

    ... and see if that works for you. It should, but only IF the browser can handle PDFs natively (most can).

      dalecosp;11050633 wrote:

      Change this:

      header("Content-Disposition: attachment; filename=\"$asfname\""); 

      to this:

      header("Content-Disposition: inline; filename=\"$asfname\""); 

      ... and see if that works for you. It should, but only IF the browser can handle PDFs natively (most can).

      Thanks for your reply, dalecosp!

      I changed that line of code. Unfortunately, it still opens the raw data. I'm using Mozilla Firefox 40.0.3, if that helps. I also linked the .pdf file using <a href> tag...and not using the download script. It opens just fine in my browser.

      Thanks again for your help! I'm still searching if there's a php script that can accomplish what I need. Any other ideas would be greatly appreciated.

      Liv

        I wonder if the mimetype being generated is correct
        header("Content-Type: $mtype");

        I just hard set it with:
        header('Content-Type: application/pdf');

          I doubt the Content-Disposition: header is necessary; typically when a PDF document is served directly I find only the "Content-Type:" header is used to identify the type of document, e.g:

          Accept-Ranges: bytes
          Connection: keep-alive
          Content-Length: 304051
          Content-Type: application/pdf
          Date: Thu, 10 Sep 2015 22:04:52 GMT
          Etag: "55269409-4a3b3"
          Last-Modified: Thu, 09 Apr 2015 15:00:25 GMT
          Server: nginx/1.4.6 (Ubuntu)
          

          Have a look at the headers you get in the response when you...

          I also linked the .pdf file using <a href> tag...and not using the download script. It opens just fine in my browser.

          ... (since you have Firefox, you can use its developer tools to see them).

            Weedpacket;11050711 wrote:

            I doubt the Content-Disposition: header is necessary; typically when a PDF document is served directly I find only the "Content-Type:" header is used to identify the type of document, e.g:

            Accept-Ranges: bytes
            Connection: keep-alive
            Content-Length: 304051
            Content-Type: application/pdf
            Date: Thu, 10 Sep 2015 22:04:52 GMT
            Etag: "55269409-4a3b3"
            Last-Modified: Thu, 09 Apr 2015 15:00:25 GMT
            Server: nginx/1.4.6 (Ubuntu)
            

            Have a look at the headers you get in the response when you...

            ... (since you have Firefox, you can use its developer tools to see them).

            It probably isn't, but the behavior she wants is certainly not "attachment", so I was attempting to enlighten, at least a bit. :-)

            As Cretaceous indicates:

            header("Content-Type: $mtype"); 

            I'm sure we all noted that the script sets this to "force-download" if it can't resolve a MIME type for the file. I'd say he hit the nail on the head, but, yes, if possible a gander at the HTTP transaction should tell the OP what's wrong right away :-)

              Unrelated but still important:

              Make sure to add an exit statement when redirecting, otherwise the remaining code in the script will still execute, and this can cause you many headaches in the future.

              
              if(!$session->logged_in){ 
                  header("Location: ../login.php"); 
                  exit;
              } else { 
              
              } 
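
The suggestions made in this thread combined into one handler, as an added example that is not from any poster or from the File Download script: a fixed Content-Type per extension, an inline disposition only for types the browser renders itself, and an exit after the login redirect. The names `TYPES`, `build_headers` and `serve`, the `X-Content-Type-Options` header and the sample file names are assumptions of this example; it needs PHP 7.1 or later.

```php
<?php
// Added example; TYPES, build_headers() and serve() are hypothetical names.
// extension => [Content-Type, Content-Disposition]; only browser-renderable types are inline.
const TYPES = [
    'pdf' => ['application/pdf', 'inline'],
    'png' => ['image/png', 'inline'],
    'zip' => ['application/zip', 'attachment'],
    'doc' => ['application/msword', 'attachment'],
];

// Returns the header lines for one file, or null if the extension is not allowed.
function build_headers(string $fname, int $fsize): ?array
{
    $fname = basename($fname);                  // drop any path component
    $ext = strtolower(pathinfo($fname, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, TYPES)) {
        return null;
    }
    [$type, $disposition] = TYPES[$ext];
    $safe = str_replace(['"', '\\', "\r", "\n"], '', $fname);
    return [
        "Content-Type: $type",                  // fixed per extension, no force-download fallback
        "Content-Disposition: $disposition; filename=\"$safe\"",
        'X-Content-Type-Options: nosniff',      // browser must not second-guess the declared type
        "Content-Length: $fsize",
    ];
}

function serve(bool $logged_in, string $base_dir, string $requested): void
{
    if (!$logged_in) {
        header('Location: ../login.php');
        exit;   // without this the code below still runs and the file goes out with the redirect
    }
    $path = $base_dir . basename($requested);
    $headers = is_file($path) ? build_headers($requested, filesize($path)) : null;
    if ($headers === null) {
        http_response_code(404);
        exit;
    }
    foreach ($headers as $line) header($line);
    readfile($path);
}

// Constructed sample input, shown when the file is run from the command line.
if (PHP_SAPI === 'cli') {
    print_r(build_headers('report.pdf', 304051));
    var_dump(build_headers('notes.php', 10));   // NULL: extension is not in the list
}
```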
              