#native_company# #native_desc#


By abigail
on July 9, 2003

Version: 1.3

Type: Sample Code (HOWTO)

Category: File Management

License: GNU General Public License

Description: Forces a script to download attached file with attached filename!!

  * download.php
  * -- modified by Abbie
  * This PHP script sends a file in such a way that most web clients
  * will offer to download the file to the client computer. It uses
  * the Content-Disposition headeer extension to RFC2616
  * (see http://www.w3.org/Protocols/rfc2616/rfc2616.html)
  * to suggest the web client should download the file. This is
  * implemented on most (but not all) web clients. I have tested it
  * on Mozilla, Netscape 4.78 and 6.21, Internet Explorer 5.5, lynx,
  * Konqueror and Opera. It works fully on all.
  * Usage: download.php?filename=name_of_file.extension
  * Examples: to download the SPSS file data.sav from index.html
  * where download.php, index.html and data.sav are all in the 
  * same directory, put a link in index.html of the form
  * <a href="download.php?data.sav">Download SPSS data file</a>.
  * You can use paths in the filename, as in
  * <a href="download.php?../include/data.sav">Download data</a>.
  * You can specialise the code by putting a line of the form
  * $filename="data.sav";
  * immediately after this comment. This will allow you to send
  * exactly one file for download, viz data.sav.
  * Only one variable, $filename, is not defined by default. In
  * principle, you can send a the name of the file to download
  * through a POST request (e.g. on a form button). I haven't
  * tested this.
  * Restrictions: by default you can't download files with the
  * extensions html, phtml, htm, phtm, inc, php or php3. This is to
  * avoid potential security problems. For example, it is possible
  * to use a PHP file to hide sensitive data such as the password
  * to connect to an SQL server. If we allowed this script to offer
  * php scripts for download, then a client request of the form
  * http://../download.php?sensitive.php could show the raw php file.
  * Security issues: see the comments under Restrictions above. If
  * in doubt, define $filename immediately after this comment and
  * use a separate script for each downloadable file. I've tried
  * using header( "Location: ... " ) to retrieve the file. It doesn't
  * work on a solaris server, but does work on gnu/linux.
$shortname = basename( $filename );

if( file_exists( $filename )          // sanity check
    && !eregi( "p?html?", $filename ) // security check
    && !eregi( "inc", $filename )
    && !eregi( "php3?", $filename ) ){
  $size = filesize( $filename ); 
  header("Content-Type: application/save"); 
  header("Content-Disposition: attachment; filename=$shortname"); 
  $fh = readfile("$filename"); // I use this instead of fopen because when fopen is used, it only reads 1KB of data
} else {
<!DOCTYPE HTML PUBLIC "-//W3C//DTD 4.01 Transitional//EN"
<html lang="en">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Download Error</title>
 <style type="text/css">
   body {background-image:url(include/background.gif);
   a:hover {text-decoration:none; border-width:thin; border-style:dotted;
            background-color:#f2f2ff; color:#000000}
   a:focus {text-decoration:none; background-color:#dadae6; color:#000000}
   a:active {text-decoration:none; background-color:#ffffff; color:#000000}
<h1>File <?php print( $basename ) ?> not available</h1>
  Either the file you requested does not exist or you are not permitted to
  download it using this page.