Newgrounds.com — Everything, By Everyone.

PHP: Main

In this small tutorial, we are going to learn how to force a viewer to download a file when they click a link.

For example, if you want your viewers to be able to download the file image.jpg, you can use the code below, and the file image.jpg wont open in the browser.

To understand this tutorial you will need some basic knowledge of PHP and HTML.

So, on with the tutorial.

Make a new file called forceddownload.php and write the following script in it.

<?
// Tells the browser that where going to run a PHP script.
$file = $_GET['file'];
// Get a filename from the GET parameters.
header ("Content-type: octet/stream");
header ("Content-disposition: attachment; filename=".$file.";");
header("Content-Length: ".filesize($file));
// Sends the brower headers to tell it that it is sending that file back to it.
readfile($file);
// Reads the file from the server and send it to the browser.
exit;
?>
// Closes the PHP script.

Next, on the page you want to link the download from, we have the HTML that will link to the file.

<a href="forceddownload.php?file=image.jpg">D
ownload image.jpg</a>

Thats it.

You should now be able to click the link, and instead of the file opening, it will download.

Thanks to Cheeries for proof reading this tutorial =)

Brought to you by DannyIsOnFire.
www.dannyisonfire.com

oh... looks very nice.

Im just not sure how usefull the link is, appart from maybe a link to download a page or somthing.

At 8/13/06 12:22 PM, thecoshman wrote: oh... looks very nice.

Im just not sure how usefull the link is, appart from maybe a link to download a page or somthing.

It's very, very useful ;)
I'll give an example:
You have a log stored in a DB. you want to output it to a downloadable text file. You just send these headers and echo whatever is needed ;)

Yes my name is cheeries >:C

At 8/13/06 02:34 PM, -cherries- wrote: Yes my name is cheeries >:C

Bah, top set english and cant spell cherries :)
Im sure everyone knew what i meant, regardless of what i said.

Now to add security. Would be kinda bad if somebody downloaded your passwords right?

I like this tutorial a lot. It can be VERY useful

At 8/13/06 05:28 PM, henke37 wrote: Now to add security. Would be kinda bad if somebody downloaded your passwords right?

Once again, tutorials are for learning purposes. You're not really supposed to use them for real, but rather use the concept.

All though I do agree a simple check to make sure the file being sent to the script is on your server would help :)

Great tutorials, I will use for downloading all types of files, even .php.

I don't need to ZIP anymore - this great!

Do note that php scripts stops runing after X secs, to prevent infinite loops. There is a function that tells php that it should allow long executions.

At 8/21/06 05:38 AM, henke37 wrote: Do note that php scripts stops runing after X secs, to prevent infinite loops. There is a function that tells php that it should allow long executions.

I always wondered, so now I'm gonna ask:
why is this related?

Well that function is called set_time_limit()

Cool, I've been wondering just what header to send to do this.

Although do yourself a favor, don't copy and paste this script without sanitizing it. I could download you config.php files, or whatever else I want that's on your server, including password files for the linux server depending on permissions.

At 8/25/06 04:07 PM, Sir-Davey wrote: Cool, I've been wondering just what header to send to do this.

Although do yourself a favor, don't copy and paste this script without sanitizing it. I could download you config.php files, or whatever else I want that's on your server, including password files for the linux server depending on permissions.

I think you can only download the files that are in the same folder as foceddownload.php
So if you put only the files you want to be downloadable, you should have a problem.

should you ?

At 8/25/06 04:26 PM, DannyIsOnFire wrote: I think you can only download the files that are in the same folder as foceddownload.php
So if you put only the files you want to be downloadable, you should have a problem.

should you ?

What's stopping me from putting ../config.php as the file name?

Just make a list of files that are allowed to be downloadable, or escape /'s

if(substr(dirname(realpath($file)), 0, strlen($basepath))==$basepath) {
allowdownload():
}

Excellent script. I can definitely forsee using it.

few things.

1) can this be used to force download of php files, befor they are passed by the server, if so

2) can you use this to force the downlaod of a php page on another server, if so

3) this is a HUGE sercurity flaw! I could get your php scripts and know you SQL username and password anf shit, thus do WTF I want to your data!!!

Im scared!

well, that is a relief

The only thing you should ever use from that script are the headers :P

If you try to download php the browser will generate a html page echoing the output of the php (if any).

At 11/11/06 01:10 PM, different wrote: If you try to download php the browser will generate a html page echoing the output of the php (if any).

Not if you're using force-download it won't.