Comments on: How To Force File Download With PHP

By: swellendam accommodation

swellendam accommodation — Mon, 19 Sep 2011 16:37:36 +0000

swellendam accommodation…

[...]How To Force File Download With PHP | W-Shadow.com[...]…

By: WuFe

WuFe — Tue, 06 Sep 2011 17:12:23 +0000

Goosy, the cURL method to retrieve the file size doesn’t work ever.
The best function to retrieve the size of a remote file is this:

function remotefilesize( $url ){
$size = get_headers( $url, 1 );
$size = $size[ "Content-Length" ];
return $size;
}

Anyway thanks a lot for the snippet..

By: goosy

goosy — Tue, 23 Aug 2011 08:55:59 +0000

Thanks a lot !!! Just more things for force download on cross -domain
delte this line “if(!is_readable($file)) die(‘File not found or inaccessible!’);” and for the file size use curl method like above
// Create a curl connection
$chGetSize = curl_init();

// Set the url we’re requesting
curl_setopt($chGetSize, CURLOPT_URL, “http://www.example.com/file.exe”);

// Set a valid user agent
curl_setopt($chGetSize, CURLOPT_USERAGENT, “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11″);

// Don’t output any response directly to the browser
curl_setopt($chGetSize, CURLOPT_RETURNTRANSFER, true);

// Don’t return the header (we’ll use curl_getinfo();
curl_setopt($chGetSize, CURLOPT_HEADER, false);

// Don’t download the body content
curl_setopt($chGetSize, CURLOPT_NOBODY, true);

// Run the curl functions to process the request
$chGetSizeStore = curl_exec($chGetSize);
$chGetSizeError = curl_error($chGetSize);
$chGetSizeInfo = curl_getinfo($chGetSize);

// Close the connection
curl_close($chGetSize);// Print the file size in bytes

$size=$chGetSizeInfo['download_content_length'];

thx again !

By: nlayno

nlayno — Wed, 25 May 2011 07:41:04 +0000

how to use this script ?

foredownload.php?file=http://–.zip <- like that?

By: vhortex

vhortex — Sun, 24 Apr 2011 14:44:22 +0000

@pk1001100011

You don’t need to put full filters on this function, the filters should be added somewhere on your code to prevent bloating your functions.

Provided code is only an example on how to do things.

I read your website and this is different from the script that you reviewed.
safe_mode can only be turned on by system admins and not ordinary hosted users unless you have a VPS account or a dedicated account. This function is turned on 97% of the time on shared hosting.

open_basedir is enabled on secured servers and there is no way to activate it on shared hosting accounts. This will cause trouble on account creations due to the restrictions that needs to be applied per account/domain.

open_basedir rule on applies to 1 and 1 domain or subdomain causing errors on the next subdomains that will be created unless you add a new open_basedir for that subdomain.

By: Flor

Flor — Sat, 16 Apr 2011 20:40:23 +0000

amm i don’t know why but when the window to save the file opens the file is downloaded like this “-myFile.pdf-”, i mean the extension is changed for .pdf- so it downloads corrupted or imposible to open any idea why this happens???

By: JavaGenious

JavaGenious — Mon, 20 Dec 2010 10:57:44 +0000

Thanks for the info. Can you also provide an example of use for this method?

By: Shawn Deprey

Shawn Deprey — Fri, 03 Dec 2010 03:52:18 +0000

What a great script! Very easy to follow. I hate when script writers cannot realize that they need to make their code easy to follow if they want other people to comprehend it. I used your script here:

http://www.pixnorth.com/phplx/mycode.php

You can use the php tools to add to the “my code” section. Your script then makes it possible to export to a php script whatever is in that section. Thanks for the script!

By: Ozzie Bock

Ozzie Bock — Tue, 23 Nov 2010 06:16:09 +0000

Thank you for posting this article, it really helped when I needed to force download a connection program for our remote pc support business.

By: pk1001100011

pk1001100011 — Mon, 02 Aug 2010 15:29:29 +0000

This script sucks. There are three vulnerabilities in this script: Local File Inclusion, Remote File Inclusion and Directory Traversal. These vulnerabilities allow an attacker to e.g read /etc/passwd file or steal a cookie. First of all, you should filter user supplied data.
I wrote a blog post about this: http://pklog.jogger.pl/2010/07/20/pewien-hotel-i-local-file-inclusion-studium-przypadku/ . It’s not English – Polish. You can use Google Translate or only look at code.
Anyway, just read about LFI, RFI, DT and white lists.

Finally, I’m sorry for my English – it’s not my native language.