Neither the readfile nor the content-disposition will parse correctly. Single-quoted strings are literal strings in PHP, and all content within them is treated as a literal string.
PHP Code:
if (isset($_GET['fname']))
{
    header('Content-type: application/pdf');
    header('Content-disposition: attachment; filename="' . $_GET['fname'] . '"');
    readfile($_GET['fname']);
}
Now, this is *extremely* insecure. Nothing stops the user from reading any file off of the machine that this user account has access to. So you'll want to replace any characters that are illegal within the filename, in particular, the / character. Then what you can do is you can resolve the path, take the dirname off of it, and compare it to where you want to serve from. This process can be kludged together:
PHP Code:
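// realpath() resolves ../ segments and symlinks; it returns false if the file does not exist.
$sRequestedPath = realpath($_GET['fname']);
if ($sRequestedPath !== false && dirname($sRequestedPath) === '/path/to/allowed/location')
{
    // now you can process.
}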
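
The steps described above (reject illegal filename characters, resolve the path, compare its directory to the serving directory) combined into one handler, as an added example that is not part of the original post. The `resolveDownload` helper and `DOWNLOAD_DIR` constant are assumed names, and the directory is the post's placeholder.

```php
<?php
// Added example. DOWNLOAD_DIR is the placeholder path from the post.
const DOWNLOAD_DIR = '/path/to/allowed/location';

/**
 * Return the canonical path of $name inside $baseDir, or null when the
 * name is malformed, missing, or resolves outside that directory.
 */
function resolveDownload(string $name, string $baseDir): ?string
{
    // Reject path separators, control characters (incl. NUL, CR, LF) and
    // double quotes, which would break the Content-Disposition header.
    if ($name === '' || $name === '.' || $name === '..'
        || preg_match('#[/\\\\\x00-\x1f"]#', $name)) {
        return null;
    }

    // Canonicalise the base once so the comparison below is like-for-like.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }

    // realpath() follows symlinks, so a link placed inside the directory
    // that points elsewhere resolves to its real target and fails the check.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || !is_file($path) || dirname($path) !== $base) {
        return null;
    }
    return $path;
}

// $_GET values can be arrays (?fname[]=x), so check the type as well.
if (isset($_GET['fname']) && is_string($_GET['fname'])) {
    $path = resolveDownload($_GET['fname'], DOWNLOAD_DIR);
    if ($path === null) {
        http_response_code(404); // same response for "missing" and "refused"
        exit;
    }
    header('Content-Type: application/pdf');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}
```

Note that the file is opened by the resolved `$path`, never by the raw request value, so the check and the read cannot disagree about which file is meant.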