real quick php forced download question

[krs1ars]

Hey all, just a quick question for something with my site. I'm looking to have a download prompt pop up for mp3 files on a button release. I am under the impression that php is the only way to do this, but since I'm terrible with php, I'm stuck.

Here's the flash button script.

ActionScript Code:

on (release) {
lvOut = new LoadVars();
lvOut.file = "/" + _root.path + ".mp3";
lvOut.sendAndLoad("/dl.php", lvOut, "GET");

}

Where _root.path is something like "Artist - Title" in plane text, but it is the same as the file name.


And here's the php.

PHP Code:

header("HTTP/1.0 204 No Content");
$basedir = "http://www.mysite.com/workingfolder/";
header("Content-Type: octet/stream");
header("Content-Disposition: attachment; filename=\"".$_GET['file']."\"");
$fp = fopen($basedir.$_GET['file'], "r");
$data = fread($fp, filesize($basedir.$_GET['file']));
fclose($fp);
print $data; 


Any help would be greatly appreciated.

Kevin

[krs1ars]

Hey,

I'm trying to put a button in my swf that gives the user the standard download prompt, especially for files that would normally be opened in the browser (.mp3 files) etc.

I'm pretty clueless about how to do this even in general, in html.

I'd imagine it'd take some sort of php or javascript wizardry that I know notihng about. Again, any help appreciated.

Kevin

[Dark_Element]

Quote:

crispiness at fastmail dot fm
12-Jan-2005 02:09
If the below post didn't make this clear... be VERY VERY CAREFUL with download scripts! I had a vulnerability for years in my download counting script; namely, the user could download ANY file on the server. Including the PHP files that contained my database password!

The same potential vulnerability applies to any script that displays or downloads files from your server. Caveat scriptor (let the programmer beware; and no, that's not proper Latin)!
aarondunlap.com
29-Dec-2004 08:17
I just made a function to allow a file to force-download (for a script to disallow file links from untrusted sites -- preventing mp3/video leeching on forums), and I realized that a script like that could potentially be very dangerous.

Someone could possibly exploit the script to download sensitive files from your server, like your index.php or passwords.txt -- so I made this switch statement to both allow for many file types for a download script, and to prevent certain types from being accessed.

<?php

function dl_file($file){

//First, see if the file exists
if (!is_file($file)) { die("<b>404 File not found!</b>"); }

//Gather relevent info about file
$len = filesize($file);
$filename = basename($file);
$file_extension = strtolower(substr(strrchr($filename,"."),1));

//This will set the Content-Type to the appropriate setting for the file
switch( $file_extension ) {
case "pdf": $ctype="application/pdf"; break;
case "exe": $ctype="application/octet-stream"; break;
case "zip": $ctype="application/zip"; break;
case "doc": $ctype="application/msword"; break;
case "xls": $ctype="application/vnd.ms-excel"; break;
case "ppt": $ctype="application/vnd.ms-powerpoint"; break;
case "gif": $ctype="image/gif"; break;
case "png": $ctype="image/png"; break;
case "jpeg":
case "jpg": $ctype="image/jpg"; break;
case "mp3": $ctype="audio/mpeg"; break;
case "wav": $ctype="audio/x-wav"; break;
case "mpeg":
case "mpg":
case "mpe": $ctype="video/mpeg"; break;
case "mov": $ctype="video/quicktime"; break;
case "avi": $ctype="video/x-msvideo"; break;

//The following are for extensions that shouldn't be downloaded (sensitive stuff, like php files)
case "php":
case "htm":
case "html":
case "txt": die("<b>Cannot be used for ". $file_extension ." files!</b>"); break;

default: $ctype="application/force-download";
}

//Begin writing headers
header("Pragma: public");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Cache-Control: public");
header("Content-Description: File Transfer");

//Use the switch-generated Content-Type
header("Content-Type: $ctype");

//Force the download
$header="Content-Disposition: attachment; filename=".$filename.";";
header($header );
header("Content-Transfer-Encoding: binary");
header("Content-Length: ".$len);
@readfile($file);
exit;
}

?>

This works in both IE and Firefox.

That code is from PHP.net http://www.php.net/header

should work lol

[krs1ars]

Many thanks. One problem though. I guess there's some issue with how php adresses a file and sends it throug the header.
Here's what happens.

Say for a file artist - title.mp3
the script will download the entire file, but it will be labeled "artist" without the rest of the file name or the entension. I figure I can probably fix this just by using underscores, but is there any way I can keep the spaces?

[CyanBlue]

Maybe you should really avoid using the file name with the space because that might just give you more trouble with some hosts and whatnots... It's easier to add the underscore to rid the headaches... Just a thought...

[Dark_Element]

try %20 ? donno if it will work lol... though in URL its fine