File downloading in php

Question

Presently I am working on a company's website on which if job seeker posts their CV, it will be visible in the admin panel with a download option.

Now I need help in that download part. In admin section i am displaying information about the newly registered job seeker, along with a button which should allow administrator to download the job seeker's CV. I need at least one working example for doing this at least, if I got a good discussion about file downloading I will be very greatful.

I worked on website having file download option in asp.net in C# but no idea how to achieve it in html PHP.

http://stackoverflow.com/questions/1628260/downloading-a-file-with-a-different-name-with-php?rq=1 http://stackoverflow.com/questions/2624039/php-file-downloading-questions?rq=1 — Robbo, Nov 08 '12 at 06:09

score 1 · Accepted Answer · edited May 23 '17 at 11:43

1

See you said already you had a download link. Just link to the file.

<a href="download.php?file=user-cv.pdf">Download</a>

And in the download.php, give Content-disposition: attachment; this way:

<?php
    # Sanitize the code to avoid injection
    $file = "uploads/" . stripslashes(str_replace(array("..", "/"), "", $_GET["file"]));
    header('Content-Disposition: attachment; filename="' . $file . '"');
    header('Content-type: application/pdf');
    readfile($file);
    die();
?>

Warning:

As Corbin said, there is a huge security hole, if people tried to access the file directly. It would be better to store it in the DB as file name, file type, so that it can be accessed this way:

<a href="download.php?user=praveenscience">Download</a>

And in the PHP code, get the result from the MySQL server and download it this way:

<?php
    $file = mysql_result(/* Query Here */);
    header('Content-Disposition: attachment; filename="' . $file["filename"] . '"');
    header('Content-type: ' . $file["mimetype"]);
    readfile($file["filename"]);
    die();
?>

edited May 23 '17 at 11:43

Community

1
1

answered Nov 08 '12 at 06:08

Praveen Kumar Purushothaman

164,888
24
203
252

1

Note to anyone in the future who may copy/paste this code: This is a huge security hole. `?file=/etc/passwd` for example or `?file=/path/to/super/secret/file`. (Part of me thinks that this answer deserves a down vote without at least a warning of the massive security hole, but...) – Corbin Nov 08 '12 at 06:14
@Corbin Thanks for notifying. I have added the sanitization part. – Praveen Kumar Purushothaman Nov 08 '12 at 06:17
1

`stripslashes` only removes \, not `/`. Since dots would be removed, most of the risk would be mitigated, but anything at the drive root would be accessible. (Also, the file key shouldn't be assumed to exist in $_GET, but now I'm just being pedantic :p) – Corbin Nov 08 '12 at 06:19
@Corbin Added the best method as far as I know. Need your comments now. – Praveen Kumar Purushothaman Nov 08 '12 at 06:22
1

I just realized there's another flaw in the str_replace too. You should check what it transforms `..../test/` into (`../test`). Just replace `.` and `/` with an empty string. – Corbin Nov 08 '12 at 06:24

score 0 · Answer 2 · answered Nov 08 '12 at 06:10

0

give the complete path of resume along with file name in server as hyper link to your download button

like this:

<a href="<?php echo 'path of file/filename';?>"><img src="download.png"></a>

answered Nov 08 '12 at 06:10

Sivagopal Manpragada

1,554
13
33

File downloading in php

2 Answers2

Warning: