I'm working on a php script where users can upload any type of file they want, even php files.

All files are uploaded/moved in a specific folder ("uploads").

I don't want these files to be readable otherwise it can cause a major security bug as users can write any php code and take control of my server.

I want these files only to be downloadable by the user client (browser). Like Dropbox for example.

Trondro Mulligan
  • This might interest you: http://stackoverflow.com/questions/1968106/generate-download-file-link-in-php – mariobros Jan 12 '17 at 14:13
  • Store the files in a folder that is not web accessible, serve the files using the `Content-Disposition` header. – mister martin Jan 12 '17 at 14:14
  • Possible duplicate of [Open Download Dialog with PHP](http://stackoverflow.com/questions/985083/open-download-dialog-with-php) – giusti Jan 12 '17 at 16:39

1 Answer

You can deny access to uploads/move, then force a redirect from all URLs under uploads/move to a PHP script:

RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^/uploads/move/(.*)$ /serve_file.php?filePath=$1 [L]

then send a force download header like so for example:

// $filePath must already be validated as a file inside uploads/move
header("Content-Disposition: attachment; filename=\"" . basename($filePath) . "\"");
header("Content-Type: application/force-download");
header("Content-Length: " . filesize($filePath));
header("Connection: close");
readfile($filePath); // stream the file to the client instead of reading it into memory
exit;

!! Make sure the $filePath is in uploads/move and not anywhere else, or they could grab other files !!

Thanks @Mark Baker for the optimisation, using readfile is a better way!

Victor Radu
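As an added example (not the answer's code), here is what a complete serve_file.php for this setup can look like, including the "stay inside the upload folder" check the answer warns about and headers that stop the browser from rendering or sniffing the download. The upload directory path and the `filePath` query parameter are assumptions taken from the rewrite rule above.

```php
<?php
// Added example, not from the original answer: a download endpoint that only
// reads from the upload directory, rejects path traversal, and forces the
// browser to save the file rather than interpret it.
// Assumption: uploads live outside the web root at the placeholder path below
// and the rewrite rule passes the requested name as ?filePath=.

declare(strict_types=1);

const UPLOAD_DIR = '/var/www/private_uploads'; // placeholder; keep it outside the web root

function resolve_upload_path(string $requested, string $baseDir): ?string
{
    // Only the bare file name is accepted; this drops "../" and any directory part.
    $name = basename($requested);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $full === false || !is_file($full)) {
        return null;
    }
    // Defence in depth: after symlinks are resolved the file must still be inside the base dir.
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

$path = resolve_upload_path($_GET['filePath'] ?? '', UPLOAD_DIR);
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

// A generic binary type plus nosniff: the browser downloads the bytes and never
// treats an uploaded .php or .html file as something to render or execute.
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
// Restrict the name shown in the download dialog so it cannot inject into the header.
$safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
header('Content-Disposition: attachment; filename="' . $safeName . '"');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
exit;
```

Because PHP never includes or executes the file, only streams it, an uploaded .php file is just bytes to the client; the directory itself should still have script execution disabled as a second layer.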