PHP script stopped working; can you help?

software development

#1

The following script is sitting in the root directory of my Website on Dreamhost’s server. When I first posted the script, it worked just fine, popping up a file dialog to allow the user to save MP3 files rather than automatically play them in the browser:

[color=#0000CD]<?php
// Define the path to file
$file = $_GET[‘f’];

if(file_exists($file))
{
// File doesn’t exist, output error
die($file);
}
else
{
// Set headers
header(“Cache-Control: public”);
header(“Content-Description: File Transfer”);
header(“Content-Disposition: attachment; filename=$file”);
header(“Content-Type: audio/mpeg”);
header(“Content-Transfer-Encoding: binary”);

 // Read the file from disk
 readfile($file);

}
?>[/color]

The PHP script is being called from within the HTML with the following tag (this code is in the index.html file):
[color=#0000CD]
[/color]

What results is a browser page showing “http://www.djpetesavas.com/download.php?f=player/pause_again.mp3” in the address bar, and displaying only the text “player/pause_again.mp3” against a white background.

As I stated, when I first posted this script to my Website, it all worked perfectly. Then, about a month ago, the script started exhibiting the behavior it does currently.

If you’d like to try this yourself, go to www.djpetesavas.com and click on the download button (a blue circle with a down arrow in it) under the “Podcast” section on the main page.

Thanks in advance for all your help.

Sincerely,
pete


#2

If all you need the script to do is set headers, don’t use PHP! Apache’s mod_headers module is more than sufficient for what you’re doing, and avoids entirely the overhead of using PHP.

mod_xsendfile (see elsewhere on the forum for details…) can also be used for download tracking/access-control scripts, but in this case even that is overkill.


#3

I don’t think it just stopped working :slight_smile: If you look at the line:

if(file_exists($file))

it will “die” with the filename as the errormessage, if the file exists. And continue, trying to serve the file, if the file does not exists. I don’t know mush about computing and stuff, but I have a feeling it should be the other way round:

if(!file_exists($file))


#4

That’s also probably a mistake, but my original point stands that this task doesn’t need PHP.


#5

OMFG!!!

Huge security hole!

what if i did this:
http://www.djpetesavas.com/download.php?f=index.php

I could then read your index.php file, and I am sure it has links to other important things such as your database username/password…

a bit more secure:
http://phpsnips.com/snippet.php?id=55

Edit:
@andrewf he also wants the file to be played as well, so apache wouldn’t be the best suggestion, as it will force download all the time.


#6

No, that’s not true at all. mod_headers can be used to send any desired Content-Type header, with or without an accompanying Content-Disposition header. (It can be used to force download, but it certainly doesn’t have to.)

Your point about the original script being a security risk is well taken, though. Yet another reason to not use it!


#7

Actually, guys, all I do want is for the files to download instead of being played in the browser as I have a streaming Flash player on the main page…

I’m not very experienced with Web programming (yet), and am just learning PHP, so if one of you could tell me how to implement the mod_headers module, I would appreciate it.

Thanks,
pete[hr]

That did the trick, THANKS!!!

pete


#8

Take a look at this page in the wiki: