PHP readfile - Force Download

I am using a Flash player to play some mp3 files. In Firefox, it loads them normally, but in IE it does not. When I go to the URL of the .mp3 file, it shows the mp3 source code (instead of suggesting, for example, download). So I used a little script to fix this:

 $url = $_GET['url'];
 header('Content-type: application/force-download');
 header('Content-Transfer-Encoding: Binary');
 header("Content-disposition: attachment; filename=demo.mp3");
 readfile($url);

I would like to ask you if this is safe. Also, does the server use bandwidth this way? And finally, does this affect server resources? Thanks.

+4
4 answers

No, this is not safe. If you had a password for the database in database.php and I entered database.php as $_GET['url'], your script would send me this PHP file with your password in it.

Yes, it will use bandwidth and some server resources.

+9

This is unsafe and you will not need to do this.

In addition to the security implications @ceejayoz mentioned, if PHP's allow_url_fopen is enabled, you can also insert any URL into $url. Thus, your server can be easily used for streaming large amounts of data from other servers with all possible consequences.

This method of serving files should only be used when it is truly needed. It consumes more resources (because you need to start an expensive PHP process) than requesting a static resource through a web server.

In any case, this is not necessary. It seems your web server is not serving the correct content-type header along with your MP3 files. This is what you have to fix.

It's possible, if you're on Apache, that adding a .htaccess file to the directory where the MP3 files are located, with the following contents:

 AddType audio/mpeg .mp3 

already fixes the problem. If this is not the case, but force-download works, try

 AddType application/force-download .mp3 

+5

Your actual problem is that you are not sending the content type header to the client when you are serving the mp3 file. Make sure you set the content type header before sending the contents of the mp3 file.

If you serve them directly from your web server without a script, you just need to configure the content type in your web server configuration.

For Apache, you can configure this in the .htaccess file:

 AddType audio/mpeg .mp3 

+2

Yes, there is definitely a security risk, since you do not check / deactivate the requested file path. So make sure you check this before sending files to the user!

Although this will use the bandwidth and server resources, it will be minimally more than downloading files on a regular basis. The only additional overhead is handling / running PHP. You probably won't notice the difference.

+1
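
A hardened variant of the question's script, as an added example that is not part of the original posts: it rejects both the `database.php` case and the remote-URL case described in the answers. It assumes the MP3 files sit in a `media` directory beside the script and that `url` carries a path relative to it; `MEDIA_DIR` and `resolveDownload` are names made up for this sketch.

```php
<?php
declare(strict_types=1);

// Assumption: all downloadable files live in this one directory (hypothetical path).
const MEDIA_DIR = __DIR__ . '/media';

/**
 * Map a user-supplied name to an existing .mp3 inside $baseDir, or return null.
 */
function resolveDownload($requested, string $baseDir): ?string
{
    // ?url[]=x arrives as an array; NUL bytes are never valid in a file name.
    if (!is_string($requested) || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // The input is always prefixed with the base directory, so "http://..." is
    // treated as a (non-existent) local path and never opened as a URL.
    // realpath() then collapses "../" and symlinks, or returns false.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // The resolved path must still be inside the base directory ("../database.php" is not).
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    // Allow-list the one extension this endpoint is meant to serve.
    if (strtolower(pathinfo($path, PATHINFO_EXTENSION)) !== 'mp3') {
        return null;
    }
    return $path;
}

$path = resolveDownload($_GET['url'] ?? null, MEDIA_DIR);
if ($path === null) {
    http_response_code(404);   // same answer for "missing" and "not allowed"
    exit;
}
$name = str_replace(['"', '\\'], '', basename($path));   // keep the quoted header value well-formed
header('Content-Type: audio/mpeg');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```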

Source: https://habr.com/ru/post/1313314/

