The correct way to handle file downloads in PHP - Webforward Blog
27th March 2015
Go Back

The correct way to handle file downloads in PHP

alt

I’ve seen many download scripts written in PHP, from simple one-liners to dedicated classes. At least half of them share common issues; in many cases programmers simply copy the code from something that works, without even attempting to understand what it really does. With my experience in developing a successful online video platform and writing many variations of download scripts for clients, I thought it would be notable to mention one that I come across time and time again…

Never accept paths as input

It’s very tempting to write something like

readfile($_GET['file']);

but before you do, think about it, anyone could request any file on the server, even if it’s outside the public html area. Guessing is not too difficult and in a few tries, an attacker could obtain configuration or password files.

You might think you’re being extra clever by doing something like

$mypath = '/path-to-my-files-folder/' . $_GET['file'];

but an attacker can use relative paths to evade that eg “../../../some-file.txt”.

What you must do – always – is sanitise the input. Accept only file names, like this:

$path_parts = pathinfo($_GET['file']);
$file_name = $path_parts['basename'];
$file_path = '/path-to-my-files-folder/' . $file_name;

And work only with the file name and add the path to it yourself.

Even better would be to accept only numeric IDs and get the file path and name from a database (or even a text file or key => value array if it’s something that doesn’t change often). Anything is better than blindly accepting requests.

If you need to restrict access to a file, you should generate encrypted, one-time IDs, so you can be sure a generated path can be used only once.

Oh, don’t forget to restrict direct access to your downloads folder.

Please share, have fun coding!

Facebooktwittergoogle_pluspinterestlinkedinmailFacebooktwittergoogle_pluspinterestlinkedinmail
Tags: , , , ,
About the Author

At heart, I am a geek. I started building websites at the age of 11 and have grown from a freelancer to running three successful web agencies located in Tamworth, Cardiff and Surrey, primarily through word-of-mouth. I love web design, and I like to think that it shows in our work. My specialities lie in bespoke web development, security testing and server management but I have a passionate team around me to complete the whole package and make our businesses the number one choice.

Subscribe to our mailing list and we will keep you up to date with our latest blog posts!