I’m developing a web service. With this service, user’s will upload their .php files, and service will remove UTF8 BOM characters from php file. And then, There will be a link like this :
<a href="uploads/as8df7/uploadedfile.php">Download Your File</a>
But when i click this link, browser browsing to this file. I don’t want browse it, i want to download it. So , when user click this link, downloading will start.
Any ideas ?
(P.S. I don’t want modify uploadedfile.php file, also i read 5 questions about this, but still i have problem.)
The problem is that you’re allowing people to upload PHP files on your server, then giving them a link to execute that PHP file. The web server is automatically treating those uploaded PHP files like any other PHP file, i.e. executing it, which opens you up to a massive security hole.
Whatever purpose your web service has, I’d suggest renaming the file on your server when it is uploaded (something ‘random’ is best, without an extension), then having a PHP script feed it back out with the appropriate headers set when it is requested.
The URL for such a script would look like:
It would link the value in
idwith the file on the server, and if you’ve saved the original filename somewhere (flat file, DB), you can serve it out using its original name, so long as you set the right HTTP headers.