Indigo Rose Software

  1. #1
    Join Date
    Oct 2003
    Posts
    114

    Need PHP script help

    Need PHP script help. Anybody have it or know where to find it?
    I need a successful download from a click of a download button.
    This is a link to my under-construction website.

    homemadebyx.com

    If you click one of the "files" buttons, it takes you to a dynamic
    listing page with download buttons. If the filetype = .zip or .txt,
    no problems. If the filetype = any other type, then the file is
    corrupted in one way or another.
    The .docs open in Word with some sort of whacked code. The
    .jpgs don't have a thumbnail or preview in Windows. The .mp3s
    that previously had an image in the MP3 tag don't work. The
    mp3s also lock up Windows Media Player.


    On button,
    <!-- the raw path is passed straight into the query string -->
    <a href="downloadFile.php?file=<?php echo "$currentDirectory/$fileName"; ?>">Download</a>

    On download page,
    <?php
    // Nothing may be sent before the headers: whitespace or a BOM ahead of this
    // opening tag, or after a closing ?> tag, gets prepended to every file and
    // corrupts binary downloads. That is why this file has no closing ?> at the end.

    // Taken straight from the URL with no validation at all.
    $filename = $_GET['file'];

    // Everything after the last "." decides the Content-Type.
    $file_extension = strtolower(substr(strrchr($filename, "."), 1));

    switch ($file_extension) {
        case "pdf":  $ctype = "application/pdf"; break;
        case "exe":  $ctype = "application/octet-stream"; break;
        case "zip":  $ctype = "application/zip"; break;
        case "doc":  $ctype = "application/msword"; break;
        case "xls":  $ctype = "application/vnd.ms-excel"; break;
        case "ppt":  $ctype = "application/vnd.ms-powerpoint"; break;
        case "gif":  $ctype = "image/gif"; break;
        case "png":  $ctype = "image/png"; break;
        case "jpeg":
        case "jpg":  $ctype = "image/jpeg"; break;   // "image/jpg" is not a registered type
        default:     $ctype = "application/octet-stream"; // generic binary; browsers offer a download
    }

    header("Pragma: public");
    header("Expires: 0");
    header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
    header("Cache-Control: public");
    header("Content-Type: $ctype");
    // Quote the filename; the original had a stray ";" after it.
    header('Content-Disposition: attachment; filename="' . basename($filename) . '"');
    header("Content-Transfer-Encoding: binary");
    header("Content-Length: " . filesize($filename));
    readfile($filename);   // serves whatever path the caller named
    exit;


    Any help would be extremely appreciated

    ScottDuncan
    x@homemadebyx.com

  2. #2
    Join Date
    Jun 2004
    Posts
    31
    That script is actually insecure; it allows the user to download any file from your webserver, providing they know where it is...

  3. #3
    Corey (Indigo Rose Staff Alumni)
    Join Date
    Aug 2002
    Posts
    9,746
    Quote Originally Posted by Waza
    That script is actually insecure,
    Insecure? I don't see anything in the script which would affect the security of your server.

    Anyhow it's not going to be a reliable delivery system. I assume the issue here is hiding the download URL? If that's the case, look into CURL:

    http://ca3.php.net/curl

    I have no real experience using curl so I can't offer a script but from what I've heard, that's the proper way to obscure download links.

  4. #4
    Join Date
    Jun 2004
    Posts
    31
    Yes it is insecure, simply because of this:

    readfile("$filename");

    $filename is set in the URL parameters, meaning the user can get to any file, or any directory and any file using ".."

    You ideally should filter the files allowed inside the script.

  5. #5
    Corey (Indigo Rose Staff Alumni)
    Join Date
    Aug 2002
    Posts
    9,746
    OK I see it now. Yes you are right, that script is dangerous. Thanks for pointing that out.

  6. #6
    Join Date
    Jun 2004
    Posts
    31
    Quote Originally Posted by Corey
    OK I see it now. Yes you are right, that script is dangerous. Thanks for pointing that out.
    No Prob

  7. #7
    Join Date
    Oct 2003
    Posts
    114

    Thank you for the replies

    I'm not concerned about people taking my files; that's why I'm putting them on the net. The only security concern I have is whether or not my files could be manipulated or messed with in any way. As far as I understand it, they're secure and free to the world.
    The reason I posted here was because upon hitting my download buttons, my files download successfully but are corrupted in some way or another. Basically, I want the files to work after a download.
    If you go directly to the http for the file category (digitallyoverwhelmed.com/images) and "Save Target As", it downloads without corruption.

  8. #8
    Corey (Indigo Rose Staff Alumni)
    Join Date
    Aug 2002
    Posts
    9,746
    Hi. I think what Waza is telling you is that people can use your script to download even your PHP files, maybe even htaccess files, etc... Typically this would be the opposite of what you want. By filtering the downloadable file types you would avoid people accessing your secure scripts and files.
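
The filtering that posts #4 and #8 ask for, as an added example that is not part of the original thread or the poster's site: a hardened downloadFile.php. It assumes the downloadable files live in a directory named files next to the script (a hypothetical layout chosen for this example) and that the extension list below is the full set of types meant to be public; both are assumptions, not something the original script states. The request is resolved with realpath() and rejected unless it still lies inside that directory, so ../ cannot escape it, and anything not on the extension allowlist (PHP sources, .htaccess, config files) is refused even if it sits inside the directory.

```php
<?php
// Added example, not the original poster's script. Hardened download handler:
// the served file must resolve inside $baseDir AND have an allowlisted extension.
// No output (not even whitespace) may precede this opening tag, and the file
// deliberately has no closing ?> tag, or stray bytes would corrupt every download.

$baseDir = realpath(__DIR__ . '/files');   // assumed location of public downloads
if ($baseDir === false) {
    refuse(500, 'Download directory missing');
}

// Extension allowlist (assumed set). Anything not listed here is never served,
// so .php, .htaccess, .ini and similar files under $baseDir stay private.
$allowedTypes = [
    'pdf'  => 'application/pdf',
    'zip'  => 'application/zip',
    'txt'  => 'text/plain',
    'doc'  => 'application/msword',
    'xls'  => 'application/vnd.ms-excel',
    'ppt'  => 'application/vnd.ms-powerpoint',
    'gif'  => 'image/gif',
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'mp3'  => 'audio/mpeg',
];

function refuse(int $status, string $msg): void
{
    http_response_code($status);
    header('Content-Type: text/plain');
    echo $msg;
    exit;
}

$requested = $_GET['file'] ?? '';
if ($requested === '' || strpos($requested, "\0") !== false) {
    refuse(400, 'Bad request');
}

// realpath() collapses "..", "." and symlinks, and returns false if the
// target does not exist, so a traversal attempt either resolves to a real
// path we can check or fails outright.
$path = realpath($baseDir . '/' . $requested);
if ($path === false || !is_file($path)) {
    refuse(404, 'Not found');
}

// The resolved path must start with "$baseDir/". The separator is included so
// that a sibling such as "/var/www/files-private" does not pass the check.
$prefix = $baseDir . DIRECTORY_SEPARATOR;
if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
    refuse(403, 'Forbidden');
}

$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
if (!isset($allowedTypes[$ext])) {
    refuse(403, 'File type not offered for download');
}

$downloadName = str_replace(['"', "\r", "\n"], '', basename($path));

header('Content-Type: ' . $allowedTypes[$ext]);
header('Content-Disposition: attachment; filename="' . $downloadName . '"');
header('Content-Length: ' . filesize($path));
header('Cache-Control: public, must-revalidate');
header('X-Content-Type-Options: nosniff');

// Drop any output buffers so the file bytes go straight to the client.
while (ob_get_level() > 0) {
    ob_end_clean();
}
readfile($path);
exit;
```

With this in place the button link passes only the path relative to the files directory (for example downloadFile.php?file=images/photo.jpg), a request such as downloadFile.php?file=../downloadFile.php gets a 403 instead of the script's own source, and a request for a .php file that happens to sit inside the directory is refused by the extension check.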

  9. #9
    Join Date
    Oct 2003
    Posts
    114
    Ahhh, I kinda get it now, I'll definitely look into that.

  10. #10
    Join Date
    Jun 2004
    Posts
    31
    Quote Originally Posted by Corey
    Hi. I think what Waza is telling you is that people can use your script to download even your PHP files, maybe even htaccess files, etc... Typically this would be the opposite of what you want. By filtering the downloadable file types you would avoid people accessing your secure scripts and files.
    Thats right...

    It amazes me how many scripts like those are floating about on the internet, and people use them :(

  11. #11
    Corey (Indigo Rose Staff Alumni)
    Join Date
    Aug 2002
    Posts
    9,746
    True. Even I made a mistake reading it, and I *know* better. When I read it initially I just skimmed it lazily and I saw:

    $filename = $_GET['file'];

    As something more like:

    $filename = "myImage.jpg";

    Or whatever. Anyhow your point is valid, the internet is indeed chock full of things and stuff. Lots of mistakes. But I also think it's great to have forums like these where people help one another with stuff like this, your advice ends up getting passed on down the line and it fuels a general community learning infrastructure which is quite noble.
