2012-08-05 164 views
1

Hi, I'm trying to download files from the folder "upload". I'm using this code, but the result is "I'm sorry, the file doesn't seem to exist".

Here is my call:

<a href="download.php?filename=<?php $row4['Arxeio'] ?>">Click here 
to Download the File</a> 

And download.php:

<?php session_start(); 

$filename = $_GET['filename']; 

$download_path = './upload/'; 

if(eregi("\.\.", $filename)) die("I'm sorry, you may not download that file."); 

$file = str_replace("..", "", $filename); 

// Make sure we can't download .ht control files. 
if(eregi("\.ht.+", $filename)) die("I'm sorry, you may not download that file."); 

// Combine the download path and the filename to create the full path to the file. 
$file = '$download_path$filename'; 

// Test to ensure that the file exists. 
if(!file_exists($file)) die("I'm sorry, the file doesn't seem to exist."); 

// Extract the type of file which will be sent to the browser as a header 
$type = filetype($file); 

// Get a date and timestamp 
$today = date("F j, Y, g:i a"); 
$time = time(); 

// Send file headers 
header("Content-type: $type"); 
header("Content-Disposition: attachment;filename=$filename"); 
header("Content-Transfer-Encoding: binary"); 
header('Pragma: no-cache'); 
header('Expires: 0'); 

// Send the file contents. 
set_time_limit(0); 
readfile($file); 
?> 
+1

'eregi()' = no, 'preg_match()' = YES. But 'strpos()' will do the job you are doing above. It seems to me that what you really want is 'basename()'. Just an FYI ;-) – DaveRandom 2012-08-05 22:06:09

Answers

3

In your HTML, you need to echo the filename so that it is actually written to the output:

<a href='download.php?filename=<?php echo $row4['Arxeio']; ?>'>Click here to Download the File</a> 

When receiving the filename in PHP, you must validate it against directory traversal attacks. Make sure it contains neither / nor .. . Incidentally, you do have a simple test for that (eregi(), which is deprecated), but it can be done simply with strpos().

if (strpos($filename, "..") !== false || strpos($filename, "/") !== false) { 
    // Error! don't permit file download 
    // (strpos() returns false when the needle is absent, so compare with !== false) 
} 

See PHP's documentation on NULL byte attack protection as well.

Better still is to compare $filename against a whitelist of filenames that are valid for download:

if (in_array($filename, array('file1.jpg', 'file2.txt', 'file3.mov',...)) { 
    // Ok, send the file. 
} 
else { 
    // Invalid file 
} 
+0

The OP actually does do some validation of the filename, just not very well ('eregi()'), but any attempt is better than none, I suppose... – DaveRandom 2012-08-05 22:08:21

+0

@DaveRandom Yes. I overlooked that. – 2012-08-05 22:09:15
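Putting the answer's advice and DaveRandom's basename() hint together, here is an added example of a hardened download.php; it is not code from the question or the answer. It assumes the uploads live in ./upload/ next to the script and that ?filename= carries a bare filename, and it uses realpath() containment as a second check because basename() alone says nothing about symlinks inside the upload directory.

```php
<?php
// Added example, not code from the question or the answer above: a
// hardened download.php that applies basename(), a dotfile check and a
// realpath() containment check before serving a file from ./upload/.
// Assumes uploads live in ./upload/ next to this script.
declare(strict_types=1);

function resolve_download(string $requested, string $download_dir): ?string
{
    // Only a plain filename is acceptable: basename() strips any directory
    // part, so a value containing "/" or ".." no longer equals itself.
    if ($requested === '' || $requested !== basename($requested)) {
        return null;
    }
    // Reject dotfiles such as .htaccess and .htpasswd (and "." / "..").
    if ($requested[0] === '.') {
        return null;
    }
    // An embedded NUL byte would truncate the path in older PHP builds.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    $path = realpath($download_dir . DIRECTORY_SEPARATOR . $requested);
    // realpath() returns false for missing files and resolves symlinks, so
    // confirm the result is a regular file still inside the upload directory.
    if ($path === false || !is_file($path)
        || strpos($path, $download_dir . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$download_dir = realpath(__DIR__ . '/upload');
$file = $download_dir === false
    ? null
    : resolve_download((string) ($_GET['filename'] ?? ''), $download_dir);
if ($file === null) {
    http_response_code(404);
    exit("I'm sorry, the file doesn't seem to exist.");
}

// filetype() returns "file" or "dir", not a MIME type; send the real one.
$mime = mime_content_type($file) ?: 'application/octet-stream';
header('Content-Type: ' . $mime);
// Quote and encode the name so it cannot break the header line.
header('Content-Disposition: attachment; filename="' . rawurlencode(basename($file)) . '"');
header('Content-Length: ' . (string) filesize($file));
header('Cache-Control: no-store');
readfile($file);
```

The whitelist from the answer still fits in front of resolve_download() if the set of downloadable files is known in advance.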