我用php下载文件的代码有什么问题?
我用php下载文件的代码有什么问题?,php,download,Php,Download,download.php: <?php require_once('Connections/connection_psfriend.php'); ?> <?php $idreceived = addslashes($_REQUEST['sendid']); $filepathquery = "SELECT bd_brushfilepath FROM tbl_brushdescription WHERE bd_brushid = $idreceived"; $Recordset
download.php
:
<?php require_once('Connections/connection_psfriend.php'); ?>
<?php
$idreceived = addslashes($_REQUEST['sendid']);
$filepathquery = "SELECT bd_brushfilepath FROM tbl_brushdescription WHERE bd_brushid = $idreceived";
$Recordset = mysql_query($filepathquery,$connection_psfriend) or die(mysql_error());
$filepath = mysql_fetch_assoc($Recordset);
$receivedfilerequest = $filepath['bd_brushfilepath'];
$file_path = $_SERVER['DOCUMENT_ROOT'].'/'.'ps-friend'.'/' . $receivedfilerequest;
$updatedownlaodquery = "UPDATE tbl_brushdescription SET bd_brushdownloads = bd_brushdownloads + 1 WHERE bd_brushid = $idreceived";
$Recordset = mysql_query($updatedownlaodquery,$connection_psfriend) or die(mysql_error());
if(file_exists( $file_path)){
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename='.basename($file_path));
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate');
header('Pragma: public');
header('Content-Length: ' . filesize($file_path));
ob_clean();
flush();
readfile($file_path);
exit;
首先,请停止使用MYSQL\u
函数,请参阅
其次,您使用的是$idreceived=addslashes($_REQUEST['sendid'])
是防止SQL注入的好方法。不幸的是,您调用的查询类似于,其中bd_brushid=$idreceived
,因此没有引号
换句话说,只要我不引用任何引语,你仍然是脆弱的。考虑我发送<代码> SnDead=1或1=1 <代码>。您的所有行都将在第二个查询中更新
将其更改为,其中bd_brushid='$idreceived'
,或者更好:检查
现在谈谈你的问题。我想你应该把一行改成下面的引号
header('Content-Disposition: attachment; filename="'.basename($file_path).'"');
如果仍然不起作用,请在标题中发送正确的内容类型
<?php
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$type = finfo_file($finfo, $file_path);
header('Content-Type: '.$type)
?>
以下几点对我来说一直很有用
$file=$_POST['file'];
header( "Content-Disposition: attachment; filename=$file" );
readfile("$_POST[file]");
没有任何内容类型标题。但是,我的文件扩展名是.zip
。您的文件似乎没有扩展名。您正在使用并且应该使用。您还容易受到现代API的影响,因为它会使您更容易使用。您应该在标题('Content-Type:application/octet-stream')行设置正确的mimetype
实际上,您正在设置下载对话框上显示的mimetype。请尝试显式地将内容类型
设置为application/zip
或application/rar
。