What are the potential pitfalls of directly downloading files using PHP headers?

Potential pitfalls of directly downloading files using PHP headers include lack of proper validation and security measures, potential for file path exposure, and susceptibility to malicious attacks such as file injection. To mitigate these risks, it is important to sanitize user input, validate file types, and store files outside of the web root directory.

&lt;?php
// Validate and sanitize user input
$file = &#039;path/to/files/&#039; . basename($_GET[&#039;file&#039;]);

// Check if the file exists and is allowed for download
if (file_exists($file) &amp;&amp; in_array(pathinfo($file, PATHINFO_EXTENSION), [&#039;pdf&#039;, &#039;jpg&#039;, &#039;png&#039;])) {
    // Set appropriate headers for file download
    header(&#039;Content-Type: application/octet-stream&#039;);
    header(&#039;Content-Disposition: attachment; filename=&quot;&#039; . basename($file) . &#039;&quot;&#039;);
    header(&#039;Content-Length: &#039; . filesize($file));

    // Read the file and output its content
    readfile($file);
    exit;
} else {
    // Handle invalid file or unauthorized access
    echo &#039;Invalid file or unauthorized access.&#039;;
}
?&gt;

Keywords

PHP headers file download security risks content-disposition MIME type

What are the potential pitfalls of directly downloading files using PHP headers?

Keywords

Related Questions