Hey everyone..Need a little help here but I'm not really sure if this is possible.. First off, I have a ListSelect which hold 5 items. The first item asks the user to select one of the items in the list. When the user selects one of the other items in the list I want it to prompt them with a download box to download that particular file. Problem is, all the files in the list are text files..Therefor, it just opens them in the browser instead of prompting them to download. Here is my current code which opens the newly selected item in the browser onchange=\"window.location='$VARIABLE' + this.options[this.selectedIndex].value;\" Code (markup): I've tried using the following code to prompt the user to download..but it doesn't work. I select an item and nothing happens. onchange=\"<? header('Content-type: plain/text'); header('Content-Disposition: attachment; filename=''$VARIABLE' + this.options[this.selectedIndex].value''); readfile(''$VARIABLE' + this.options[this.selectedIndex].value'); ?>\" Code (markup): Is it possible to prompt the user to download a text file using the onchange method?
Separate it into parts. Basically to... html: onchange = 'location.href=download.php?file=' + this.options[this.selectedIndex].value; download.php: header('Content-type: plain/text'); header('Content-Disposition: attachment'); readfile($_GET['file']); Hendra
Hey hdewantara..Thanks for the response. I got that to work. Only problem now is that no matter which item you select in the list the file gets named download.php..I used the following code and was able to rename the download.php file to a download.txt file instead: in download.php header('Content-Disposition: filename="download.txt"'); Code (markup): But, I don't want to name every file download.txt..Instead, I would like to name the file by the associated value in the list. So, I made the following changes: onchange='window.location=\"download.php?filename=\"this.options[this.selectedIndex].value\".txt&file=$VARIABLE\" + this.options[this.selectedIndex].value;' Code (markup): and now this is the last 2 lines of my download.php header('Content-Disposition: filename='($_GET['filename'])''); readfile($_GET['file']); Code (markup): However, it doesn't seam to work. Nothing happens when I select an item in the list again. Thanks again for your help!
Code looks okay to me Except this one perhaps: header('Content-Disposition: attachment; filename="' . $_GET['filename'] . '"'); Any (javascript/php) error messages?
Hey, thanks for getting back to me. I made the change you suggested but still nothing. No errors come up or error_logs being created. It just sits there any does nothing whenever I select an item in the list. I did clean the original line up a little as it looks like one or two things may not have been properly closed..But, still nothing $output = "\r\n\t<select class=\"xxlarge\" size=\"1\" id=\"downloadList\" name=\"list1\" onchange=\"window.location=download.php?filename='this.options[this.selectedIndex].value'.txt&file='$VARIABLE' + this.options[this.selectedIndex].value;\"><option value=\"1\">Please select a day</option>"; Code (markup):
Okay, just an update on this as I've made a little bit more progress. I now get the file to rename properly and prompt me to save. But, when I save and open the file I do have an error. Here is the new code onchange=\"window.location='download.php?filename=fileDate' + this.options[this.selectedIndex].value;'&file=$VARIABLE' + this.options[this.selectedIndex].value;\" Code (markup): Here is the error <br /> <b>Warning</b>: readfile() [<a href='function.readfile'>function.readfile</a>]: Filename cannot be empty in <b>/home/username/public_html/folder/download.php</b> on line <b>4</b><br /> Code (markup): Finally, here is the download.php file <? header('Content-type: plain/text'); header('Content-Disposition: attachment; filename="' . $_GET['filename'] . '"'); readfile($_GET['file']); ?> Code (markup):
Hmm, I think it's the onchange making problem: onchange=\"window.location='download.php?filename=fileDate' + this.options[this.selectedIndex].value;'&file=$VARIABLE' + this.options[this.selectedIndex].value;\" Code (markup): Could you paste how that code part is printed in your HTML page (not as PHP code) here?
That's what I was thinking as well..and I think it's particularly in the &file= part.. This is what the URL should look like: http://www.mydomain.com/download.php?filename=fileDate10-11-2013.txt&file=http://www.mydomain.com/folder/10-11-2013.txt Code (markup): the fileDate text is just something I put in there to add some text before the selectedIndex value. It seamed that when I was trying to get just the value it wouldn't work..Then, adding some text before it and adding the + fixed that..However, I think the issue is in this region: '&file=$VARIABLE' The first part of the URL is in a single quote: 'download.php?filename=fileDate' Then we add the selected index which is not in a single quote Then we perform another single quote to try and continue the URL: '&file=$VARIABLE' and Then we add the selected index which is not in a single quote again Maybe this is part of this issue? Thanks again!!
Aaa, you're very close then One missing 'plus' sign? onchange=\"window.location='download.php?filename=fileDate' + this.options[this.selectedIndex].value + '&file=$VARIABLE' + this.options[this.selectedIndex].value;\"
readfile($_GET['file']); PHP: ... remove this line NOW. Can you guess what happens when I go to download.php?file=/etc/passwd ?
@ hdewantara - thanks for that correction. I've put it in there, but for some reason I still get the same error as above coming from download.php.. @nico_swd - I don't think that would really play a role here. The download file is not in a home directory and I don't know that trying to access such a file under a user account would even be allowed?
I would still be able to download any file from your server. Such as config.php files etc... You should validate the extension, and make sure the file can't be outside a specific folder.
What would you recommend to validate the extension or lock it to a specific folder? I've tried to use the following code to lock it to a specific folder but it doesn't appear to work: readfile($_GET['http://www.mydomainhere.com/folder/location/' + 'file']); Code (markup): If this would work then I believe it would lock any download.php request to that file location, correct?
Okay..think I finally got it now. Maybe you can look at this @nico_swd and tell me what you think.. download.php <? header('Content-Type: application/octet-stream'); header('Content-Disposition: attachment; filename="' . $_GET['filename'] . '"'); readfile('http://www.mydomain.com/folder/link/' . $_GET['file'] . ''); ?> Code (markup):
I'll take it one step further and disable changing directories: $_GET['file'] = '../..differentlinkfolder'. <?php // Use absolute link when downloading as opposed to relative links, unless its a CDN $file = 'folder/link/' . str_replace(array('/', '\\'), '', $_GET['file']); if (!file_exists($file)) { die(); } header('Content-Type: application/octet-stream'); header('Content-Disposition: attachment; filename="' . $_GET['file'] . '"'); readfile($file); ?> PHP:
I have a question... why the blue blazes do people dick around with onchange on select and redirect BS to do an anchor (or series of anchors) with CSS' job? Likewise, the idiotic halfwit garbage of dicking around with trying to hide a static files location and using readfile... for *** sake just link the user to the file!
For one, I myself don't want to do an anchor. Second of all, the purpose of hiding the static file locations and using the readfile method is because linking directly to a text file opens it in the browser and doesn't prompt you to download. You should know this and if you would have read all the posts maybe you would have. If you want to direct anchor to your files then that's your prerogative. Not all of us want to use this method. Welcome to the 21st century!
Too simple? Too easy? Too useful to users?!? Gracefully degrades since it doesn't need any scripting asshattery?!? Lemme guess, it's just too little code to possibly work... :/ .htaccess: AddType application/octet-stream .txt .doc .dot .otf .odt .rtf Code (markup): ... etc, etc, etc. If not on apache, most servers have ways of setting this without any goofy overhead.
Provided he can alter or add a .htaccess file. Not all hosts allow this, and he might not have the opportunity to change hosts. Don't assume that people are free to do whatever they want to achieve a goal. Sometimes, you have to take the long road. However, if .htaccess is available, yes! By all means, yes!