I have a quick question about how safe this is to do. I have written a php force download script and the part that actually serves the file should look pretty familiar:
```php
header('Content-Description: File Transfer');
header('Content-Type: application/force-download');
header('Content-Length: ' . filesize("user_files/".$temp_actual));
header('Content-Disposition: attachment; filename="'.$filename."\"");
readfile("user_files/".$temp_actual);
```
$filename is the filename they see and $temp_actual is the REAL filename on my server. Obviously there is a mountain of code above this to prevent bad things happening but basically, users should be able to download any content they have uploaded. If they upload a .php file, I really don't want it running on the server, I want it delivered to them via force download (and they DO need to be able to upload any file type).
It works as intended, with all file extensions being force downloaded, but I just want to make absolutely certain that they can't run any php or html files on my server.
Additional info:
- user_files is in the website root, however it is .htaccess "deny from all".
- Every file in the user_files directory is appended .file instead of the original extension; the original extension is replaced when the user downloads their file (maybe a bit over the top).
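
A hardened form of the serving step described in the question, as an added example that is not part of the original post. It assumes the user_files/ layout and the $filename / $temp_actual variables from the question; the function names and the sample values at the bottom are hypothetical.

```php
<?php
// Added example, not the poster's code.

// Resolve a server-side stored name to a real path that must stay inside $baseDir.
function resolve_stored_file(string $baseDir, string $storedName): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // basename() drops any directory part, so "../x" cannot climb out.
    $path = realpath($base . DIRECTORY_SEPARATOR . basename($storedName));
    if ($path === false || !is_file($path)) {
        return null;
    }
    // realpath() follows symlinks, so check containment on the resolved path.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Make the user-facing name safe to place inside a quoted header value.
function safe_download_name(string $name): string
{
    $name = basename(str_replace('\\', '/', $name));
    // Strip control characters and double quotes that would break the header.
    $name = preg_replace('/[\x00-\x1F\x7F"]/', '', $name);
    return ($name === null || $name === '') ? 'download' : $name;
}

function send_download(string $path, string $displayName): void
{
    $name = safe_download_name($displayName);
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff'); // stop browsers guessing text/html
    header('Content-Length: ' . filesize($path));
    header('Content-Disposition: attachment; filename="' . $name . '"'
        . "; filename*=UTF-8''" . rawurlencode($name));
    readfile($path); // streams the bytes; the file is never parsed as PHP
}

// Constructed sample values; in the real script these come from the lookup code.
$temp_actual = 'a1b2c3.file';
$filename    = 'report.php';

$path = resolve_stored_file(__DIR__ . '/user_files', $temp_actual);
if ($path === null) {
    http_response_code(404);
    exit;
}
send_download($path, $filename);
```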