b-log – betriebsraum weblog

Software Development, Human-Computer Interaction, Projects…

Loading files from the outside of htdocs / Forcing download

October 19, 2005

Loading files from the outside of htdocs:
Flash has the permission only to access files in the htdocs directory because it’s connecting from the clientside. If you want to load a file from the outside of the htdocs directory into your swf file (for example if you don’t want unauthorized users to download your files by entering the url into the browser directly) you can use the following simple php snippet:

The script opens the file, reads in the content and sends it to your swf:

$pathToFile = "../outsideHtdocs/" . basename($_GET["file"]);
$handle = @fopen($pathToFile, "r");
$contents = @fread($handle, filesize($pathToFile));
@fclose($handle);
echo $contents;

In your fla file you could write:

var holderMC:MovieClip = createEmptyMovieClip("h_mc",1);
loadMovie("readFile.php?file=myFile.swf", holderMC);

Forcing download:
If the user clicks on a link to a file (e.g. pdf or word documents) and you don’t want the file to be opened in the browser window directly you can force the download of the file. Just change the header of the requested file so that the download dialog appears with this piece of php code:

In your fla file you could write:

getURL("forceDownload.php?file=myFile.pdf");

I think these two snippets can come in handy when dealing with files and upload/download stuff in flash.

Filed under: Flex/AS3

2 Responses to “Loading files from the outside of htdocs / Forcing download”

  1. Pedro says:

    for example if you don’t want unauthorized users to download your files by entering the url into the browser directly

    Of course, it should be made clear that users could still acess the file using the “readFile.php?filename=myFile.swf” URL. Also note the path to the file shouldn’t be input from the URL, just a reference to which one is taken — otherwise you’re opening yourself up for a vast array of attacks involving unauthorized access to files in your web server.

    The technique is still valid, just needs a bit polish, IMHO.

    Cheers!

  2. christoph says:

    You are right but this was just a simple example. In an application where files must be protected, you would have to check the permisson first.
    A more “polished” version can be found at Zend.com.

Add a comment

Follow comments to this post by subscribing to the comment feed.