Creating a hyperlink from a variable in the filename

(Sorry if this is a really dumb question - I have done virtually nothing with PHP so still struggling to get to grips with the basics)

On one of my websites, I have non-web (.gpx) files available for download. At the moment, I just have links to those files in the HTML, but that isn’t ideal.

What I would like to have is a gateway page that gives instructions on how to download and use the files, and a brief disclaimer as well. But I don’t want to have to code up a gateway page for each and every download. What I would love to be able to do is something like:

<a href="/downloadgpx.php?file=route1">Download Route 1</a>

taking you to a gateway page “downloadgpx.php”, which has the generic blurb about downloading the files, and then uses the query in the URL to generate a link to
<a href="/downloads/route1.gpx">.

My question is … how do I go about generating the link in this way?

Sorry for being dumb, but why do I need to sanitise the input, and how do I go about that?

In your main page you could have something similar to this

 
<?php
 
$path = './';  //path to gpx files folder
 
// get list of gpx files
$files = scandir($path);
 
//display the links
foreach($files as $file) {
     if($file != '.' && $file != '..') {
         echo '<div><a href="downloadgpx.php?file='.urlencode($file).'">Download '.$file.'</a></div>';
      }
}
 
?>

and in downloadgpx.php

 
 
<?php
 
$filename = $_GET['file'];
?>
 
<div>
     <a href="/downloads/<?php echo $filename; ?>">Download <?php echo $filename; ?></a>
</div>

yep, very good point :slight_smile:

I was in KISS mode.

And please sanitize the input on downloadgpx.php first.

To not display the gateway for the file, just use this code:
<form action="download.php" name="myform" method="post">
<input type="hidden" name="f" value="file name to be download">
<a href="javascript: submitform()" style="font-size:20px; color:#BB4B2B; text-decoration:none"><strong>Click here to download the ebook</strong></a>
</form>

yep :agree: adding dirname() to the validation is even better but, not being a systems admin. guy, I would expect other system security/permissions to stop people linking to those type of directories.

Alright, I’ll go to /downloadgpx.php?file=…/…/…/etc/passwd then (:
(or however many times I need to repeat …/)

I’d go for this:

 
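<?php

$filename = $_GET['file'];
$path = '/downloads/';  // used as both the filesystem path and the URL path

// dirname('/downloads/') returns '/', so compare against the folder itself,
// without its trailing slash
if(dirname($path.$filename) === rtrim($path, '/') && @file_exists($path.$filename)) {
    // escape the value before writing it into the HTML
    $safe = htmlspecialchars($filename, ENT_QUOTES);
    echo '<div><a href="'.$path.$safe.'">Download '.$safe.'</a></div>';
}

?>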

Imho you should validate all inputs into a script just in case someone is trying to hack into the script for whatever reason.

In this case I would just make sure the file exists before displaying the download link. If someone tried to manipulate the value of $_GET['file'] then most probably the file will not exist and the link will not be displayed.

Otherwise it could be possible, albeit remote, that someone could cause the link to point to an unintended location.

Bottom line: validate all script inputs

 
<?php
 
$filename = $_GET['file'];
$path = '/downloads/';
 
if(@file_exists($path.$filename)) {
    echo '<div><a href="'.$path.$filename.'">Download '.$filename.'</a></div>';
}

?>
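
An added example (not code from any post in this thread) that pulls the thread's advice together for the original `?file=route1` design: the parameter is matched against an allowlist pattern, the resolved path must sit directly inside the downloads folder, and the output is escaped. The function name `gpx_download_link`, the temporary demo folder and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example, not code from the thread. The function name, $downloadDir
// and the '/downloads/' URL prefix are assumptions for illustration.

/**
 * Return the HTML link for a requested route, or null when the request is
 * not for a .gpx file sitting directly inside $downloadDir.
 */
function gpx_download_link(string $requested, string $downloadDir, string $urlPrefix = '/downloads/'): ?string
{
    // 1. Allowlist the name: letters, digits, '-' and '_' only, so slashes,
    //    dots and null bytes never reach a filesystem call.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $requested)) {
        return null;
    }

    // 2. Resolve symlinks and confirm the file lives directly in the folder.
    $base = realpath($downloadDir);
    $full = realpath($downloadDir . '/' . $requested . '.gpx');
    if ($base === false || $full === false || dirname($full) !== $base || !is_file($full)) {
        return null;
    }

    // 3. Encode for the URL, then escape for HTML, before output.
    $href  = htmlspecialchars($urlPrefix . rawurlencode(basename($full)), ENT_QUOTES, 'UTF-8');
    $label = htmlspecialchars($requested, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $href . '">Download ' . $label . '</a>';
}

// Constructed demo: a temporary folder stands in for the real downloads directory.
// On the gateway page the call would be:
//   gpx_download_link($_GET['file'] ?? '', __DIR__ . '/downloads');
$dir = sys_get_temp_dir() . '/gpx_demo_' . getmypid();
@mkdir($dir);
file_put_contents($dir . '/route1.gpx', '<gpx/>');

// Constructed sample inputs: one valid name, one missing file, two hostile values.
foreach (['route1', 'route2', '../../../etc/passwd', 'route1"><b>x'] as $input) {
    $link = gpx_download_link($input, $dir);
    echo str_pad(var_export($input, true), 26), ' => ', $link ?? 'rejected', PHP_EOL;
}

unlink($dir . '/route1.gpx');
rmdir($dir);
```

Only `route1` produces a link; the missing file and both hostile values are rejected before anything is written into the page.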