Download Link for Any File Type
"Download This File" is an easy downloader built with PHP. Link to downloadthisfile.php from your web page, and the file downloads.
To block hackers from downloading just anything from your site, you list (a) the complete individual file names that may be downloaded and (b) the file name extensions of the type of files that may be downloaded.
Download This File also automatically blocks downloading of any file below the document root — from any directory or its subdirectory where your domain's main or index file is located.
Although the Download This File software tells the browser to download the file and save it to the site visitor's hard drive, the browser may do something different.
Site visitors may view your site with a phone or other tool that is not set up to download or doesn't have sufficient storage space available for your file. In that case, the browser may attempt to display the file. Further, the browser may be set up to always display certain types of files in the browser, such as PDF, PHP, text, and image files.
The browser always has the final say.
To implement the download functionality on your website, the first thing to do is copy the source code below and do any customizing that may be required. Then, upload the Download This File script to your server. Name it downloadthisfile.php or another *.php file name you prefer. (Customizing instructions follow this source code.)
<?php /* Download This File Version 1.0 November 11, 2025 Will Bontrager Software LLC https://www.willmaster.com/ */ /* Customization. */ // There is one required customization and one optional customization. // 1. (Required) // Between the lines below that contain the word ALLOWED, // list the file names and/or file name extensions that may be downloaded. // If the item you list begins with a period, it is considered a file name extension. // Otherwise, the item is considered a complete file name. $AllowedFiles = <<<ALLOWED .pdf my-image.png .jpg .jpeg ALLOWED; // 2. (Optional) // This provides the means to hide the server location of the downloadable file: // If $HackRoot is present with a value, // the location of the downloadable file is determined from $HackRoot. // Otherwise, // the location of the downloadable file is determined from the document root. $HackRoot = ""; /* End of customizations. */ if( ! isset($_GET['file']) ) { echo 'Invalid access.'; exit; } $downloadable = basename($_GET['file']); $isOK = false; foreach(preg_split('/\s+/',trim($AllowedFiles)) as $f) { if( strpos($f,'.')===0 and preg_match('/'.preg_quote($f,'/').'$/',$downloadable) ) { $isOK = true; } elseif( $f==$downloadable ) { $isOK = true; } if($isOK) { break; } } if(!$isOK) { echo 'Invalid file.'; exit; } if( isset($HackRoot) ) { $HackRoot = $_SERVER['DOCUMENT_ROOT'] . (preg_replace('/^'.preg_quote($_SERVER['DOCUMENT_ROOT'],'/').'/','',$HackRoot)); } else { $HackRoot = $_SERVER['DOCUMENT_ROOT']; } $Location = "$HackRoot{$_GET['file']}"; $Location = realpath($Location); if(!$Location) { echo 'Unable to locate downloadable file.'; exit; } $Location = $_SERVER['DOCUMENT_ROOT'] . (preg_replace('/^'.preg_quote($_SERVER['DOCUMENT_ROOT'],'/').'/','',$Location)); if(!file_exists($Location)) { echo 'Downloadable file not found.'; exit; } $Outfile = ( isset($_GET['name']) and strlen($_GET['name']) ) ? trim($_GET['name']) : $downloadable; header('Content-Type:application/octet-stream'); header("Content-Disposition:attachment; filename=$Outfile"); readfile($Location); exit; ?>
Customzing —
There are two places that can be customized. One is required, authorizing the files that may be downloaded. The other is optional, a way to hide the server location of the downloadable file.
-
The first option to customize is required. It is where you specify which files may be downloaded. You specify either
-
The complete file name, in which case the specified file may be downloaded.
-
The file name extension, in which case files with that extension may be downloaded.
OR
Specify the files that may be downloaded between the lines that contain the word
ALLOWED. Blank lines are acceptable. Files may be separated with a space and/or a line break. -
-
The second option is optional. If you wish to hide the server location of your downloadable files, you may specify a directory where the files will be found.
To specify a directory for downloads, type the directory location between the quotation marks of this line:
$HackRoot = "";As an example, to specify that all downloadable files are in
/downloadsor its subdirectories:$HackRoot = "/downloads";
Making Download Links
With Download This File installed, you can now make links for your site visitors to download. (The following examples assume Download This File is installed at /downloadthisfile.php on your website.)
Let's suppose you have a file named mydoc.pdf in the /downloads directory. This link can be provided to download the file.
<a href="/downloadthisfile.php?file=/downloads/mydoc.pdf"> Download mydoc.php </a>
The link is to your downloadthisfile.php installation followed by ?file= and the location of the file to download. For this example, the location is /downloads/mydoc.pdf
When you installed /downloadthisfile.php on your website, you will have authorized the file to download — either by its full file name or by its file name extension.
Specifying the save-as file name.
If you wish, you may specify the file name that should be used to save the downloaded file on your site visitor's hard drive. Example:
<a href="/downloadthisfile.php?file=/downloads/mydoc.pdf&name=yourdoc.pdf"> Download mydoc.php and save it as yourdoc.php </a>
After specifying the file to download, add &name= and the save-as name. In this example, the save name is yourdoc.pdf
Hiding Downloadable File Server Location
There may be reasons you want to hide your downloadable file's server location. As examples, it may be frequently updated or contain confidential information that should be known only to certain people. As a third example, your reason might be just because you want to.
To implement that functionality, specify a directory in the Download This File script. It is the second customization option you read about further above.
This example will specify the /special directory for download file locations.
$HackRoot = "/special";
Now, when you make downloadable links, do not include the /special directory in the download URL
These links will download myspecialfile.pdf from the /special/myspecialfile.pdf location. But the links just specify the file name, not its directory, thereby hiding the file's server location.
<a href="/downloadthisfile.php?file=myspecialfile.pdf"> Download mydoc.php and save it as yourdoc.php </a> <a href="/downloadthisfile.php?file=myspecialfile.pdf&name=yourspecialdoc.pdf"> Download mydoc.php and save it as yourdoc.php </a>
The Download This File script lets you link to any file type to download it. For security, the file name or file name extension of the file must be specified in the script. Optionally, you can hide the server locations of the downloadable files.
(This content first appeared in Possibilities newsletter.)
Will Bontrager
