
upload/download files in php

  • 13-03-2006 3:51pm
    #1
    Closed Accounts Posts: 8,866 ✭✭✭


    I'm trying to allow for files to be uploaded and downloaded on a website. The upload seems to be working fine, the file saves to the database with all the correct info, i.e. name, size, file type.

    I then display the files in a table and upon clicking a file name it should download, which is also nearly there. The problem is the file size is only ~700 bytes, even though the file is actually 35kB. Below are the upload and download scripts:

    Upload:
    <form enctype="multipart/form-data" name=frm1 action="savetask.php" method="POST">
    <input type=hidden name=task_id value="<?php echo($id) ?>">
    <table width=95% cellspacing=0 cellpadding=0 class=newtbl>
    <tr>
    <th colspan=2 width=100%>Please Enter Task Details</th>
    </tr>
    <tr>
    <td colspan=2> </td>
    </tr>
    <tr>
    <td>Name</td>
    <td><input name=task_name value="<?php echo($task_name) ?>"></td>
    </tr>
    <tr>
    <td>Priority</td>
    <td><input name=task_priority value="<?php echo($task_priority) ?>"></td>
    </tr>
    .......................
    <tr>
    <td>Choose a file to upload:</td>
    <td><input type="hidden" name="MAX_FILE_SIZE" value="2000000"><input name="userfile" type="file" id="userfile"></td>
    </tr>
    <tr>
    <td colspan=2 align=right><input name="upload" type="submit" class="box" id="upload" value="Save"></td>
    </tr>

    Then there is a table displaying the files and when you click on them it points to this script:
    <?php

    include 'functions.php';

    if (isset($_GET['id']))
    {
        // if id is set then get the file with the id from database

        $id = $_GET['id'];
        $query = "SELECT name, task_id, type, size, content FROM upload WHERE task_id='{$v['id']}'";

        $result = mysql_query($query) or die('Error, query failed');
        list($name, $type, $size, $content) = mysql_fetch_array($result);

        header("Content-length: $size");
        header("Content-type: $type");
        header("Content-Disposition: attachment; filename=$name");
        echo $content;

        include 'header.php';

        exit;
    }

    ?>
    Thoughts?


Comments

  • Closed Accounts Posts: 2,046 ✭✭✭democrates


    Have you tried to echo $query after
    $query = "SELECT name, task_id, type, size, content FROM upload WHERE task_id='{$v['id']}'";
    and running it directly in mysql?
    That {$v} is new to me, I'd have been putting simply $id between the single quotes, what does it do and where did $v come from? Functions.php or something?
    Edit: PS have you checked the files are saved to disk after upload with the correct size?


  • Closed Accounts Posts: 8,866 ✭✭✭Adam


    I can't echo the $query because download.php doesn't actually appear, there is no page, just the script that presents me with a download pop up.

    As for '{$v}', it works much the same but to be honest I'm not sure what use it is over '$id', my boss incorporates it into his scripts all the time so I just follow protocol! It's defined in functions.php as
    foreach($_REQUEST as $key=>$val) {
        $v[$key]=$val;
    }

    EDIT: Yes it definitely uploads correctly


  • Registered Users Posts: 7,314 ✭✭✭Nietzschean


    You can display the page if you comment out those lines sending the file type headers, for debugging purposes, and make sure it's getting the right size/type and so on.
    Comment out:
    header("Content-length: $size");
    header("Content-type: $type");
    header("Content-Disposition: attachment; filename=$name");


  • Closed Accounts Posts: 2,046 ✭✭✭democrates


    Save a backup of the file to keep your code, then back in the one that's running, temporarily cut out the pop-up window bits and anything else not necessary, so you can simply echo $query.

    Ah, $v is an array of input variables (be they GET or POST as he's getting them from $_REQUEST) which functions.php assembles and perhaps validates? You may as well get id from that array
    $v
    instead of going back to the unvalidated source
    $_GET
    for it.
    Otherwise you may be open to an SQL injection attack if someone calls the download script direct. E.g. from the browser: http://www.yoursite.com/downloadscript.php?id=0']' or task_id<>'0
    or somesuch (that won't do it but hackers know how, call me paranoid).

    Main Edit: Total nonsense deleted - the curly braces are needed to evaluate an expression (eg retrieve a value by key name from an array) rather than just interpolate a single variable. At least you've helped me out, sorry if all I can offer on this one is the diagnosis tip.
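
Added example (not part of the thread and not the posters' code): a download lookup that addresses the injection concern raised above with a bound parameter, and fetches columns by name so they cannot shift the way the posted four-variable list() does against a five-column SELECT. The PDO connection, the function names and the in-memory SQLite demo data are assumptions; the table and column names come from the posted query.

```php
<?php
// Added example, not the thread's code. Table/column names follow the posted
// query; the PDO connection and function names are assumptions.

// Look up one upload by task id with a bound parameter.
function fetch_upload(PDO $pdo, $rawId): ?array
{
    // Accept only a positive integer id; anything else never reaches SQL.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $pdo->prepare(
        'SELECT name, type, size, content FROM upload WHERE task_id = ?'
    );
    $stmt->execute([$id]);
    // Fetch by column name so values cannot shift position against the SELECT list.
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Build response headers without trusting the stored metadata.
function download_headers(array $file): array
{
    // Drop path parts and any character that could break out of the header line.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($file['name']));
    return [
        'Content-Type: application/octet-stream',      // not the uploader-supplied type
        'X-Content-Type-Options: nosniff',
        'Content-Length: ' . strlen($file['content']), // measured, not the stored size
        'Content-Disposition: attachment; filename="' . $name . '"',
    ];
}

// Constructed demo data in an in-memory SQLite database (assumes pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE upload (task_id INTEGER, name TEXT, type TEXT, size INTEGER, content BLOB)');
$pdo->prepare('INSERT INTO upload VALUES (?, ?, ?, ?, ?)')
    ->execute([7, "notes\r\nX-Test: 1.txt", 'text/html', 35000, str_repeat('A', 35000)]);

// The malformed id from the post above fails validation, so no query is run for it.
var_dump(fetch_upload($pdo, "0']' or task_id<>'0"));
$file = fetch_upload($pdo, '7');
print_r(download_headers($file));
// In the live script: pass each line to header(), echo $file['content'], then
// exit before any template such as header.php can append output to the body.
```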


  • Closed Accounts Posts: 8,866 ✭✭✭Adam


    No problem, I'll give your suggestion a lash! Glad to be of service :D

