download count and show file size in php

Question

I have a script in which I upload pdf files which user can download.

Now I want to show download counts and file size in MB.

I also want some help to avoid any possible attack because my script is very much simple.

My download.php is as below

<?php
    include("admin/config.php");
    $id   = $_REQUEST['id'];
    $sql  = "SELECT * FROM novels  where id=$id";
    $rs   = mysql_query($sql);
    $row  = mysql_fetch_array($rs);
    $pdf  = $row['pdf'];
    $name = $row['title'];
    $path = 'admin/';
    $file = $path.$pdf;
    $filename = $pdf;
    header("Content-Type: application/octet-stream");
    header("Content-Disposition: attachment; filename='$name-bookspk.net.pdf'");
    header("Content-Length: filesize($file)");
    readfile($file);
    ?>

Answer 1

For download counts you could save to database

$sql = "UPDATE `novels` SET `count`=`count`+1 WHERE `id`=".(int)$id;

Assuming you have a count column

For download size you should move filesize out:

header("Content-Length: ".filesize($file));

This is for allowing browser to see progress, if you want to display it, it's same, you can store it in database

$sql = "UPDATE `novels` SET `size`=".filesize($file)." WHERE `id`=".(int)$id;

This should be set when you upload.

Remeber to escape your mysql queries because of vulnerability. For integers is simple as you can cast (int).

Answer 2

Try adding caching headers this should reduce the number of times the file is downloaded from the server if you are worried about false positives.

<?php
header("Expires: Sat, 26 Jul 2020 05:00:00 GMT"); // Date in the future
?>

You should probably store the file size in the table when it is uploaded that way you can get all the information out with one call to the database.