\s\\/]{1,60}\.(sql|ics|txt)$%',$_GET['ftd'])) { exit('not permitted - no or wrong file name'); } // no way! $fName = $_GET['ftd']; //file to download $rName = $_GET['rName']; //rename $dName = './files/'; if (file_exists($dName.$fName)) { //file valid header("Content-type: application/octet-stream"); header("Content-Disposition: attachment; filename=$rName"); readfile($dName.$fName); //send download } else { echo "File not present"; } ?>