Code first, then an explanation:
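<?php
// Offer the response as a file download under the client-supplied name.
header("Content-Type: application/octet-stream");
header("Content-Disposition: attachment; filename=\"".$_POST['filename']."\"");
// One-time 32-character key, written at the start of the file.
$key = md5(rand());
echo $key;
// Repeat the key to cover the data, then XOR the data with it.
$key = str_repeat($key,ceil(strlen($_POST['data'])/32));
echo $_POST['data'] ^ $key;
?>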
What this does is allow me to POST data through a form (dynamically generated) and have the posted data be downloaded as a file.
I'm using a very basic XOR encryption that puts the (fixed-length, 32-byte) key at the start of the file. The intention is not to secure the data, but rather to obfuscate it.
Having such a file means that potentially anyone could POST whatever data they wanted to it and it would be offered as a download to the user's computer, but I believe a combination of the user having to accept the download, and the data being passed through XOR with a one-time key, is enough to prevent malicious use.
Is there any reason why I should not use such a file? Are there better alternatives to what I'm doing? Is application/octet-stream the appropriate MIME-type?
It is completely safe from the user's perspective, because it makes no sense for a user to harm themselves, and a POST cannot be passed by a potentially malicious URL or redirect. And even if it could, there is just a script that returns a file to download. This cannot harm anyone by definition.
But you should keep in mind that after you have sent it to the user, you can never trust the data if you later accept it back to deobfuscate and use in some way.
Is application/octet-stream the appropriate MIME-type?
As long as you return binary data, yes, it is appropriate.
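A variant of the script from the question that restricts the client-supplied filename before it reaches the Content-Disposition header, draws the key from random_bytes(), and tells the browser not to sniff the content type. This is an added example, not part of the original question or answer; the helper names safe_filename() and xor_obfuscate() are hypothetical, and it assumes PHP 7 or later.

```php
<?php
// Added example: hardened variant of the download script in the question.
// safe_filename() and xor_obfuscate() are hypothetical helper names.

function safe_filename(string $name): string {
    // Drop any path component (both separator styles), then keep only
    // characters that cannot close the quoted filename parameter.
    $name = basename(str_replace('\\', '/', $name));
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);
    $name = ltrim($name, '.');               // no hidden or dot-only names
    return $name === '' ? 'download.bin' : substr($name, 0, 100);
}

function xor_obfuscate(string $data, string $key): string {
    // Same scheme as the question: repeat the key to cover the data.
    // XOR is its own inverse, so this also reverses the obfuscation.
    $stream = str_repeat($key, (int) ceil(strlen($data) / strlen($key)));
    return $data ^ $stream;
}

if (PHP_SAPI !== 'cli') {
    // Accept only a POST carrying both fields as plain strings
    // (a field sent as filename[] would arrive as an array).
    if ($_SERVER['REQUEST_METHOD'] !== 'POST'
        || !isset($_POST['filename'], $_POST['data'])
        || !is_string($_POST['filename'])
        || !is_string($_POST['data'])) {
        http_response_code(400);
        exit;
    }

    // 32 hex characters, the same key length as md5(rand()),
    // but taken from the operating system's random source.
    $key  = bin2hex(random_bytes(16));
    $body = $key . xor_obfuscate($_POST['data'], $key);

    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="'
        . safe_filename($_POST['filename']) . '"');
    header('Content-Length: ' . strlen($body));
    echo $body;
}
```

If a file produced this way is later uploaded back and decoded, the decoded bytes need the same validation as any other user input, since the key travels in the file itself.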