I'm at a bit of a loss as to why this folder is not being found. I have a script that, after searching a database to find the $filename of someone's purchase based on a stored random code, should simply return their file. My code looks like this (including the trailing end of the db query):
$stmt_2 -> bind_result($filename);
$stmt_2 -> fetch();
$stmt_2 -> close();
// For .zip files
$filepath='/media-files/Label/' . $filename;
if (headers_sent()) {
echo 'HTTP header already sent';
} else {
if (!is_file($filepath)) {
header($_SERVER['SERVER_PROTOCOL'].' 404 Not Found');
echo 'File not found.';
} else if (!is_readable($filepath)) {
header($_SERVER['SERVER_PROTOCOL'].' 403 Forbidden');
echo 'File not readable.';
} else {
header('Content-Type: application/zip');
header('Content-Disposition: attachment; filename="' . basename($filepath) . '"');
header('Content-Length: ' . filesize($filepath));
readfile($filepath);
exit;
}
}
When I run this code, I receive "File not found." so !is_file($filepath) is where it is getting tripped up -- However, the path is correct and the zip is definitely there, so I'm not sure what is wrong here.
In terms of debugging, I've tried removing the checks, going directly to the headers and readfile, which returns an empty zip folder. What does work is if I navigate directly to the file by URL...
UPDATE
The file path issue has been fixed, but I am still not able to download the file. In all attempts I get either ERR_INVALID_RESPONSE or if I try to brute force download the file, it returns an empty file. I tried using these headers with no success:
header_remove();
ob_end_clean();
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $filename . '"');
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate');
header('Pragma: public');
header('Content-Length: ' . filesize($filepath));
readfile($filepath);
ob_end_flush();
exit;
They are large audio files, which appears to be causing the issue...
You have two types of pathes:
(a) The path of an URL. You have a web-adress which defines the root of your webpage.
e.g. https://www.stackoverflow.com is the start of the site. If you adress /questions at this site you always have the path https://www.stackoverflow.com/questions
(b) The path of the drive where the webpage is located. It is the filesystem-root.
e.g. /home/httpd/html/MyWebPage/questions
If you try to use /questions in (b) it will fail because you need the whole path.
So, this said you need to know where '/media-files/Label/'.$filename is located. It seems to me that /media-files is not at root-level of your filesystem (b).
Maybe it is at the web-root but this is not enough for your system to find the file. Therefore you need something like this:
'/root/httpd/MyWebPage/media-files/Label/'.$filename
Nico Haase was absolutely correct, this is an issue with misunderstanding of paths. Here is a link to an article that should clear things up:
https://phpdelusions.net/articles/paths
Currently your script is trying to find the file in:
/media-files/Label/file.zip
not:
/var/www/myproject/media-files/Label/file.zip
The linked article should provide you with all the neccesary information.
TLDR;
use:
$filepath=$_SERVER['DOCUMENT_ROOT'].'/media-files/Label/' . $filename;
UPDATE
With the file size issue it might be that PHP runs out of allowed memory when trying to load the whole file. We could try something like:
flush();
$file = fopen($filepath, "r");
while(!feof($file)) {
// send the current file part to the browser
print fread($file, round(10 * 1024));
// flush the content to the browser
flush();
}
fclose($file);
There are some issues with flush() but it's a good shot I think. You can have a read on: https://www.php.net/manual/en/function.flush
Other then that there is always the possibility to split the file into smaller chunks.
Related
I am having a problem with my webpage. I am building a report tool for downloading data as .csv - I have a php skript which aggregates the data and builds a csv from it. The skript is invoked with the exec() command, detailed code is below. The skript itself uses file_put_contents() to generate the file, which is then stored in my /tmp/ folder until its downloaded (I am working in a dockerized environment and our filter rules delete the file at the next request, but I could store the file permanently somewhere else if that would be neccessary). I am then checking if the file is present with file_exists() and proceed to invoke my download function. In Firefox I get the desired result, a file with the correct content of only the csv data.
My main Problem is: When I download the csv in Chrome I get the csv data followed by the html source of my page - so starting with <!doctype html> in the first line after the csv data, then <html lang="de">in the next line of te csv and so on..
Let me show you some code:
In my skript:
private function writeToFile($csv)
{
$fileName = '/path/to/file' '.csv';
echo "\n" . 'Write file to ' . $fileName . "\n";
file_put_contents($fileName, $csv);
}
In my page class:
$filePath = '/path/to/finished/csv/'
exec('php ' . $skriptPath . $skriptParams);
if (file_exists($filePath)) {
$this->downloadCsv($filePath);
} else {
$pageModel->addMessage(
new ErrorMessage('Error Text')
);
}
My download function in the same class:
private function downloadCsv($filePath)
{
header('Content-Description: File Transfer');
header('Content-Type: text/csv');
header('Content-Disposition: attachment; filename="' . basename($filePath) . '"');
header('Content-Length: ' . filesize($filePath));
readfile($filePath);
}
The shown above is working in Firefox, but not in Chrome. I already tried to clear the output buffer with ob_clean() or send and disable it with ob_end_flush() but nothing worked for Chrome.
I also tried something like this in my download function:
header('Content-Disposition: attachment; filename="' . basename($filePath) . '"');
$fp =fopen($filePath, 'rw');
fpassthru($fp);
fclose($fp);
This produces the same results in Firefox and Chrome - I get the csv data followed by the html sourcecode mixed into the same file.
I am working within a Symfony framework if that could be from help, I saw there are some helper functions for file downloads but I so far I could not use them with success..
Until now my target is only to get the download working in Chrome to have a working mvp which can go into production - it is supposed to be for internal use only, so I don't have to care about IE or some other abominations because our staff is told to use a normal browser... But when someone sees flaws in the general concept feel free to tell me!
Thanks in advance :)
So I managed to get it working, I was on the wrong track with the output buffer, but a simple exit()after my readfile()was enough to stop parts of the html ending up in the csv file.
Code:
private function downloadCsv($filePath)
{
header('Content-Description: File Transfer');
header('Content-Type: text/csv');
header('Content-Disposition: attachment; filename="' . basename($filePath) . '"');
header('Content-Length: ' . filesize($filePath));
readfile($filePath);
exit;
}
I'm trying to download files form server using PHP by passing the path and file name through URL, like this:
<a class="downloadBtn" style="float:left;" href="download_file.php?folder=<?php echo $codrepresentante.'&file='.$nomeArquivo ?>" >download</a>
Then I receive this PHP file:
<?php
$fileName = $_GET['file'];
$coisa=urldecode($fileName);
$path= "http://localhost/portal/boletos/".$_GET["folder"];
$filePath = $path.'/'.$coisa;
echo "caminho: ".$filePath;
if(file_exists($filePath)){
// Define headers
header("Content-Description: File Transfer");
header("Content-Transfer-Encoding: binary");
header("Content-Disposition: attachment; filename=".$coisa);
header('Content-Type: application/octet-stream');
header('Cache-Control: must-revalidate');
header('Content-Length: ' . filesize($coisa));
ob_clean();
flush();
// Read the file
echo readfile($filePath);
exit;
} else {
echo 'The file does not exist.';
}
?>
But I always get empty files or the The file does not exist response.
I got the $filePath variable and used in the browser to see if the path was wrong, but it worked, so the path is correct.
Could someone help me by indicating where I made a mistake?
Receiving empty file
Based on the code you've shown us, there shouldn't be any download at all.
echo "caminho: ".$filePath;
You're not seeing the errors PHP is reporting to you.
filesize($coisa)
That's the filename - not its full path.
but i always get empty files or the 'The file does not exist.'
So you don't get any download, zero length or other.
got the $filePath variable and used in the browser to see if the path was wrong
In the browser you specify a path relative to the document root - but in your PHP code your paths should be relative to the filesystem root.
You need to start by
learning how to describe an issue accurately
making sure you are capturing the error and warning messages PHP is telling you about
add instrumentation to your code so you can capture the internal state as the execution progresses
breakdown the coponent parts of what you are trying to achieve and test them in isolation
I have a php file to handle file downloads in a website. It is working as it should.
if($_GET['type'] == "pdf") {
$dir = __DIR__ . "/../src/files/pdf/" . $_GET['name'];
if(file_exists($dir)) {
header('Content-Description: File Transfer');
header('Content-Type: application/pdf');
header('Content-Disposition: attachment; filename='.basename($dir));
header('Expires: 0');
header('Cache-Control: must-revalidate');
header('Pragma: public');
header('Content-Length: ' . filesize($dir));
readfile($dir);
exit;
} else {
$_SESSION['err'] = "No file found";
header("location: index.php");
exit;
}
}
Now I want to count the times that a file is being downloaded. So I have a method inside a class in a different php file. I usually include this php file and create an instance of this class when I need to use some of its methods. The problem is that if I include the file in my file-handler.php the header will be different and the file would be corrupted when downloaded.
So, how can I use the method of this file in the file-handler without affecting the header?
If you include your counting file before at the top of file-hander.php file before you output your download headers then the download headers will replace whatever headers were output before.
Additionally. your counting file must not output any content at all as the client is expecting the file you are downloading and nothing else.
I agree 100% with #rjdown, your code creates a massive potential security issue. I would not put it on a server connected to an untrusted network (Like The Internet). If you would appreciate help making it secure then please ask that question.
I am using the following code to download files that are stored outside of the public folder.
$mime_type = mime_content_type("{$_GET['file']}");
define("IMG_LOC","/var/www/domain.com/upload/");
$filename = $_GET['file'];
header('Content-Description: File Transfer');
header('Content-Type: '.$mime_type);
header('Content-Disposition: attachment; filename='.basename(IMG_LOC.$filename));
header('Expires: 0');
header('Cache-Control: must-revalidate');
header('Pragma: public');
header('Content-Length: ' . filesize($filename));
readfile($filename);
exit;
The problem is, file downloaded using this script is not usable. Excel is opening empty, powerpoint tells "there is an error reading" and word tells its missing a converter. Whereas, if I download the same files using ftp and open them manually, the files open properly, showing that the files are not corrupt.
For info, this is getting called from another page as : file.php?file='. $filename
Any help will be welcome. Thanks for your time.
You seem to be missing the path to your file:
header('Content-Length: ' . filesize(IMG_LOC . $filename));
readfile(IMG_LOC . $filename);
You should also add validation for the filename to avoid security problems.
If you still have a problem, you should also check the exact output of the script, perhaps there are php warnings or messages before your file.
I'm deducing that $filename is not the absolute path to the file you're seeking and hence why you define the IMG_LOC constant with a path. It's clear from there that filesize($filename)and readfile($filename) will not likely give you what you want.
Try concatenating the constant before the $filename variable like so...
header('Content-Length: ' . filesize(IMG_LOC . $filename));
readfile(IMG_LOC . $filename);
Also, consider that this code is susceptible to header-injection attacks as well as other security issues such as the user supplying you with a filename on your server that you may not want them to see. For example if I call your script with the query string ?file=yourscript.php I will be able to download your actual PHP code and potentially see any sensitive information you might not want exposed like your database password, or worse.
Also, mime_content_type is a deprecated function and should be replaced with the Fileinfo extension instead.
You script has various issues which all in all will prevent it from properly working. I roughly go through the lines and leave some comments, write a little summary then and offer another code-example with the comments incorporated:
$mime_type = mime_content_type("{$_GET['file']}");
You don't need to wrap the $_GET superglobal in curly brackets and then into double quotes. It's just not necessary for that parameter. You seem to be distracted at this point.
Anyway, this mime-type thing isn't necessary as the mime-type is not interesting if you want to offer the download. You take application/octet-stream instead and you can take care later on for a more specific mime-type:
$mime_type = "application/octet-stream";
Then at the wrong position you define the IMG_LOC constant:
define("IMG_LOC", "/var/www/domain.com/upload/");
This belongs at the very top of the script instead as you define the configuration by that.
In the line:
$filename = $_GET['file'];
you don't do any further error checking this opens up your script to directory traversal and path injection attacks which actually turns the script as you have it into a backdoor. Any file the script has access to on that server can be downloaded.
The next two lines are more or less correct then:
header('Content-Description: File Transfer');
header('Content-Type: '.$mime_type);
For the next header:
header('Content-Disposition: attachment; filename='.basename(IMG_LOC.$filename));
I would extract the basename earlier and just pass a variable here. Same for the content-length header later:
header('Content-Length: ' . filesize($filename));
Then you have this block of caching headers, as you serve the file from disk I don't think those are actually necessary, so I would remove them:
header('Expires: 0');
header('Cache-Control: must-revalidate');
header('Pragma: public');
The readfile line seems ok, you could do some error checking however:
readfile($filename);
And the last line I don't understand, as the script is at the end anyway, why exit?
exit;
My suggestions after this little review:
Gather the information which files should be served and how they must be named. Gathering such information will allow you to close the directory traversal issue which you have to close first.
Second putting the logic part above the output (and the configuration above the logic) should allow you to order the script in a more useful manner allowing you to handle issues with the mime-type for example easier when you maintain the script (or the caching if it is really an issue).
<?php
/**
* download a file
*
* parameter:
*
* file - name of the relative to upload folder
*/
const IMG_LOC = "/var/www/domain.com/upload";
// validate filename input
if (!isset($_GET['file'])) {
return;
}
$filename = $_GET['file'];
$path = realpath(IMG_LOC . '/' . $filename);
if (0 !== strpos($path, IMG_LOC)) {
return;
}
if (!is_readable($filename)) {
return;
}
// obtain data
$basename = basename($filename);
$mime_type = "application/octet-stream"; # can be improved later
$size = filesize($path);
// output
header('Content-Description: File Transfer');
header('Content-Type: ' . $mime_type);
header('Content-Disposition: attachment; filename=' . $basename);
header('Content-Length: ' . $size);
readfile($filename);
I have a script which automatically downloads a file.
It works perfectly to download the file, but the problem is that 50% or more of the time, it downloads a corrupt file.
Usually deleting and downloading again works, but not always.
How can I make this download 100% of the time perfectly always, not corrupted?
The file size changes depending on the file being downloaded.
<?php
// Automatically Start File Download
if (isset($_GET['filename'])):
$filename = $_GET['filename'];
$domain = "http://www.domain.com";
$filepath = "/addons/downloads/websites/";
//BUILD THE FILE INFORMATION
$file = $domain . $filepath . $filename;
// echo $filepath . $filename;
// echo $file;
//CREATE/OUTPUT THE HEADER
if (file_exists("/home/unrealde/public_html/ebook/domain.com/".$filepath . $filename)):
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename='.basename($file));
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
header('Content-Length: ' . filesize($file));
ob_clean();
flush();
readfile($file);
else:
$errorMsg = "<b>Download Error: File $filename Doesnt Exist!</b> <br />Please Contact <a href='mailto:support#domain.com'>support#domain.com</a>";
endif;
echo $errorMsg;
else:
// don't download any file
endif;
?>
My hunch is that something in your program is outputting some data other than the file itself.
Have you looked at the corrupt file in a binary editor and compared it with a non-corrupt version? What you'll find is that either at the beginning or the end of the file, you have some unexpected data, and this is what is corrupting the file.
If you look that file this way, it may become very obvious what the problem is. For example, you may have the file, followed by an error message, in which case maybe your line echo $errorMsg; is the culprit.
Alternatively you may have some blank space. This could also be the same error message, or it could be that your PHP tags have blank lines above or below them, which are being printed.
My first suggestion would be, since the program is effectively finished when the file is output, to put an explicit die; function immediately after the readfile(); line. This will categorically prevent any further spurious data being output once the file has been sent.
That won't help if the bad data is being sent before the readfile();, but it does rule out half the possible problems in one swoop.
Can't you just tar/gzip/zip the contents and provide a tar/gzip/zip file for download instead ?
Smaller file transfer increase chances of success over http transfer,
and more importantly, you can provide checksum for user to verify against
Try adding error_reporting(0); at the beginning of the script. Just for fun. If you check php.net for readfile, others have reported that this helps.