I'm trying to download files form server using PHP by passing the path and file name through URL, like this:
<a class="downloadBtn" style="float:left;" href="download_file.php?folder=<?php echo $codrepresentante.'&file='.$nomeArquivo ?>" >download</a>
Then I receive this PHP file:
<?php
$fileName = $_GET['file'];
$coisa=urldecode($fileName);
$path= "http://localhost/portal/boletos/".$_GET["folder"];
$filePath = $path.'/'.$coisa;
echo "caminho: ".$filePath;
if(file_exists($filePath)){
// Define headers
header("Content-Description: File Transfer");
header("Content-Transfer-Encoding: binary");
header("Content-Disposition: attachment; filename=".$coisa);
header('Content-Type: application/octet-stream');
header('Cache-Control: must-revalidate');
header('Content-Length: ' . filesize($coisa));
ob_clean();
flush();
// Read the file
echo readfile($filePath);
exit;
} else {
echo 'The file does not exist.';
}
?>
But I always get empty files or the The file does not exist response.
I got the $filePath variable and used in the browser to see if the path was wrong, but it worked, so the path is correct.
Could someone help me by indicating where I made a mistake?
Receiving empty file
Based on the code you've shown us, there shouldn't be any download at all.
echo "caminho: ".$filePath;
You're not seeing the errors PHP is reporting to you.
filesize($coisa)
That's the filename - not its full path.
but i always get empty files or the 'The file does not exist.'
So you don't get any download, zero length or other.
got the $filePath variable and used in the browser to see if the path was wrong
In the browser you specify a path relative to the document root - but in your PHP code your paths should be relative to the filesystem root.
You need to start by
learning how to describe an issue accurately
making sure you are capturing the error and warning messages PHP is telling you about
add instrumentation to your code so you can capture the internal state as the execution progresses
breakdown the coponent parts of what you are trying to achieve and test them in isolation
Related
I'm at a bit of a loss as to why this folder is not being found. I have a script that, after searching a database to find the $filename of someone's purchase based on a stored random code, should simply return their file. My code looks like this (including the trailing end of the db query):
$stmt_2 -> bind_result($filename);
$stmt_2 -> fetch();
$stmt_2 -> close();
// For .zip files
$filepath='/media-files/Label/' . $filename;
if (headers_sent()) {
echo 'HTTP header already sent';
} else {
if (!is_file($filepath)) {
header($_SERVER['SERVER_PROTOCOL'].' 404 Not Found');
echo 'File not found.';
} else if (!is_readable($filepath)) {
header($_SERVER['SERVER_PROTOCOL'].' 403 Forbidden');
echo 'File not readable.';
} else {
header('Content-Type: application/zip');
header('Content-Disposition: attachment; filename="' . basename($filepath) . '"');
header('Content-Length: ' . filesize($filepath));
readfile($filepath);
exit;
}
}
When I run this code, I receive "File not found." so !is_file($filepath) is where it is getting tripped up -- However, the path is correct and the zip is definitely there, so I'm not sure what is wrong here.
In terms of debugging, I've tried removing the checks, going directly to the headers and readfile, which returns an empty zip folder. What does work is if I navigate directly to the file by URL...
UPDATE
The file path issue has been fixed, but I am still not able to download the file. In all attempts I get either ERR_INVALID_RESPONSE or if I try to brute force download the file, it returns an empty file. I tried using these headers with no success:
header_remove();
ob_end_clean();
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $filename . '"');
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate');
header('Pragma: public');
header('Content-Length: ' . filesize($filepath));
readfile($filepath);
ob_end_flush();
exit;
They are large audio files, which appears to be causing the issue...
You have two types of pathes:
(a) The path of an URL. You have a web-adress which defines the root of your webpage.
e.g. https://www.stackoverflow.com is the start of the site. If you adress /questions at this site you always have the path https://www.stackoverflow.com/questions
(b) The path of the drive where the webpage is located. It is the filesystem-root.
e.g. /home/httpd/html/MyWebPage/questions
If you try to use /questions in (b) it will fail because you need the whole path.
So, this said you need to know where '/media-files/Label/'.$filename is located. It seems to me that /media-files is not at root-level of your filesystem (b).
Maybe it is at the web-root but this is not enough for your system to find the file. Therefore you need something like this:
'/root/httpd/MyWebPage/media-files/Label/'.$filename
Nico Haase was absolutely correct, this is an issue with misunderstanding of paths. Here is a link to an article that should clear things up:
https://phpdelusions.net/articles/paths
Currently your script is trying to find the file in:
/media-files/Label/file.zip
not:
/var/www/myproject/media-files/Label/file.zip
The linked article should provide you with all the neccesary information.
TLDR;
use:
$filepath=$_SERVER['DOCUMENT_ROOT'].'/media-files/Label/' . $filename;
UPDATE
With the file size issue it might be that PHP runs out of allowed memory when trying to load the whole file. We could try something like:
flush();
$file = fopen($filepath, "r");
while(!feof($file)) {
// send the current file part to the browser
print fread($file, round(10 * 1024));
// flush the content to the browser
flush();
}
fclose($file);
There are some issues with flush() but it's a good shot I think. You can have a read on: https://www.php.net/manual/en/function.flush
Other then that there is always the possibility to split the file into smaller chunks.
I'm doing a little script that convert a csv to json with php.
I would like that, when you upload the file and the conversion is done, the converted file is automatically downloaded
exec(/*some stuff*/); // i call the script that convert the csv into json, i get my converted file path back
chmod($newFilePath, 0777); // i give all access to the new file
startDownload($newFilePath); // i ask the autoDownload
And here is the download function
function startDownload($path){
if (file_exists($path)) {
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename='.basename($path));
header('Cache-Control: must-revalidate');
header('Pragma: public');
header('Content-Length: ' . filesize($path));
readfile($path);
exit();
}
}
If I echo readfile($path); or filesize($path) I got the file content (which is exactly want i want) and the good informations, and I'm sure the path is correct. But when i execute the script nothing happens.
I'm probably missing something dumb ^^
How can I make the user download this json file?
I tried to make a link and he do the same, is this a problem of access or something like that?
EDIT :
I tester this script in Local, it works perfectly, so the problem is from the permissions or something like that. I'm really bad with this kind of stuff, so if you have some idea that could help ^^
Thx for the help!
Missing semicolon after exec :
exec(); // i call the script that convert the csv into json, i get my converted file path back
chmod($newFilePath, 0777); // i give all access to the new file
startDownload($newFilePath); // i ask the autoDownload
I woul'd check if chmod has really changed the path permission:
if(chmod($newFilePath, 0777)){
startDownload($newFilePath);
}else{
die('Permission denied');
}
I am using the following code to download files that are stored outside of the public folder.
$mime_type = mime_content_type("{$_GET['file']}");
define("IMG_LOC","/var/www/domain.com/upload/");
$filename = $_GET['file'];
header('Content-Description: File Transfer');
header('Content-Type: '.$mime_type);
header('Content-Disposition: attachment; filename='.basename(IMG_LOC.$filename));
header('Expires: 0');
header('Cache-Control: must-revalidate');
header('Pragma: public');
header('Content-Length: ' . filesize($filename));
readfile($filename);
exit;
The problem is, file downloaded using this script is not usable. Excel is opening empty, powerpoint tells "there is an error reading" and word tells its missing a converter. Whereas, if I download the same files using ftp and open them manually, the files open properly, showing that the files are not corrupt.
For info, this is getting called from another page as : file.php?file='. $filename
Any help will be welcome. Thanks for your time.
You seem to be missing the path to your file:
header('Content-Length: ' . filesize(IMG_LOC . $filename));
readfile(IMG_LOC . $filename);
You should also add validation for the filename to avoid security problems.
If you still have a problem, you should also check the exact output of the script, perhaps there are php warnings or messages before your file.
I'm deducing that $filename is not the absolute path to the file you're seeking and hence why you define the IMG_LOC constant with a path. It's clear from there that filesize($filename)and readfile($filename) will not likely give you what you want.
Try concatenating the constant before the $filename variable like so...
header('Content-Length: ' . filesize(IMG_LOC . $filename));
readfile(IMG_LOC . $filename);
Also, consider that this code is susceptible to header-injection attacks as well as other security issues such as the user supplying you with a filename on your server that you may not want them to see. For example if I call your script with the query string ?file=yourscript.php I will be able to download your actual PHP code and potentially see any sensitive information you might not want exposed like your database password, or worse.
Also, mime_content_type is a deprecated function and should be replaced with the Fileinfo extension instead.
You script has various issues which all in all will prevent it from properly working. I roughly go through the lines and leave some comments, write a little summary then and offer another code-example with the comments incorporated:
$mime_type = mime_content_type("{$_GET['file']}");
You don't need to wrap the $_GET superglobal in curly brackets and then into double quotes. It's just not necessary for that parameter. You seem to be distracted at this point.
Anyway, this mime-type thing isn't necessary as the mime-type is not interesting if you want to offer the download. You take application/octet-stream instead and you can take care later on for a more specific mime-type:
$mime_type = "application/octet-stream";
Then at the wrong position you define the IMG_LOC constant:
define("IMG_LOC", "/var/www/domain.com/upload/");
This belongs at the very top of the script instead as you define the configuration by that.
In the line:
$filename = $_GET['file'];
you don't do any further error checking this opens up your script to directory traversal and path injection attacks which actually turns the script as you have it into a backdoor. Any file the script has access to on that server can be downloaded.
The next two lines are more or less correct then:
header('Content-Description: File Transfer');
header('Content-Type: '.$mime_type);
For the next header:
header('Content-Disposition: attachment; filename='.basename(IMG_LOC.$filename));
I would extract the basename earlier and just pass a variable here. Same for the content-length header later:
header('Content-Length: ' . filesize($filename));
Then you have this block of caching headers, as you serve the file from disk I don't think those are actually necessary, so I would remove them:
header('Expires: 0');
header('Cache-Control: must-revalidate');
header('Pragma: public');
The readfile line seems ok, you could do some error checking however:
readfile($filename);
And the last line I don't understand, as the script is at the end anyway, why exit?
exit;
My suggestions after this little review:
Gather the information which files should be served and how they must be named. Gathering such information will allow you to close the directory traversal issue which you have to close first.
Second putting the logic part above the output (and the configuration above the logic) should allow you to order the script in a more useful manner allowing you to handle issues with the mime-type for example easier when you maintain the script (or the caching if it is really an issue).
<?php
/**
* download a file
*
* parameter:
*
* file - name of the relative to upload folder
*/
const IMG_LOC = "/var/www/domain.com/upload";
// validate filename input
if (!isset($_GET['file'])) {
return;
}
$filename = $_GET['file'];
$path = realpath(IMG_LOC . '/' . $filename);
if (0 !== strpos($path, IMG_LOC)) {
return;
}
if (!is_readable($filename)) {
return;
}
// obtain data
$basename = basename($filename);
$mime_type = "application/octet-stream"; # can be improved later
$size = filesize($path);
// output
header('Content-Description: File Transfer');
header('Content-Type: ' . $mime_type);
header('Content-Disposition: attachment; filename=' . $basename);
header('Content-Length: ' . $size);
readfile($filename);
I have a script which automatically downloads a file.
It works perfectly to download the file, but the problem is that 50% or more of the time, it downloads a corrupt file.
Usually deleting and downloading again works, but not always.
How can I make this download 100% of the time perfectly always, not corrupted?
The file size changes depending on the file being downloaded.
<?php
// Automatically Start File Download
if (isset($_GET['filename'])):
$filename = $_GET['filename'];
$domain = "http://www.domain.com";
$filepath = "/addons/downloads/websites/";
//BUILD THE FILE INFORMATION
$file = $domain . $filepath . $filename;
// echo $filepath . $filename;
// echo $file;
//CREATE/OUTPUT THE HEADER
if (file_exists("/home/unrealde/public_html/ebook/domain.com/".$filepath . $filename)):
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename='.basename($file));
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
header('Content-Length: ' . filesize($file));
ob_clean();
flush();
readfile($file);
else:
$errorMsg = "<b>Download Error: File $filename Doesnt Exist!</b> <br />Please Contact <a href='mailto:support#domain.com'>support#domain.com</a>";
endif;
echo $errorMsg;
else:
// don't download any file
endif;
?>
My hunch is that something in your program is outputting some data other than the file itself.
Have you looked at the corrupt file in a binary editor and compared it with a non-corrupt version? What you'll find is that either at the beginning or the end of the file, you have some unexpected data, and this is what is corrupting the file.
If you look that file this way, it may become very obvious what the problem is. For example, you may have the file, followed by an error message, in which case maybe your line echo $errorMsg; is the culprit.
Alternatively you may have some blank space. This could also be the same error message, or it could be that your PHP tags have blank lines above or below them, which are being printed.
My first suggestion would be, since the program is effectively finished when the file is output, to put an explicit die; function immediately after the readfile(); line. This will categorically prevent any further spurious data being output once the file has been sent.
That won't help if the bad data is being sent before the readfile();, but it does rule out half the possible problems in one swoop.
Can't you just tar/gzip/zip the contents and provide a tar/gzip/zip file for download instead ?
Smaller file transfer increase chances of success over http transfer,
and more importantly, you can provide checksum for user to verify against
Try adding error_reporting(0); at the beginning of the script. Just for fun. If you check php.net for readfile, others have reported that this helps.
I have a PHP file that generates xls files using the module found at http://pear.php.net/package/Spreadsheet_Excel_Writer/
I can create the sample document just fine and when I open it, it looks fine.
My next step it to turn it into a downloadable link. To do that, I did this:
$mimeType = "application/vnd.ms-excel";
$file_name = "test.xls";
$file_path = "/tmp/".$file_name;
header("Pragma: public");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Content-Type: application/force-download");
header("Content-Type: application/octet-stream");
header("Content-Type: application/download");
header('Content-Type: application/' . $mimeType);
header('Content-Length: '.$size);
header("Content-Disposition: attachment;filename=$file_name ");
header("Content-Transfer-Encoding: binary ");
// open the file in binary read-only mode
// display the error messages if the file canĀ“t be opened
$file = & fopen($file_path, 'rb');
if ($file) {
// stream the file and exit the script when complete
fpassthru($file);
exit;
} else {
echo $err;
}
When I download the file however, it contains a lot of garbage data both in Excel and OpenOffice. The diff says that then binary file in the /tmp folder and the downloaded file are different from each other. I'm guessing that it has something to do with the headers or with fpassthru but I haven't had much luck with debugging the issue.
Any ideas on what the problem is?
The multiple Content-Type headers are uncessary. You're essentially saying that the file is a muffin and a pizza and a ford taurus all at the same time. All you need is the application/octet-stream version, unless you want to serve up the exact mime type.
As well, is there any reason you're trying to turn the file handle returned by fopen() into a reference?
Try something simpler:
<?php
header("Content-Type: application/octet-stream");
header("Content-Disposition: attachment;filename=$file_name");
readfile("/tmp/test.xls");
exit();
?>
and see if that does any better.
Just make sure that you don't send ANYTHING out to the browser BEFORE the actual file content gets send.
It might just be some php 'error' or even 'notice' that Spreadsheet_Excel_Writer is producing and you don't even see. Or it might be a closing '?>' tag thats followed by s simple space or newline.
I had a similar error where the file that was generated inside the web folders were working. However the delivery using header('...') gave me corrupt files. This was due to a single space at the end of one php file after the closing '?>' tag.
I am using the same library and I just discovered that the files in the library itself are creating the whitespace.
Solution: In the following files remove the whitespace at the end of the file, or remove the ?> closing tag at the end.
Files to edit (all files in the Spreadsheet_Excel_Writer package):
Writer.php
Workbook.php
Worksheet.php
PPS.php
Parser.php
OLE.php
Parser.php
File.php
BIFFWriter.php
Validator.php
Root.php
Add the following code at the top of the page where the excel file is generated
ob_clean();
This would clear all the gibberish data.Also check for any echo statements.If echo statements are present, remove them. The data should always present in format specified by excel package.