I have a php file to handle file downloads in a website. It is working as it should.
if($_GET['type'] == "pdf") {
$dir = __DIR__ . "/../src/files/pdf/" . $_GET['name'];
if(file_exists($dir)) {
header('Content-Description: File Transfer');
header('Content-Type: application/pdf');
header('Content-Disposition: attachment; filename='.basename($dir));
header('Expires: 0');
header('Cache-Control: must-revalidate');
header('Pragma: public');
header('Content-Length: ' . filesize($dir));
readfile($dir);
exit;
} else {
$_SESSION['err'] = "No file found";
header("location: index.php");
exit;
}
}
Now I want to count the times that a file is being downloaded. So I have a method inside a class in a different php file. I usually include this php file and create an instance of this class when I need to use some of its methods. The problem is that if I include the file in my file-handler.php the header will be different and the file would be corrupted when downloaded.
So, how can I use the method of this file in the file-handler without affecting the header?
If you include your counting file before at the top of file-hander.php file before you output your download headers then the download headers will replace whatever headers were output before.
Additionally. your counting file must not output any content at all as the client is expecting the file you are downloading and nothing else.
I agree 100% with #rjdown, your code creates a massive potential security issue. I would not put it on a server connected to an untrusted network (Like The Internet). If you would appreciate help making it secure then please ask that question.
Related
I'm at a bit of a loss as to why this folder is not being found. I have a script that, after searching a database to find the $filename of someone's purchase based on a stored random code, should simply return their file. My code looks like this (including the trailing end of the db query):
$stmt_2 -> bind_result($filename);
$stmt_2 -> fetch();
$stmt_2 -> close();
// For .zip files
$filepath='/media-files/Label/' . $filename;
if (headers_sent()) {
echo 'HTTP header already sent';
} else {
if (!is_file($filepath)) {
header($_SERVER['SERVER_PROTOCOL'].' 404 Not Found');
echo 'File not found.';
} else if (!is_readable($filepath)) {
header($_SERVER['SERVER_PROTOCOL'].' 403 Forbidden');
echo 'File not readable.';
} else {
header('Content-Type: application/zip');
header('Content-Disposition: attachment; filename="' . basename($filepath) . '"');
header('Content-Length: ' . filesize($filepath));
readfile($filepath);
exit;
}
}
When I run this code, I receive "File not found." so !is_file($filepath) is where it is getting tripped up -- However, the path is correct and the zip is definitely there, so I'm not sure what is wrong here.
In terms of debugging, I've tried removing the checks, going directly to the headers and readfile, which returns an empty zip folder. What does work is if I navigate directly to the file by URL...
UPDATE
The file path issue has been fixed, but I am still not able to download the file. In all attempts I get either ERR_INVALID_RESPONSE or if I try to brute force download the file, it returns an empty file. I tried using these headers with no success:
header_remove();
ob_end_clean();
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $filename . '"');
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate');
header('Pragma: public');
header('Content-Length: ' . filesize($filepath));
readfile($filepath);
ob_end_flush();
exit;
They are large audio files, which appears to be causing the issue...
You have two types of pathes:
(a) The path of an URL. You have a web-adress which defines the root of your webpage.
e.g. https://www.stackoverflow.com is the start of the site. If you adress /questions at this site you always have the path https://www.stackoverflow.com/questions
(b) The path of the drive where the webpage is located. It is the filesystem-root.
e.g. /home/httpd/html/MyWebPage/questions
If you try to use /questions in (b) it will fail because you need the whole path.
So, this said you need to know where '/media-files/Label/'.$filename is located. It seems to me that /media-files is not at root-level of your filesystem (b).
Maybe it is at the web-root but this is not enough for your system to find the file. Therefore you need something like this:
'/root/httpd/MyWebPage/media-files/Label/'.$filename
Nico Haase was absolutely correct, this is an issue with misunderstanding of paths. Here is a link to an article that should clear things up:
https://phpdelusions.net/articles/paths
Currently your script is trying to find the file in:
/media-files/Label/file.zip
not:
/var/www/myproject/media-files/Label/file.zip
The linked article should provide you with all the neccesary information.
TLDR;
use:
$filepath=$_SERVER['DOCUMENT_ROOT'].'/media-files/Label/' . $filename;
UPDATE
With the file size issue it might be that PHP runs out of allowed memory when trying to load the whole file. We could try something like:
flush();
$file = fopen($filepath, "r");
while(!feof($file)) {
// send the current file part to the browser
print fread($file, round(10 * 1024));
// flush the content to the browser
flush();
}
fclose($file);
There are some issues with flush() but it's a good shot I think. You can have a read on: https://www.php.net/manual/en/function.flush
Other then that there is always the possibility to split the file into smaller chunks.
I am trying to download files from server that I uploaded via html form.
If I try to download files that I had uploaded everything works good but if I try to download other people's files they are broken (0 kb size).
The download link is generated by a page for every user:
$_SESSION['u'] = $username;
echo ''.$entry.'';
If I echo($_SESSION['u']) I have the right username referred to user which I want to get the files.
And download.php is:
session_start();
$u = $_SESSION['u'];
$file = basename($_GET['file']);
$percorso = '/home/fosco/documents/'.$u.'/'.$file;
if(!$file){ // file does not exist
die('file not found');
} else {
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="'.basename($percorso).'"');
header('Expires: 0');
header('Cache-Control: must-revalidate');
header('Pragma: public');
header('Content-Length: ' . filesize($percorso));
readfile($percorso);
exit;
}
Where is the mistake?
I don't understand why I am able to download certain file and not other.
I also tried changing permissions to 777 but nothing changed.
Moveing files to public_html, if I go to the public url the files are not broken but anyway I am not able to download it trought download.php
If I download the broken file from ftp it is ok, not broken.
Thanks for the help.
Fosco
I'm guessing that the file you request does not actually exists.
Your if-statement only checks if the variable $file is not false/empty/zero.
For checking if a file exists use the function file_exists()
I am getting an error. I am trying to read an attachment. It does work perfectly on most files but on few I get this error. The files have the same format and the location it is trying to read from is correct. I have tested it on windows explorer. This is way i am reading it:
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $filename .'"');
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
header('Content-Length: ' . filesize($attachment_location));
ob_clean();
flush();
readfile($attachment_location);
exit();
This is the error I get
Warning: readfile(C:\Users\Public\asdgasd\4sf3\Suppliers\saf342\Files\Revit\2016\Seinätikas.rfa): failed to open stream: No such file or directory in C:\xampp\htdocs\web\downloadattachment.php on line 58
as Johndodo kind of references, you need to ensure that PHP is operating with the correct internal character set and encoding, so that it recognises the way the file is stored in your (windows) directory structure. See what character set your windows system is using and then use that same character set for PHP internal encoding.
Edit:
Logic process would be to:
Open file reference from email and convert the filename $var into the correct encoding.
Do the file_exists check
Proceed to pass the $var to the readfile function to open.
could you please provide the content of $filename and $attachment_location.
Could you please extend your code with this:
if (file_exists($file)) {
Your code goes here
....
exit();
}
Further things to check: Is the file readable by the webserver user (if you're using a websever).
Does the problem have an effect on files in which there are special chars in the filename ?
You should put a checker for see if the file exists in your filesystem.
if (!file_exists($filePath)) {
// Throw an exception or do something for alert the wrong path.
throw new Exception('File with this path is not available.');
} else {
// Do your amazing stuff here
}
I'm trying to redirect my user after they download my files. I manage to make them download the file but I cant redirect them to the url. Pleas help
<?php
//Search for file using GET
if(isset ($_GET['file']) && ($_GET['url'])){
$file = $_GET['file'];
$link = $_GET['url'];
if (file_exists($file)) {
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="'.basename($file).'"');
header('Expires: 0');
header('Cache-Control: must-revalidate');
header('Pragma: public');
header('Content-Length: ' . filesize($file));
readfile($file);
exit;
} else {
echo "Why are you here?";
}
//file downloaded now go to link
header('Location: $link');
}
?>
How do I fix this?
No, it's not possible what you do and want.
your redirect will be executed if the GET parameters file and url exist and the physic file not exists.
if GET parameters file and url exist and the physic file exists, you exit after the download (script stops with further execution).
Why not a redirect from html code to your download script. Many downloads site work with.
As pseudo, redirect.html:
html
head
redirect to your forced download file FOO after X seconds with e.g. meta tag
/head
body
Download of file FOO starts in X seconds
/body
/html
In the case above you don't need the php redirect, only the force download. Set the redirect script not in the same file as your download script!
remove exit; from true part and try to put this instead
header('Location: $link');
You got the wrong quotes:
header("Location: $link"); // note the "
Or do concatenation:
header('Location: '.$link);
By the way, the way you're doing what you want to do is basically a good way to let anyone with HTTP 80 access to this script to download any file on your server. What if $file = '/etc/passwd';?
I have a script which automatically downloads a file.
It works perfectly to download the file, but the problem is that 50% or more of the time, it downloads a corrupt file.
Usually deleting and downloading again works, but not always.
How can I make this download 100% of the time perfectly always, not corrupted?
The file size changes depending on the file being downloaded.
<?php
// Automatically Start File Download
if (isset($_GET['filename'])):
$filename = $_GET['filename'];
$domain = "http://www.domain.com";
$filepath = "/addons/downloads/websites/";
//BUILD THE FILE INFORMATION
$file = $domain . $filepath . $filename;
// echo $filepath . $filename;
// echo $file;
//CREATE/OUTPUT THE HEADER
if (file_exists("/home/unrealde/public_html/ebook/domain.com/".$filepath . $filename)):
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename='.basename($file));
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
header('Content-Length: ' . filesize($file));
ob_clean();
flush();
readfile($file);
else:
$errorMsg = "<b>Download Error: File $filename Doesnt Exist!</b> <br />Please Contact <a href='mailto:support#domain.com'>support#domain.com</a>";
endif;
echo $errorMsg;
else:
// don't download any file
endif;
?>
My hunch is that something in your program is outputting some data other than the file itself.
Have you looked at the corrupt file in a binary editor and compared it with a non-corrupt version? What you'll find is that either at the beginning or the end of the file, you have some unexpected data, and this is what is corrupting the file.
If you look that file this way, it may become very obvious what the problem is. For example, you may have the file, followed by an error message, in which case maybe your line echo $errorMsg; is the culprit.
Alternatively you may have some blank space. This could also be the same error message, or it could be that your PHP tags have blank lines above or below them, which are being printed.
My first suggestion would be, since the program is effectively finished when the file is output, to put an explicit die; function immediately after the readfile(); line. This will categorically prevent any further spurious data being output once the file has been sent.
That won't help if the bad data is being sent before the readfile();, but it does rule out half the possible problems in one swoop.
Can't you just tar/gzip/zip the contents and provide a tar/gzip/zip file for download instead ?
Smaller file transfer increase chances of success over http transfer,
and more importantly, you can provide checksum for user to verify against
Try adding error_reporting(0); at the beginning of the script. Just for fun. If you check php.net for readfile, others have reported that this helps.