Generated xml file is harmful for computer? - php

I did an xml file and force download it by these headers:
header('Content-disposition: attachment; filename="export.xml"');
header('Content-type: application/xml; charset=utf8');
readfile('export.xml');
But before the download I see a dialog that this file can be harmful for my computer? How to get rid of this dialog? Maybe my headers is wrong?
upd Well, can do nothing, I did a test on my test-hosting, u can check it here: site with generation link, and an xml file as is: export.xml

Try changing application/xml to text/xml. Probably your browser thinks that application means executable.

Try this :
<?php
header('Content-disposition: attachment; filename="export.xml"');
header('Content-type: "text/xml"; charset="utf8"');
readfile('export.xml');
?>

Note: This does not solve your issue, however it did solve an issue I had on my computer giving that notice (windows, chrome, apache webserver, PHP 5.4.10). I leave it here for future visitors.
Some browsers do not only look for the headers but also for the "filename" in the URL.
For example if you download a PHP file that contains XML, the browser might identify it as a dangerous file (because it can be executed on your system or is not within some whitelist or what not):
http://example.com/xml-download.php
A simple solution is to make this file not end with .php any longer, for example by adding a ?:
http://example.com/xml-download.php?
And continue with that to even signal the filename that way:
http://example.com/xml-download.php?export.xml
(the last one is not necessary but can be useful especially with some older browsers)

Related

PHP: filesize() stat failed with link

I'm randomly getting download errors from a link on a page. I also simplified the link to a directory for easy usage in emails for users.
On the main page the link looks like this:
a href="http://myPage.com/Mac" target="_blank" id="macDownloadButton" class="downloadbutton w-button">Download Mac version</a>
On my server, that's a directory with an index.php in it which looks like this:
<?php
// mac version
$file="http://www.myPage.com/downloads/myApp_Mac.zip";
$filename="myApp_Mac.zip";
header('Content-Transfer-Encoding: binary');
header('Accept-Ranges: bytes');
header('Content-Length: ' . filesize($file));
header('Content-Encoding: none');
header('Content-Type: application/zip');
header('Content-Disposition: attachment; filename=' . $filename);
readfile($file);
exit;
?>
Again, the reason I do this is so it's a simple link to send to users in email like, "http://myPage.com/Mac" and "http://myPage.com/Windows".
The weird thing is that it mostly works...but sometimes it doesn't.
What am I doing wrong?
It's hard to know precisely what's wrong unless you check for errors on your readfile() call.
But you're invoking your web server from your web server here when you specify a filename starting with http. You're doing
readfile('http://www.myPage.com/downloads/myApp_Mac.zip');
where you could just as easily do
readfile('../downloads/myApp_Mac.zip');
and read the zip file from the local file system to send to your user.
What's more, filesize('../downloads/myApp_Mac.zip'); will yield a numerical value quickly and send it in the Content-Length header. That will allow the browser, by knowing the total size of the file you're sending, to display a meaningful progress bar.
You should remove the Accept-Ranges header; the php program you showed us doesn't honor range requests. If you lie to the browser by telling it you do honor those requests, the browser may get confused and corrupt the downloaded copy of your file. That will baffle your user.
Your Content-Disposition header is perfect. It defines the filename to be used on your user's machine in the downloads folder.
Simple operations are more reliable, and this may help you.
The reason you got stat failed with link as an error message is this: stat(2) is a operating-system call that operates on files in local and mounted file systems.
As previously mentioned by O. Jones you should definitely always use your local file path.
Most of my previous issues have been mostly browser related where I needed to tweak/add a http header, and in one case I needed to send all the HTTP headers in lowercase but I haven't had an issue like that in years. My personal recommendation would be to use a solid download library/function - it will make a noticeable difference to your productivity as well as rule out most browser related issues you may come across.
I have used the codeIgniter download helper for the last 3 years and recommend it for 99% of use cases. At the very least I would recommend your read through it's code - you will probably find a few cases you have never even considered such as clearing the output buffer,mime detection and even a special case for Android 2.1 as well as a few headers you may or may not need.
If all else fails I have no idea what server your running this on but if you continue to have issues I would recommend monitoring which processes your machine is running while paying close attention to ram and IO usage. I've have encountered bad/misbehaving services that run periodically using 99% of my IO or ram for short intervals at a time that caused a few really odd and unexpected errors.

Why downloaded file is not downloaded instead it is shown in browser?

I redirect the visitors in my website from page A to page B. In page B I expect users to get the downloaded PDF file (to be downloaded when page B is loading).
I have taken the code from another article (see a previous question answered here) and my code of page B is the following:
<?php
header('Content-Disposition: attachment; filename=nature.pdf');
header('Content-type: application/pdf');
$fn=fopen("/wp-content/nature.pdf","r");
fpassthru($fn);
?>
The output is not by opening a download dialog box, instead some unreadable characters are displayed in browser such as the following (I have just picked up a small sample below):
%PDF-1.4 %���� 3 0 obj <>stream x���MK1�o�+�$zIg&�� V=T�=Xo����K��i+#V�yx3��඀(BX�pW`
Server: OS Linux; PHP version: 5.2.17
The visitor -> Browser: Firefox; OS: Windows 2000
Is it possible to fail due to the old OS on client side? If not, does anybody know a solution how to force the download? Any help would be highly appreciated.
Thanks.
Try it with the Content-Length header:
ob_clean(); ob_start();
header('Content-Disposition: attachment; filename=nature.pdf');
header('Content-type: application/pdf');
header ("Content-Length: ".filesize("/wp-content/nature.pdf"));
readfile("/wp-content/nature.pdf");
exit;
There was a quirk in the really old browsers when Content-disposition was first being introduced, some of the really old browsers wouldn't show the "Save As" dialogue unless it couldn't recognize the type of file you were trying to open. Try setting the Content-type to nothing (or something unrecognizable), and see if that'll force the older browser to pop the save-as dialogue.
header('Content-type: ');
If that works, then I'd suggest adding in a line of PHP to detect whether or not they're on an old browser before running that line, as modern browsers will use that header to determine what program the file should be opened with.

cakePHP force download of ical

I have the following in a layout file;
<?php
$Filename = "TheEvent.vcs";
header("Content-Type: application/force-download");
header("Content-Disposition: inline; filename=$Filename");
echo $content_for_layout;
?>
Now in the controller I have this layout defined and it is working as I can see the text of my ical file. The only problem is the download isn't being forced on the client.
I followed the following guide though I am using cakePHP 2.0
http://labs.iamkoa.net/2007/09/07/create-downloadable-ical-events-via-cake/
Thanks
Ash
you can use the new 2.0 request features to download right away:
$this->response->download($filename);
http://www.dereuromark.de/2011/11/21/serving-views-as-files-in-cake2/
You can use file() and the other documented ways of serving files - see http://book.cakephp.org/2.0/en/controllers/request-response.html#cakeresponse
This is because the "Content-Type: application/force-download" is used and not recognized by your HTTPd server.
Thus your php script is an unknown type of content and your browser got the signal to download the file and save it :)
The accepted answer got me Method download does not exist.
Here's what worked for me:
$this->response->download($filename);
Note request replaced with response.
Source: class-CakeResponse.html.

simultaneously download on server and on user

I am currently developing an application in PHP in which my server (a dedicated server) must to download a file, and the user should download the file in same time.
Here is an example :
Server start to download a file at a time A.
User wants to download this file at the time A + 3 seconds (for example)
I already solved the problem :"If the user downloads the file faster than the server..". But I didn't know how to make a php script in which the user is gonna to download the full file (it means that the size must be the full size of the file, not the size it's currently downloaded at the time A+3seconds). I already make that :
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="'.$data['name'].'";');
header('Content-Transfer-Encoding: binary');
header('Content-Length: '.$data['size']);
readfile($remoteFile);
But it doesn't work, the user is gonna download just the size it is currently on the server (which corrupt the file) and not the full file...
If you have any solution, thank you.
You could probably pipe the file manually, by opening the connection and reading until you're past all headers. Then once you've figured out the Content-Length, send that to the user and just echo all remaining data you get (do use flush() and avoid output buffers).
Pseudocode(-ish):
open the file
# grab headers
while you didn't get all HTTP headers:
read more
look for the Content-Length header
send the Content-Length header
# grab the file
while the rest of the request isn't done
read more
send it to the user
flush the buffers
done
Expanding on #Tom answer, you can use cURL to greatly simplify the algorithm by using the CURLOPT_HEADERFUNCTION and CURLOPT_READFUNCTION callbacks - see curl_setopt().
Don't send the content-length header. It's not required assuming you're using http 1.1(your webserver almost certainly does). Drawback is their browser cant show download time/size remaining.

Google Chrome renames file .xml to .download

i have this very simple download page to get an xml file.
the script works ok in firefox/IE. but chrome renames the extension of the file to ".download".
and this happens only to .xml, when you use another extension like .txt it does it without problems.
the body of the html is this:
<body>
descarga
</body>
and the php is this:
header('Content-type: "text/xml"; charset="utf8"');
header('Content-disposition: attachment; filename="example.xml"');
echo "that's it";
its very strange. any solution for this??
This is not a definite answer, just some information for you.
From the bug report:
The downloaded file may get a different name if it is considered potentially dangerous
for your computer (e.g. exe). You should then get an UI prompt in the download shelf
asking you to confirm the download (with the file still downloading in the background).
try removing 'echo "that's it";'
it makes the xml invalid and might confuse the browser.
if it doesn't help, check the actual http headers of both request and response.

Categories