Jamie Balfour

Welcome to my personal website.

Find out more about me, my personal projects, reviews, courses and much more here.

Part 5.6Transferring a file with PHP

Part 5.6Transferring a file with PHP

For a website which allows downloads of specific files for each user there need to be restrictions. For instance, there might be an application only John Smith is permitted to download and another that only Joe Bloggs is allowed to open. It may be good to implement a system like the one on this site where registered and accepted users are permitted to download software.

With PHP, this can be achieved by using the PHP header method. This article will discuss reading files, downloading them and the htaccess methods of the server.

Reading the bytes from the file

The first step is to read the file in to the script. It should not go into a variable:

PHP
<?php
  $filename = "myFile.txt";
	readfile($filename);
?>
		

Generating a file

The word generating is used somewhat loosely here as the file is technically not generated. The file is provided as a byte stream. There is more about byte steams on the Wikipedia page.

In the case where using simple download restrictions (such as .htaccess) to prevent unauthorised users downloading an application, PHP can be used to circumvent any protection provided.

PHP runs on the server, so the server is in control of what files the PHP page can access. Below is a sample of the header of a page that is prepared to download:

PHP
<?php
	header("Content-Description: File Transfer");
	header("Content-Disposition: attachment; filename='myfile.msi'");
	header("Content-Type: application/x-ole-storage");
?>
		

The header of the page is sent as raw HTTP data that the user's system can interpret and the server can interpret. By placing this at the top, the page tricks the browser into thinking that it is downloading an x-ole-storage file. But if this is run, nothing will download. The combination of the header and the readfile parts are what make it work. With the same sample myFile.txt the Content-Type header would be declared using the text MIME (Multipurpose Internet Mail Extensions) type (text/plain) and then read from the file.

PHP
<?php
	header("Content-Description: File Transfer");
	header("Content-Disposition: attachment; filename=".basename($file));
	header("Content-Type: text/plain");

	ob_clean();
	flush();

	readfile("myFile.txt");
	exit;
?>
		

The flush and ob_clean commands clean (or flush) the output buffer.

And that is how to emulate a file download in PHP.

.htaccess (Apache only)

One of the best things about the way that web servers work is the way that they can be controlled. Creating a simple file that specifies a few lines in can change the way part of a server works.

.htaccess is beyond the scope of this tutorial, but it will cover just a bit about it.

.htaccess can be used to restrict access from everything except the server and FTP (File Transfer Protocol). This means that only users who are permitted to download files if they are logged in can do so.

PHP
<?php
	$loggedIn = ""
	if (isset($_SESSION["loggedIn")) {
		$loggedIn = $_SESSION["loggedIn"];
	}
	if ($loggedIn == true)	{
		header("Content-Description: File Transfer");
		header("Content-Disposition: attachment; filename=".basename($file));
		header("Content-Type: text/plain");

		ob_clean();
		flush();

		readfile("myFile.txt");
		exit;
	}
?>
		

And now the .htaccess file that resides in the directory that is not to be accessible.

.htaccess
Order Deny,Allow
Deny from all
		

Placing that in the root of the directory structure will prevent access to this directory and any sub directories, yet PHP can still get around this.

Feedback 👍
Comments are sent via email to me.