if you need to limit download rate, use this code
<?php
$local_file = 'file.zip';
$download_file = 'name.zip';
// set the download rate limit (=> 20,5 kb/s)
$download_rate = 20.5;
if(file_exists($local_file) && is_file($local_file))
{
header('Cache-control: private');
header('Content-Type: application/octet-stream');
header('Content-Length: '.filesize($local_file));
header('Content-Disposition: filename='.$download_file);
flush();
$file = fopen($local_file, "r");
while(!feof($file))
{
// send the current file part to the browser
print fread($file, round($download_rate * 1024));
// flush the content to the browser
flush();
// sleep one second
sleep(1);
}
fclose($file);}
else {
die('Error: The file '.$local_file.' does not exist!');
}
?>
readfile
(PHP 4, PHP 5)
readfile — ファイルを出力する
説明
int readfile
( string $filename
[, bool $use_include_path
[, resource $context
]] )
ファイルを読んで標準出力に書き出します。
パラメータ
- filename
-
読み込もうとするファイルの名前。
- use_include_path
-
オプションの2番目の引数を使用して、これにTRUEを設定することにより、 include_path のファイルの検索も行うことができます。
- context
-
コンテキストストリームリソース。
返り値
ファイルから読み込んだバイト数を返します。エラーが起こると FALSEを返し、また@readfile()という名前でコールされない限り、 エラーメッセージが表示されます。
注意
ヒント
fopen wrappers が有効の場合、この関数のファイル名として URL を使用することができます。ファイル名の指定方法に関する詳細は fopen()、サポートされる URL プロトコルの種類 については、(例えば)サポートされるプロトコル/ラッパー を参照してください。
注意: コンテキストのサポートは、 PHP 5.0.0 で追加されました。contexts の説明に関しては、 ストリーム 関数 を参照してください。
readfile
yura_imbp at mail dot ru
06-Jun-2008 01:46
06-Jun-2008 01:46
saidketchman at gmail dot com
20-Apr-2008 09:06
20-Apr-2008 09:06
Well I have a solution for anyone who may have had the same problem as I did. Basically the problem was that when trying to use external urls in readfile, or in general trying to use the http:// prefix, only a file placeholder would download in Internet Explorer 7 and Safari (and possibly other browsers with the exception of Firefox).
So basically this is the how I solved the problem. If you are using the code for the Content-Length:
header("Content-Length: ".filesize($filepath));
Then this is the issue. I don't know if it is with only certain servers, but in my case Internet Explorer couldn't get a filesize so it decided to not download any of the file.
The solution was to simply remove this line and give it no filesize and then the browsers would download the whole file.
saidketchman at gmail dot com
18-Apr-2008 04:19
18-Apr-2008 04:19
I'm having an issue with browers except FireFox 2.
I'm trying to use my download script to download from external URLs. Firefox handles it fine and downloads the file but Internet Explorer 7 and Safari 2 only download a placeholder (empty) file.
Any ideas why I can't handle the external URLs? I can swear it was working fine before but then out of no where a user emailed me saying it wasn't working anymore.
This is my code (with a bunch of headers added from posts here):
# Set Format Type
if ($audioformat == "wma")
{
header('Content-type: audio/x-ms-wma');
}
else if ($audioformat == "mp3")
{
header('Content-type: audio/mpeg');
}
$fullpath = $audiopath .$artist. '/' .$filename;
# header info for download
header('Content-Length: ' . filesize($fullpath));
header('Content-Disposition: attachment; filename="' . $filename. '"');
header('Content-Transfer-Encoding: binary');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
header('Expires: 0');
header('Content-Description: Quran Download');
ob_clean();
flush();
# begin download
readfile($fullpath) or die("error!");
exit;
marro at email dot cz
20-Mar-2008 04:17
20-Mar-2008 04:17
My script working correctly on IE6 and Firefox 2 with any typ e of files (I hope :))
function DownloadFile($file) { // $file = include path
if(file_exists($file)) {
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename='.basename($file));
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
header('Content-Length: ' . filesize($file));
ob_clean();
flush();
readfile($file);
exit;
}
}
Run on Apache 2 (WIN32) PHP5
uisluu at gmail dot com
19-Mar-2008 05:33
19-Mar-2008 05:33
If you still encounter problems, downloading some types of binary files (.doc, .zip, .xls etc.) such as corrupted bytes (esp. NUL(0x00) bytes replaced by spaces(0x20)) with readfile(), consider the following replacement for use with download.php?file=somefile.ext
<?php
$downloadFolder = '/download/';
if ( !preg_match( '/^(\w)+\.(?!php|html|htm|shtml|phtml)[a-z0-9]{2,4}$/i', $_GET['file'] ) ) {
error_log( "USER REQUESTed for:\t".$_GET['file'] );
die;
};
$filename = ROOT.$downloadFolder.$_GET['file'];
if ( !file_exists($filename) ) {
echo "No file here. [<a href='javascript:self.close();'>close</a>]";
error_log( "USER REQUESTed for non-existing file:\t".$_GET['file'] );
exit;
};
$string = 'Location: '.HOST.$downloadFolder.$_GET['file'];
header($string);
exit;
?>
TimB
12-Feb-2008 07:23
12-Feb-2008 07:23
To anyone that's had problems with Readfile() reading large files into memory the problem is not Readfile() itself, it's because you have output buffering on. Just turn off output buffering immediately before the call to Readfile(). Use something like ob_end_flush().
lcampanis.com
01-Nov-2007 06:55
01-Nov-2007 06:55
If you are trying to force a download from a script and you're having corrupted files, but the download was successful, just make sure you don't have spaces or news lines before and/or after <? script ?>
You can check this by opening your download with a text editor. If you see empty lines or spaces at the top, then that's the problem.
Hayley Watson
18-Oct-2007 01:27
18-Oct-2007 01:27
To avoid the risk of choosing themselves which files to download by messing with the request and doing things like inserting "../" into the "filename", simply remember that URLs are not file paths, and there's no reason why the mapping between them has to be so literal as "download.php?file=thingy.mpg" resulting in the download of the file "thingy.mpg".
It's your script and you have full control over how it maps file requests to file names, and which requests retrieve which files.
But even then, as ever, never trust ANYTHING in the request. Basic first-day-at-school security principle, that.
Sohel Taslim
02-Aug-2007 06:44
02-Aug-2007 06:44
If you use session and Secure Site(SSL- Secure Sockets Layer) to download files using PHP function readfile(), You can get an error message for Inetrnet Explorer (IE).
To avoid this problem try following function.
Hope it can help you. By, sohel62 at yahoo dot com.
<?php
session_cache_limiter('none'); //*Use before session_start()
session_start();
$file = 'ASDFGgg.pdf';
_Download("files_dir/".$file, $file);
function _Download($f_location,$f_name){
header ("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Length: ' . filesize($f_location));
header('Content-Disposition: attachment; filename=' . basename($f_name));
readfile($f_location);
}
?>
hamdiya dot dev at gmail dot com
18-Jul-2007 01:41
18-Jul-2007 01:41
Using FTP is also possible with readfile.
readfile('ftp://'.$ftp_user.':'.$ftp_pass.'@'.$ftp_host.'/'.$file);
Sinured
17-Jul-2007 10:00
17-Jul-2007 10:00
In response to "grey - greywyvern - com":
If you know the target _can't_ be a remote file (e.g. prefixing it with a directory), you should use include instead.
If the user manages to set the target to some kinda config-file (configuration.php in Joomla!), he will get a blank page - unless readfile() is used. Using include will just behave as a normal request (no output).
For remote files however use readfile().
Kniht
08-Jul-2007 03:27
08-Jul-2007 03:27
@Elliott Brueggeman
What's the point of a user's settings if not to determine their environment? If they have it set a specific way, honor their setting.
Elliott Brueggeman
26-Jun-2007 12:47
26-Jun-2007 12:47
I have noticed some unusual behavior with Internet Explorer 6 that’s worth taking note of. I have a link on my site to a script that outputs an XML file to the browser with the below code:
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="'.$filename.'"');
@readfile($file);
When the popular IE setting “Reuse Window for Launching Shortcuts” is unchecked (access this setting in the Tools Menu > Internet Options > Advanced Tab) this script will output the file to the browser and open it in a different window if the user clicks the open button on the IE prompt. However, if this setting is checked, and browser windows are being re-used, then it will open up on top of the page where the link was clicked to access the script.
If I instead set the html link target option to be “_blank”, the script will open up in a new window as expected if the “Reuse Window for Launching Shortcuts” is checked. But, if the setting is unchecked, the output XML file will open up in a new window and there will be another blank window also open that has the address of the script, in addition to our original window.
This is far from ideal, and there is no way of knowing whether users have this option checked or not. We are stuck with the distinct possibility of half of our visitors seeing either an annoying third blank window being opened or the script writing over their original window, depending on their “Reuse Window for Launching Shortcuts” setting.
chad 0x40 herballure 0x2e com
17-May-2007 11:53
17-May-2007 11:53
In reply to herbert dot fischer at NOSPAM dot gmail dot com:
The streams API in PHP5 tries to make things as efficient as possible; in php-5.1.6 on Linux, fpassthru is faster than 'echo fread($fp, 8192)' in a loop, and readfile is even faster for files on disk. I didn't benchmark further, but I'd be willing to bet non-mmap'able streams still win because they can loop in C instead of PHP.
MasterQ at 127 dot 0 dot 0 dot 1
23-Apr-2007 11:40
23-Apr-2007 11:40
Do not forgot to call
exit;
after readfile else you will get trouble with the file checksum of the file, because there will be added \n at the end of the script.
mAu
11-Oct-2006 04:25
11-Oct-2006 04:25
Instead of using
<?php
header('Content-Type: application/force-download');
?>
use
<?php
header('Content-Type: application/octet-stream');
?>
Some browsers have troubles with force-download.
ericlaw1979 at hotmail dot com
07-Jun-2006 04:18
07-Jun-2006 04:18
It is an error to send post-check=0. See http://blogs.msdn.com/ie/archive/2006/06/01/613132.aspx
irek at eccomes dot de
30-Mar-2006 01:35
30-Mar-2006 01:35
Related to francesco at paladinux: HOW TO RESOLVE EXPLORER SAVE PROBLEM IN FORCE-DOWNLOAD.
To use "application/octetstream" instead of "application/octet-stream" may help in some cases. But the solution of this problem in most cases is to use
header ("Cache-Control: must-revalidate, post-check=0, pre-check=0");
See also message of ctemple below. This helps not only for pdf but also generally.
oryan at zareste dot com
27-Nov-2005 12:18
27-Nov-2005 12:18
As Grey said below: Readfile will send users un-executed PHP files, which makes it easy to exploit vulnerabilities. It's common - and easy - to use GET variables pointing to downloadable files, like script.php?v=web/file.mov , but this lets users to change it to script.php?v=index.php and get damaging info. Even POST variables can be exploited this way if the user's on a custom browser.
To keep secure, limit downloadable files to one directory, like 'web/', so that script.php?v=file.mov will send web/file.mov, and scan the variable for '..' and 'php' to make sure users can't go into other directories, or open php files you may have stupidly put under web/. This should cover all the bases.
peavey at pixelpickers dot com
20-Oct-2005 10:38
20-Oct-2005 10:38
A mime-type-independent forced download can also be conducted by using:
<?
(...)
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); // some day in the past
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header("Content-type: application/x-download");
header("Content-Disposition: attachment; filename={$new_name}");
header("Content-Transfer-Encoding: binary");
?>
Cheers,
Peavey
planetmaster at planetgac dot com
17-Oct-2005 03:44
17-Oct-2005 03:44
Using pieces of the forced download script, adding in MySQL database functions, and hiding the file location for security was what we needed for downloading wmv files from our members creations without prompting Media player as well as secure the file itself and use only database queries. Something to the effect below, very customizable for private access, remote files, and keeping order of your online media.
<?
# Protect Script against SQL-Injections
$fileid=intval($_GET[id]);
# setup SQL statement
$sql = " SELECT id, fileurl, filename, filesize FROM ibf_movies WHERE id=' $fileid' ";
# execute SQL statement
$res = mysql_query($sql);
# display results
while ($row = mysql_fetch_array($res)) {
$fileurl = $row['fileurl'];
$filename= $row['filename'];
$filesize= $row['filesize'];
$file_extension = strtolower(substr(strrchr($filename,"."),1));
switch ($file_extension) {
case "wmv": $ctype="video/x-ms-wmv"; break;
default: $ctype="application/force-download";
}
// required for IE, otherwise Content-disposition is ignored
if(ini_get('zlib.output_compression'))
ini_set('zlib.output_compression', 'Off');
header("Pragma: public");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Cache-Control: private",false);
header("Content-Type: video/x-ms-wmv");
header("Content-Type: $ctype");
header("Content-Disposition: attachment; filename=\"".basename($filename)."\";");
header("Content-Transfer-Encoding: binary");
header("Content-Length: ".@filesize($filename));
set_time_limit(0);
@readfile("$fileurl") or die("File not found.");
}
$donwloaded = "downloads + 1";
if ($_GET["hit"]) {
mysql_query("UPDATE ibf_movies SET downloads = $donwloaded WHERE id=' $fileid'");
}
?>
While at it I added into download.php a hit (download) counter. Of course you need to setup the DB, table, and columns. Email me for Full setup// Session marker is also a security/logging option
Used in the context of linking:
http://www.yourdomain.com/download.php?id=xx&hit=1
[Edited by sp@php.net: Added Protection against SQL-Injection]
antispam [at] rdx page [dot] com
21-Sep-2005 06:14
21-Sep-2005 06:14
Just a note: If you're using bw_mod (current version 0.6) to limit bandwidth in Apache 2, it *will not* limit bandwidth during readfile events.
24-Aug-2005 06:39
here is a nice force download scirpt
$filename = 'dummy.zip';
$filename = realpath($filename);
$file_extension = strtolower(substr(strrchr($filename,"."),1));
switch ($file_extension) {
case "pdf": $ctype="application/pdf"; break;
case "exe": $ctype="application/octet-stream"; break;
case "zip": $ctype="application/zip"; break;
case "doc": $ctype="application/msword"; break;
case "xls": $ctype="application/vnd.ms-excel"; break;
case "ppt": $ctype="application/vnd.ms-powerpoint"; break;
case "gif": $ctype="image/gif"; break;
case "png": $ctype="image/png"; break;
case "jpe": case "jpeg":
case "jpg": $ctype="image/jpg"; break;
default: $ctype="application/force-download";
}
if (!file_exists($filename)) {
die("NO FILE HERE");
}
header("Pragma: public");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Cache-Control: private",false);
header("Content-Type: $ctype");
header("Content-Disposition: attachment; filename=\"".basename($filename)."\";");
header("Content-Transfer-Encoding: binary");
header("Content-Length: ".@filesize($filename));
set_time_limit(0);
@readfile("$filename") or die("File not found.");
herbert dot fischer at NOSPAM dot gmail dot com
22-Jul-2005 12:01
22-Jul-2005 12:01
readfile and fpassthru are about 55% slower than doing a loop with "feof/echo fread".
chrisputnam at gmail dot com
30-Jun-2005 05:44
30-Jun-2005 05:44
In response to flowbee@gmail.com --
When using the readfile_chunked function noted here with files larger than 10MB or so I am still having memory errors. It's because the writers have left out the all important flush() after each read. So this is the proper chunked readfile (which isn't really readfile at all, and should probably be crossposted to passthru(), fopen(), and popen() just so browsers can find this information):
<?php
function readfile_chunked($filename,$retbytes=true) {
$chunksize = 1*(1024*1024); // how many bytes per chunk
$buffer = '';
$cnt =0;
// $handle = fopen($filename, 'rb');
$handle = fopen($filename, 'rb');
if ($handle === false) {
return false;
}
while (!feof($handle)) {
$buffer = fread($handle, $chunksize);
echo $buffer;
ob_flush();
flush();
if ($retbytes) {
$cnt += strlen($buffer);
}
}
$status = fclose($handle);
if ($retbytes && $status) {
return $cnt; // return num. bytes delivered like readfile() does.
}
return $status;
}
?>
All I've added is a flush(); after the echo line. Be sure to include this!
Hernn Pereira
18-May-2005 03:21
18-May-2005 03:21
I saw in previous contributed notes that in content-disposition the file is not a quoted-string, there is no problem if the filename have no spaces but if it has in IE it works but in Firefox not.
The RFC 2616 puts as an example this:
Content-Disposition: attachment; filename="fname.ext"
You can see http://www.faqs.org/rfcs/rfc2616.html section "19.5.1 Content-Disposition" for more details.
The correct header then is this:
header("Content-Disposition: attachment; filename=\"$filename\"");
Philipp Heckel
11-May-2005 08:58
11-May-2005 08:58
To use readfile() it is absolutely necessary to set the mime-type before. If you are using an Apache, it's quite simple to figure out the correct mime type. Apache has a file called "mime.types" which can (in normal case) be read by all users.
Use this (or another) function to get a list of mime-types:
<?php
function mimeTypes($file) {
if (!is_file($file) || !is_readable($file)) return false;
$types = array();
$fp = fopen($file,"r");
while (false != ($line = fgets($fp,4096))) {
if (!preg_match("/^\s*(?!#)\s*(\S+)\s+(?=\S)(.+)/",$line,$match)) continue;
$tmp = preg_split("/\s/",trim($match[2]));
foreach($tmp as $type) $types[strtolower($type)] = $match[1];
}
fclose ($fp);
return $types;
}
# [...]
# read the mime-types
$mimes = mimeTypes('/usr/local/apache/current/conf/mime.types');
# use them ($ext is the extension of your file)
if (isset($mimes[$ext])) header("Content-Type: ".$mimes[$ext]);
header("Content-Length: ".@filesize($fullpath));
readfile($fullpath); exit;
?>
If you do not want to read from the mime.types file directly, you can of course make a copy in another folder!
Cheers Philipp Heckel
flobee at gmail dot com
07-May-2005 03:17
07-May-2005 03:17
regarding php5:
i found out that there is already a disscussion @php-dev about readfile() and fpassthru() where only exactly 2 MB will be delivered.
so you may use this on php5 to get lager files
<?php
function readfile_chunked($filename,$retbytes=true) {
$chunksize = 1*(1024*1024); // how many bytes per chunk
$buffer = '';
$cnt =0;
// $handle = fopen($filename, 'rb');
$handle = fopen($filename, 'rb');
if ($handle === false) {
return false;
}
while (!feof($handle)) {
$buffer = fread($handle, $chunksize);
echo $buffer;
if ($retbytes) {
$cnt += strlen($buffer);
}
}
$status = fclose($handle);
if ($retbytes && $status) {
return $cnt; // return num. bytes delivered like readfile() does.
}
return $status;
}
?>
TheDayOfCondor
27-Apr-2005 10:24
27-Apr-2005 10:24
I think that readfile suffers from the maximum script execution time. The readfile is always completed even if it exceed the default 30 seconds limit, then the script is aborted.
Be warned that you can get very odd behaviour not only on large files, but also on small files if the user has a slow connection.
The best thing to do is to use
<?
set_time_limit(0);
?>
just before the readfile, to disable completely the watchdog if you intend to use the readfile call to tranfer a file to the user.
comicforum at lelon dot net
23-Apr-2005 03:22
23-Apr-2005 03:22
The problem with using readfile on large files isn't caused by your memory_limit setting. Setting it to 4x the size of the file can still cause the file to be truncated. Use the readfile_chunked found below.
TheDayOfCondor
21-Apr-2005 01:10
21-Apr-2005 01:10
Beware - the chunky readfile suggested by Rob Funk can easily exceed you maximum script execution time (30 seconds by default).
I suggest you to use the set_time_limit function inside the while loop to reset the php watchdog.
php at cNhOiSpPpAlMe dot net
22-Feb-2005 11:25
22-Feb-2005 11:25
For some reason, readfile seems to reset the file's modified time (filemtime). Using fopen and fpassthru avoids this.
<?
$fp = @fopen($file,"rb");
fpassthru($fp);
fclose($fp);
?>
(PHP version: 4.3.10)
Rob Funk
05-Jan-2005 03:31
05-Jan-2005 03:31
When using readfile() with very large files, it's possible to run into problems due to the memory_limit setting; apparently readfile() pulls the whole file into memory at once.
One solution is to make sure memory_limit is larger than the largest file you'll use with readfile(). A better solution is to write a chunking readfile. Here's a simple one that doesn't exactly conform to the API, but is close enough for most purposes:
<?php
function readfile_chunked ($filename) {
$chunksize = 1*(1024*1024); // how many bytes per chunk
$buffer = '';
$handle = fopen($filename, 'rb');
if ($handle === false) {
return false;
}
while (!feof($handle)) {
$buffer = fread($handle, $chunksize);
print $buffer;
}
return fclose($handle);
}
?>
Justin Dearing
30-Dec-2004 08:38
30-Dec-2004 08:38
Word for word copy of a comment on session_start() posted by Kevin. Might be relevant here.
If you're having a problem with a file download script not working with IE if you call session_start() before sending the file, then try adding a session_cache_limiter() call before session_start().
I use session_cache_limiter('none'), but 'public' and 'private' seem to fix the problem too; use whichever suits your application.
grey - greywyvern - com
30-Dec-2004 01:29
30-Dec-2004 01:29
readfile() makes a handy include for what you know should be plain HTML or text. Sloppy and/or lazy scripters can introduce security risks when using include() and require() in such a way that users can tell the script what file(s) to include. This is because the PHP code contained in any file they refer to is executed with PHP's privledges.
With readfile(), any PHP code is passed to the output buffer as-is, without being executed.
ctemple at n-able dot com
16-Nov-2004 05:12
16-Nov-2004 05:12
If you're passing files through a script, you may want to include this header:
header ("Cache-Control: must-revalidate, post-check=0, pre-check=0");
Otherwise, some programs such as Adobe Reader may have problems opening files directly.
<?php
header ("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header ("Content-Type: application/octet-stream");
header ("Content-Length: " . filesize($theFile));
header ("Content-Disposition: attachment; filename=$theFileName");
readfile($theFile);
?>
Thomas Jespersen
25-Oct-2004 10:06
25-Oct-2004 10:06
Remember if you make a "force download" script like mentioned below that you SANITIZE YOUR INPUT!
I have seen a lot of download scripts that does not test so you are able to download anything you want on the server.
Test especially for strings like ".." which makes directory traversal possible. If possible only permit characters a-z, A-Z and 0-9 and make it possible to only download from one "download-folder".
flobee at gmail dot com
04-Oct-2004 09:33
04-Oct-2004 09:33
you may try the statemants below with
header("Content-Type: application/octet-stream");
// insteat OF: header('Content-Type: application/force-download');
MAC OSX / IE: has problems to find the right mime type and do not accept spaces in filenames. then all plattforms should work
nobody at localhost
23-Sep-2004 06:03
23-Sep-2004 06:03
If you want to force a download:
<?php
$file = '/var/www/html/file-to-download.xyz';
header('Content-Description: File Transfer');
header('Content-Type: application/force-download');
header('Content-Length: ' . filesize($filename));
header('Content-Disposition: attachment; filename=' . basename($file));
readfile($file);
?>
kschenke at datafreight dot com
16-Oct-2003 01:43
16-Oct-2003 01:43
If your site visitors are having problems with Internet Explorer downloading files over an SSL connection, see the manual page for the session_cache_limiter() function.