Forcing to download a file using PHP

Asked 23/9, 2009 at 12:6 Answered 9/8, 2018 at 12:38

I have a CSV file on my server. If a user clicks on a link it should download, but instead it opens up in my browser window.

My code looks as follows

<a href="files/csv/example/example.csv">
    Click here to download an example of the "CSV" file
</a>

It's a normal webserver where I have all of my development work on.

I tried something like:

<a href="files/csv/example/csv.php">
    Click here to download an example of the "CSV" file
</a>

Now the contents of my csv.php file:

header('Content-Type: application/csv');
header('Content-Disposition: attachment; filename=example.csv');
header('Pragma: no-cache');

Now my issue is it's downloading, but not my CSV file. It creates a new file.

Edgar answered 23/9, 2009 at 12:6 Comment(5)

And how does any of this relate to PHP? – Moccasin 23/9, 2009 at 12:14

You forget to output the file’s contents. – Electro 23/9, 2009 at 12:42

updated my answer below with a solution to your new issue – Fledgy 23/9, 2009 at 12:43

is this possible without using php? – Bowerman 24/4, 2014 at 9:46

You can find another good answer here: #10934522 – Bays 13/6, 2014 at 14:56

115

.htaccess Solution

To brute force all CSV files on your server to download, add in your .htaccess file:

AddType application/octet-stream csv

PHP Solution

header('Content-Type: application/csv');
header('Content-Disposition: attachment; filename=example.csv');
header('Pragma: no-cache');
readfile("/path/to/yourfile.csv");

Fledgy answered 23/9, 2009 at 12:9 Comment(6)

Why not just change the Content-Type line to Content-Type: application/octet-stream ? It seems a bit redundant to do it in an .htaccess when you're overriding it anyway. – Countryside 22/10, 2009 at 21:7

that was the inital answer to the question, the question then changed so the second part was the answer to that. – Fledgy 28/10, 2009 at 8:34

This doesn't work in all browsers, with all filetypes. For example, it won't work on the latest (Aug 2013) version of Chrome with PDF files and perhaps csv files too. See my answer for how to get this working in a more reliable way. – Midsummer 5/8, 2013 at 14:9

Great Answer! I would suggest changing 'Content-Type: application/csv' to 'Content-Type: application/octet-stream' as suggested by @Powerlord. It will be a more well-rounded answer and will help others who are not just interested in having their CSVs downloaded. Just a suggestion! Thanks! – Warnke 25/9, 2016 at 6:39

Can you please tell me how, if it is a zip file?? – Plunkett 23/2, 2017 at 8:54

FYI the standard HTTP Content-Type header for CSV is text/csv, not application/csv. – Nostradamus 2/7, 2019 at 10:54

Or you can do this using HTML5. Simply with

<a href="example.csv" download>download not open it</a>

Danie answered 12/2, 2014 at 15:51 Comment(4)

Unfortunately this isn't supported in IE or Safari: caniuse.com/#feat=download – Moonstone 15/1, 2015 at 16:8

The best part of adding download attribute is that it will force to download any type of file. – Lovettalovich 4/2, 2017 at 18:53

It's finally supported in Safari! – Selemas 3/4, 2017 at 10:13

Love this. Saved me another night trying to figure out how to work with those damn php download headers. – Malvasia 30/4, 2019 at 19:48

This cannot be done reliably, since it's up to the browser to decide what to do with an URL it's been asked to retrieve.

You can suggest to the browser that it should offer to "save to disk" right away by sending a Content-disposition header:

header("Content-disposition: attachment");

I'm not sure how well this is supported by various browsers. The alternative is to send a Content-type of application/octet-stream, but that is a hack (you're basically telling the browser "I'm not telling you what kind of file this is" and depending on the fact that most browsers will then offer a download dialog) and allegedly causes problems with Internet Explorer.

Read more about this in the Web Authoring FAQ.

Edit You've already switched to a PHP file to deliver the data - which is necessary to set the Content-disposition header (unless there are some arcane Apache settings that can also do this). Now all that's left to do is for that PHP file to read the contents of the CSV file and print them - the filename=example.csv in the header only suggests to the client browser what name to use for the file, it does not actually fetch the data from the file on the server.

Rajiv answered 23/9, 2009 at 12:16 Comment(2)

Using "Content-disposition: attachment" has worked consistently for us in all FF versions, IE6 and IE7. – Yawata 23/9, 2009 at 12:31

Typically you'll only run into issues with content-disposition if you have a default action for downloaded files of a type set for your browser, otherwise browsers will typically follow the recommendation (for more modern versions, ymmv with old/outdated browser versions). – Mychal 21/11, 2018 at 17:28

Here is a more browser-safe solution:

    $fp = @fopen($yourfile, 'rb');

    if (strstr($_SERVER['HTTP_USER_AGENT'], "MSIE"))
{
    header('Content-Type: "application/octet-stream"');
    header('Content-Disposition: attachment; filename="yourname.file"');
    header('Expires: 0');
    header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
    header("Content-Transfer-Encoding: binary");
    header('Pragma: public');
    header("Content-Length: ".filesize($yourfile));
}
else
{
    header('Content-Type: "application/octet-stream"');
    header('Content-Disposition: attachment; filename="yourname.file"');
    header("Content-Transfer-Encoding: binary");
    header('Expires: 0');
    header('Pragma: no-cache');
    header("Content-Length: ".filesize($yourfile));
}

fpassthru($fp);
fclose($fp);

Talon answered 3/11, 2009 at 14:26 Comment(0)

Configure your server to send the file with the media type application/octet-stream.

Electro answered 23/9, 2009 at 12:8 Comment(0)

This means that your browser can handle this file type.

If you don't like it, the easiest method would be offering ZIP files. Everyone can handle ZIP files, and they are downloadable by default.

Substantive answered 23/9, 2009 at 12:9 Comment(0)

Nice clean solution:

<?php
    header('Content-Type: application/download');
    header('Content-Disposition: attachment; filename="example.csv"');
    header("Content-Length: " . filesize("example.csv"));

    $fp = fopen("example.csv", "r");
    fpassthru($fp);
    fclose($fp);
?>

Justitia answered 1/12, 2011 at 21:59 Comment(2)

What makes it nice and clean? – Test 28/3, 2018 at 20:14

I would just use readfile() From the docs

If you just want to dump the contents of a file to the output buffer, without first modifying it or seeking to a particular offset, you may want to use the readfile(), which saves you the fopen() call.

– Mychal 21/11, 2018 at 17:31

A previous answer on this page describes how to use .htaccess to force all files of a certain type to download. However, the solution does not work with all file types across all browsers. This is a more reliable way:

<FilesMatch "\.(?i:csv)$">
  ForceType application/octet-stream
  Header set Content-Disposition attachment
</FilesMatch>

You might need to flush your browser cache to see this working correctly.

Midsummer answered 5/8, 2013 at 14:8 Comment(1)

If you change the contenttype your pc will not longer know that this is a csv file, and your default csv programm is not offered for opening this file. – Pisgah 4/3, 2022 at 10:46

If you are doing it with your application itself... I hope this code helps.

HTML

In href -- you have to add download_file.php along with your URL:

<a class="download" href="'/download_file.php?fileSource='+http://www.google.com/logo_small.png" target="_blank" title="YourTitle">

PHP

/* Here is the Download.php file to force download stuff */

<?php
    $fullPath = $_GET['fileSource'];
    if($fullPath) {
        $fsize = filesize($fullPath);
        $path_parts = pathinfo($fullPath);
        $ext = strtolower($path_parts["extension"]);

        switch ($ext) {
            case "pdf":
                header("Content-Disposition: attachment; filename=\"" . $path_parts["basename"]."\""); // Use 'attachment' to force a download
                header("Content-type: application/pdf"); // Add here more headers for diff. extensions
                break;

            default;
                header("Content-type: application/octet-stream");
                header("Content-Disposition: filename=\"" . $path_parts["basename"]."\"");
        }

        if($fsize) { // Checking if file size exist
            header("Content-length: $fsize");
        }
        readfile($fullPath);
        exit;
    }
?>

Siderosis answered 18/9, 2014 at 6:20 Comment(4)

This model could create a major security flaw. An attacker can use it to download your source file! Use it with caution!!!! – Stanch 16/8, 2015 at 18:37

This looks like some old download script I've written years ago and you're right a hacker could try to find the location of the file. Input validation is also difficult this way. A few days ago I re-published an article with a second examples that is using a database with a hash ID to obtain the file name. It's not a perfect solution, but it points into the right redirection: web-development-blog.com/archives/php-download-file-script – Piddling 4/2, 2016 at 7:12

Talking about Null byte injection? – Nelrsa 28/3, 2018 at 20:18

Despite the need for suggested additions for security, this really is the best approach IMO. I've 8used something like this for years to allow visitors to either view or download PDF file product documentation, and now that most browsers will "play" (rather than download) an MP3, MP4, or other media file, this is the most reliable way of ensuring a download. It also makes it easy to add logging capability, so you can easily see how many people have downloaded, when they did it, and even log IP addresses. Too bad this didn't receive more up-votes! @Piddling I think I've used yours before! – Dedicated 19/3, 2019 at 15:50

To force download you may use Content-Type: application/octet-stream header, which is supported by most browsers:

function downloadFile($filePath)
{
    header("Content-type: application/octet-stream");
    header('Content-Disposition: attachment; filename="' . basename($filePath) . '"');
    header('Content-Length: ' . filesize($filePath));
    readfile($filePath);
}

A BETTER WAY

Downloading files this way is not the best idea especially for large files. PHP will require extra CPU / Memory to read and output file contents and when dealing with large files may reach time / memory limits.

A better way would be to use PHP to authenticate and grant access to a file, and actual file serving should be delegated to a web server using X-SENDFILE method (requires some web server configuration):

X-SENDFILE is natively supported by Lighttpd: https://redmine.lighttpd.net/projects/1/wiki/X-LIGHTTPD-send-file
Apache requires mod_xsendfile module: https://tn123.org/mod_xsendfile/ On Ubuntu may be installed by: apt install libapache2-mod-xsendfile
Nginx has a similar X-Accel-Redirect header: https://www.nginx.com/resources/wiki/start/topics/examples/xsendfile/

After configuring web server to handle X-SENDFILE, just replace readfile($filePath) with header('X-SENDFILE: ' . $filePath) and web server will take care of file serving, which will require less resources than using PHP readfile.

(For Nginx use X-Accel-Redirect header instead of X-SENDFILE)

Note: If you end up downloading empty files, it means you didn't configure your web server to handle X-SENDFILE header. Check the links above to see how to correctly configure your web server.

Howie answered 9/8, 2018 at 12:38 Comment(2)

Avoid using Content-Type: application/force-download, read more: https://mcmap.net/q/42301/-utility-of-http-header-quot-content-type-application-force-download-quot-for-mobile – Nostradamus 2/7, 2019 at 10:50

Replaced application/force-download with application/octet-stream – Howie 13/7, 2019 at 11:11

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

.htaccess Solution

PHP Solution

HTML

PHP

Recommended topics

Hot tags