Start a download with PHP without revealing file URL

Question

I want ta start a download using PHP, but I don't want the user to know the URL of the file which is downloading.

I have read a lot of answers in StackOverflow but all I have found are showing the URL of the downloaded file.

Here is what I want to do, in example:

This is the PHP file, the user will see this URL: http://website.com/download.php

This is the URL of the downloaded file, I don't want the user to see this URL: http://website.com/file.zip

Is there any way to do this?

possible duplicate of [A PHP script to let users download a file from my website without revealing the actual file link in my website?](http://stackoverflow.com/questions/3252387/a-php-script-to-let-users-download-a-file-from-my-website-without-revealing-the) — Liam Sorsby, Sep 26 '14 at 17:57

score 1 · Answer 1 · answered Sep 26 '14 at 18:13

Before renderring the page store the download url somwhere (in session for example) and generate some unique hash, which later you can use to identify which file should be downloaded:

$SESSION['file_download']['hash'] = md5(time) . '_' . $userId; // lets say it equals to 23afg67_3425
$SESSION['file_download']['file_location'] = 'real/path/to/file';

When renderring show the user following download url:

http://yourdomain.com/download_file.php?hash=23afg67_3425

If user clicks it you send the file to user, but only allow this one time or during the current session. By this I mean that you should create new source file called download_file.php with following content:

if ($_GET['hash'] == $SESSION['file_download']['hash']) {
  // send file to user by outputing the file data to browser
    $file = $SESSION['file_download']['file_location'];

    header('Content-Description: File Transfer')
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename='.basename($file));
    header('Expires: 0');
    header('Cache-Control: must-revalidate');
    header('Pragma: public');
    header('Content-Length: ' . filesize($file));
    readfile($file);

  // optionaly reset $SESSION['file_hash'] so that user can not download again during current session, otherwise the download with generated link will be valid until user session expires (user closes the browser)
} else {
  // display error message or something
}

score 0 · Answer 2 · answered Sep 26 '14 at 18:02

0

It depends of what do you want to hide. the URL will ever be shown to the user but if you dont want the user know which parameters (or values) send you can encode them and send them by a POST request via AJAX.

answered Sep 26 '14 at 18:02

MikeVelazco

885
2
13
30

score 0 · Answer 3 · answered Sep 26 '14 at 18:13

0

Try this:

    $file = './file.zip';
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="'.basename($file).'"'); //<<< Note the " " surrounding the file name
    header('Content-Transfer-Encoding: binary');
    header('Connection: Keep-Alive');
    header('Expires: 0');
    header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
    header('Pragma: public');
    header('Content-Length: ' . filesize($file));

answered Sep 26 '14 at 18:13

Eugene

547
4
11

I tried to start downloading a video (MP4) file, it starts the download but finishes immediately. It downloads a file with 0 bytes. – Idrizi.A Sep 26 '14 at 18:27
if you try to download directly is it downloaded normally/ – Eugene Sep 26 '14 at 18:35
Yes. If I go to the video and click Save As, the download starts normally. – Idrizi.A Sep 26 '14 at 18:39

Start a download with PHP without revealing file URL

3 Answers3

Linked