PHP File Transfer - How does this work?

Question

So, in another QUESTION, I got this answer:

$filename="filetodownload.xyz";
$cf = realpath("/non-webaccessible-folder/".$filename);
$file=$cf;

header('Content-Disposition: attachment; filename="' . basename($cf) . '"');
header("Content-Length: " . filesize($cf));
header("Content-Type: application/octet-stream");
readfile(realpath($cf));

I was able to get it working for my purposes by just using the top header line:

header('Content-Disposition: attachment; filename="' . basename($cf) . '"');

There are some questions I have about the whole solution though, to increase my understanding:

1. Is the purpose of using basename() simply to strip the path from the filename?

2. What is the purpose of realpath()? In my usage, it seems to make no difference whatsoever. Based on what I've found, it seems to just 'standardize' filepath inputs. Is that correct?

3. I don't seem to need the last three lines to make this work:

header("Content-Length: " . filesize($cf));

header("Content-Type: application/octet-stream");

readfile(realpath($cf));

Do I need them? What do they do? I should note that I'm testing just using localhost, in case that makes a difference.

Is there any kind of security considerations I should make when using this method for providing file downloads?

For 3 is to let the browser know how big the file is so the user can see that. Othwise it displays as *downloaded 1mb of unknown filesize* — Xorifelse, Apr 08 '16 at 12:43
The realpath is used for a number of reasons. for the answer in this case, I had used it as the path to the folder containing the file was a virtual directory on a windows server. Without realpath, file_exists and other functions didn't seem to work reliably. Once I used realpath, the scripts ran as expected. It was a recommendation I found from another location at the time. — LuvnJesus, Apr 09 '16 at 18:41

score 1 · Accepted Answer · answered Apr 08 '16 at 12:45

Is the purpose of using basename() simply to strip the path from the filename?

Yes, this header is what is used by the browser to present to the user a filename to save the downloaded file as. You wouldn't want to offer the user a full filepath, just the filename, and I'm not sure the browser would even present a full filepath to the user.

What is the purpose of realpath()? In my usage, it seems to make no difference whatsoever. Based on what I've found, it seems to just 'standardize' filepath inputs. Is that correct?

It resolves relative and symbolic links to their absolute paths, which is probably what you mean by 'standardizing'. If you only ever supply it absolute paths, it'll do nothing.

I don't seem to need the last three lines to make this work:

header("Content-Length: " . filesize($cf));

header("Content-Type: application/octet-stream");

readfile(realpath($cf));

Do I need them? What do they do? I should note that I'm testing just using localhost, in case that makes a difference.

You should keep them all. The first two headers tell the browser how big the file is and what type of file it is. Right now you're using a generic media type, but if you were to send, say a PDF file, you could use the more-specific PDF media type and the browser would let the user know they're downloading a PDF.

I also don't think downloading would work without the last line... That's what's actually reading the file by PHP and sending it to your browser. If you omit it, you'll probably end up downloading a blank file.

Thanks for the info. It turns out that I do indeed need readfile. As you suspected, omitting it caused an empty file to download. However, I don't really seem to NEED the other two headers (I'll only ever be transferring .zips) but I will leave them in as per your advice. I've opened yet [ANOTHER QUESTION](http://stackoverflow.com/questions/36503964/php-file-transer-echo-breaks-things-alternate-for-debugging) relating to this — JEJoll, Apr 08 '16 at 15:48

PHP File Transfer - How does this work?

1 Answers1

Linked