1

I'm trying to display a .pdf file in a PHP application. It works perfectly well on my local development setup, but on production the same code displays the PDF as garbled text.

These are the request headers I'm using:

<?php
$file = $_GET["f"];
$filename = 'contrato.pdf';
header('Content-type: application/pdf');
header('Content-Disposition: inline; filename="' .$filename. '"');
header('Content-Transfer-Encoding: binary');
header('Accept-Ranges: bytes');
readfile($file);
?>

These are the production response headers according to chrome:

Connection:Keep-Alive
Content-Encoding:gzip
Content-Type:text/html
Date:Mon, 03 Apr 2017 21:31:19 GMT
Keep-Alive:timeout=15, max=189
Server:Apache
Transfer-Encoding:chunked
Vary:Accept-Encoding

On the development setup, the response headers are these:

Accept-Ranges:bytes
Connection:Keep-Alive
Content-Disposition:inline; filename="contrato.pdf"
Content-Transfer-Encoding:binary
Content-Type:application/pdf
Date:Mon, 03 Apr 2017 21:33:44 GMT
Keep-Alive:timeout=5, max=100
Server:Apache/2.4.7 (Win32) PHP/5.5.8
Transfer-Encoding:chunked
X-Powered-By:PHP/5.5.8

Could it be due to the Apache settings?

P. Hoffmann
  • Just to check: The garbled output starts with something like: `%PDF-1.3`? You need to switch on error reporting in PHP. See if anything has been sent before you send your headers. – KIKO Software Apr 03 '17 at 21:42
  • Probably some proxy or server changing it, or your request to change headers is being denied by PHP. Check your errors: http://stackoverflow.com/q/845021/1255289 – miken32 Apr 03 '17 at 22:06
  • Yes, it starts with something like that. Errors are off on production, good idea to turn them on to debug this. – P. Hoffmann Apr 03 '17 at 22:17
  • As suggested by @KIKOSoftware, something is being sent to the browser first; even a single space will cause it to not work. – Jonathan Apr 04 '17 at 02:38
  • Also I hope that's not your real code. This will allow someone to read ANY file that Apache can read, such as your entire PHP source code. – Jonathan Apr 04 '17 at 02:39
  • Don't forget that in some cases a UTF-8 BOM can also cause problems with sending headers. You cannot even see it. – KIKO Software Apr 04 '17 at 07:09
  • @Augwa you were right, a space was being sent before the headers. Thank you! – P. Hoffmann Apr 04 '17 at 13:12

1 Answer

-2

I think it's the error in this line:

header('Content-type: application/pdf');

Note the small letter t.

This line should be like this:

header('Content-Type: application/pdf');

Also note that you are reading a file using `$_GET["f"]`. This is wrong; instead, read the file from the `$filename` variable. Change the last line to:

readfile($filename);

Anyway here's the correction of your code:

<?php
$file = $_GET["f"];
$filename = 'abc.pdf';
header('Content-Type: application/pdf');
header('Content-Disposition: inline; filename="' .$file. '"');
header('Content-Transfer-Encoding: binary');
header('Accept-Ranges: bytes');
readfile($filename);
?>
  • I also noticed that and tried with the uppercase T; it didn't make any difference. Regarding the filename variable, I don't think it's the issue because I can access the file. The problem is it appears as text/html. – P. Hoffmann Apr 03 '17 at 22:15
  • Instead of reading the $filename, you are reading $file, which is a parameter sent by the users. Use: readfile($filename); in the last line. – Muhaimen Ezabbad Apr 03 '17 at 23:51
  • @Muhaimen *"instead of reading the $filename, you are reading $file"* - probably that is exactly what the OP wants, sending a file given by a parameter with a header claiming the given file name. In that case this may be a security issue though, as the parameter is not checked. – mkl Apr 04 '17 at 04:28
  • @mkl, you're right, $file contains the path and name of the file to be displayed. Thanks. – P. Hoffmann Apr 04 '17 at 12:56
  • @P.Hoffmann, if this is your code, and you let the users send you the real path of the file to be read, then this is a bad way of implementation. – Muhaimen Ezabbad Apr 05 '17 at 00:31
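
A hardened version of the script discussed in this thread, added here as an example and not code posted by any participant. It confines the `f` parameter to one directory (the unchecked-parameter concern raised in the comments) and logs where output started when headers can no longer be sent (the stray space that left the response as `text/html`). `PDF_DIR` and `resolve_pdf()` are hypothetical names, and the directory path is an assumption.

```php
<?php
// Added example. PDF_DIR is an assumed location; keep the documents
// outside the web root so they are reachable only through this script.
define('PDF_DIR', '/var/www/private/contracts');

/**
 * Resolve a user-supplied name to a real path inside $baseDir.
 * Returns null if it escapes the directory or is not an existing .pdf.
 */
function resolve_pdf($baseDir, $requested)
{
    $base = realpath($baseDir);
    if ($base === false || !is_string($requested) || $requested === ''
        || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "../" and symlinks and fails on missing files.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || !is_file($path)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved to a location outside PDF_DIR
    }
    if (strtolower(pathinfo($path, PATHINFO_EXTENSION)) !== 'pdf') {
        return null;
    }
    return $path;
}

// If a space, BOM or include has already produced output, header() calls
// are ignored and the response keeps the default Content-Type: text/html.
if (headers_sent($sentFile, $sentLine)) {
    error_log("PDF headers blocked: output started at $sentFile:$sentLine");
    exit;
}
$path = resolve_pdf(PDF_DIR, isset($_GET['f']) ? $_GET['f'] : '');
if ($path === null) {
    http_response_code(404);
    exit;
}
while (ob_get_level() > 0) {
    ob_end_clean(); // drop buffered stray output so the PDF bytes stay intact
}
header('Content-Type: application/pdf');
header('Content-Disposition: inline; filename="contrato.pdf"');
readfile($path);
```

The `headers_sent()` log line names the file and line where the unexpected output began, which works even with `display_errors` off on production.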