Posted by Rik Wasmus on 09/01/07 03:52

On Fri, 31 Aug 2007 14:14:53 +0200, The Natural Philosopher <a@b.c> wrot=
e:

> Ok. I need a little guidance here.
>
> Environment.
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
>
> Apache2/PHP5/Mysql/debian etch.
>
> Application
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
>
> I want data files to be stored somewhere apache can't get to them =

> directly, for security, but be available for download via a PHP script=


You mean Apache CAN get them, it's just not available with a straight HT=
TP =

request (allthough it might not be an issue here there is a serious =

difference).

> (after various authentication stuff that seems to work so far) by =

> clicking on web page button, this to invoke:-
>
> (a new page, that is actually a file download HTML thingie?)
>
> Now it seems that if the opened URL is say a GET type form that takes =
=

> some form of file ID, and is a PHP program itself, all I need to do is=
a =

> mix of http_send_file() type stuff to push the data down a new browser=
=

> 'window'

If you have the HTTP extention enabled (off be default) =

http://nl3.php.net/manual/en/ref.http.php

>
> I.e conceptually if the button is a link to say :-
>
> <A HREF=3D"download_php?link_id=3DNNNN"> or whatever (never mind the s=
yntax: =

> Thats what manuals are for) then essentially what my 'download_php' =

> wants to do is:-
>
> - validate the user (REMOTE_USER) has rights to access the file, in ca=
se =

> of spoofing by manually typing the above command..

Check.

> - send a load of header data (this is where I am unclear)

What 'load'? What is you intended behaviour?

> - send the file
> - go back home.

'Go back home' is not really an option PHP provides. If you however clic=
k =

a link that would start a download a lot of UA's default behaviour is to=
=

keep displaying the current page if the link just triggers a download =

instead of a new page. If you want more (complex), javascript (or any =

client side solution, java and flash could also be used) is the way to g=
o.

>
> Now in most cases these are files that do not require an application t=
o =

> open them.
>
> I want to ensure they get downloaded to disk,and only if the local =

> browser recognizes them, should they get opened by a local app.

Well, you cannot really control a browser. People might have preferences=
=

overriding your intended behaviour.

> Now the standard blurb shows this fragment as most of what I want, I =

> think:
>
> <?php
> http_send_content_disposition("document.pdf", true);
> http_send_content_type("application/pdf");
> http_throttle(0.1, 2048);
> http_send_file("/my_inaccessible_to_apache_path/report.pdf");
> ?>
>
> But I need someone to confirm that this is the general approach that =

> will get me what I want,

I'm not really familiar with the HTTP extention, a normal PHP approach =

would be:

<?php
header('Content-type: application/pdf');
header('Content-Disposition: attachment; filename=3D"document.pdf"');
readfile('/path/to/file');
?>

If you really want a chunked upload check out the user comments at =

<http://nl3.php.net/manual/en/function.readfile.php>

> and enlighten me as to what mime types I should use..

The real mime-type as far as possible.

> and how this will interact with the browser, and its understanding of =
=

> MIME types.

Which is configurable by the user in most current UA's. For the most par=
t =

you'll just have to trust your users to have their browser configured =

according to their wishes. Offcourse, for some major browsers there are =
=

some 'tricks', but they are just that: tricks, not a reliable, certain =

configuration.
-- =

Rik Wasmus

My new ISP's newsserver sucks. Anyone recommend a good one? Paying for =

quality is certainly an option.

[Back to original message]