Force file download using PHP script and HTTP headers

Force file download using PHP


It is very frustrating to click on a link to a document you want to keep, wait for it to load, and then have it open in your browser when you had expected it to download. This happens mainly with file types the browser can render itself (for example txt, jpg, png, gif, html and pdf).


Suppose you have a file and want to make it available for people to download. If it is an HTML file or a PDF, you can't just post a link, because web browsers open those automatically; instead you need a little trickery with a PHP script, which is shown below and will hopefully help you.


PHP allows you to change the HTTP headers of the response you are writing, so that you can force a file to be downloaded. This is ideal for files like PDFs, office documents, images and video that you want your visitors to download rather than open in the browser.




<?php
// Define the path to the file you want to make downloadable
$file = '';

// File doesn't exist: stop and show an error
if (!file_exists($file)) {
    die('file not found');
}

// Set headers
header("Cache-Control: public");
header("Content-Description: File Transfer");
// Send only the file name, never the server path, as the suggested download name
header("Content-Disposition: attachment; filename=" . basename($file));
header("Content-Type: application/zip");
header("Content-Transfer-Encoding: binary");
header("Content-Length: " . filesize($file));

// Read the file from disk and send it to the browser
readfile($file);
exit;


What are HTTP headers, and how do you set them in PHP?

The header() function sends a raw HTTP header to the client (browser); put simply, it tells the browser what kind of content it is about to receive. When the server answers a request, the HTTP header information is sent to the browser ahead of the content; how much header information there is depends on the page and the content being shown.


A small set of HTTP response headers looks like this:

HTTP/1.1 301 Moved Permanently =>

Date => Fri, 25 Aug 2011 02:00:03 GMT
Server => Apache
X-Powered-By => PHP/5.3.0
X-Pingback =>
Location =>
Content-Length => 0
Connection => close
Content-Type => text/html; charset=UTF-8


It is important to note that header() must always be called before any actual output is sent (in PHP 4 and later you can use output buffering to get around this problem).
Output buffering is switched on with a single PHP function call.


PHP is not limited to outputting HTML: it can output images, PDFs and JavaScript files as well. Browsers determine what type of content they have received by analysing the headers sent. To send a header from PHP, use the header() function, which has to be called before any output is produced. Use headers_sent() to check whether the headers have already been sent and output has started.
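As an added example (not from the article), here is the interaction between output buffering, headers_sent() and a late header() call. The redirect target `/login.php` and the `$mustRedirect` condition are placeholders:

```php
<?php
// Added example (not the article's code). Shows output buffering making it safe to
// call header() after output has already been produced by the script.
ob_start();                      // everything echoed from here on is buffered, not sent

echo "<p>Some page content generated early...</p>\n";

// Later the script decides this request must become a redirect instead.
$mustRedirect = true;            // placeholder condition for the example

if ($mustRedirect) {
    if (headers_sent($file, $line)) {
        // Without ob_start() above, this branch would be taken and the redirect lost;
        // $file and $line name the script and line that produced the stray output.
        error_log("Cannot redirect: output started at $file:$line");
    } else {
        ob_end_clean();          // throw away the buffered HTML
        header('Location: /login.php', true, 302); // placeholder target
        exit;                    // always stop after a redirect header
    }
}

ob_end_flush();                  // normal path: send the buffered content
```

The `exit` after the Location header is not optional: PHP keeps running otherwise, and whatever the script does next (queries, writes, more output) happens for a request that the browser has already abandoned.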

Many different headers are in use; here are some examples.


// Status code (301, 302, 404, 403) headers
// Use this header to send an explicit 200 OK (for example from a custom error page)
header('HTTP/1.1 200 OK');


// Page was not found:
header('HTTP/1.1 404 Not Found');


// Access forbidden:
header('HTTP/1.1 403 Forbidden');


// A permanent move (301) should be used for all lasting redirections, because search engines
// then know what is going on and can update their URLs in the webmaster tools
header('HTTP/1.1 301 Moved Permanently');


// Server error
header('HTTP/1.1 500 Internal Server Error');


// Redirect to a new location (put the target URL after "Location: " and call exit afterwards):
header('Location: ');


// Redirect with a delay (put the target URL after "url="):
header('Refresh: 10; url=');
print 'You will be redirected in 10 seconds';


// you can also use the HTML syntax
// <meta http-equiv="refresh" content="10;" />

// override the X-Powered-By value (the second call replaces the first)

header('X-Powered-By: PHP/4.4.0');
header('X-Powered-By: Brain/0.6b');


// content language (en = English)
header('Content-language: en');


// last modified (good for caching)
$time = time() - 60; // or filemtime($fn), etc.
header('Last-Modified: ' . gmdate('D, d M Y H:i:s', $time) . ' GMT');


// header telling the browser that the content has not changed
header('HTTP/1.1 304 Not Modified');


// set content length (good for caching; must match the actual body size)
header('Content-Length: 5000');


// Disable caching of the current document
header('Cache-Control: no-cache, no-store, max-age=0, must-revalidate');
header('Expires: Mon, 26 Jul 1999 05:00:00 GMT'); // a date in the past
header('Pragma: no-cache');


// set content type (what kind of content the page contains)
header('Content-Type: text/html; charset=iso-8859-1');
header('Content-Type: text/html; charset=utf-8');
header('Content-Type: text/plain'); // plain text file
header('Content-Type: application/x-shockwave-flash'); // Flash animation
header('Content-Type: image/jpeg'); // JPG picture
header('Content-Type: application/pdf'); // PDF file
header('Content-Type: audio/mpeg'); // Audio MPEG (MP3, ...) file
header('Content-Type: application/zip'); // ZIP file


// show sign-in box
header('HTTP/1.1 401 Unauthorized');
header('WWW-Authenticate: Basic realm="Top Secret"');
print 'Text that will be displayed if the user hits cancel or ';
print 'enters wrong login data';


// Headers for a download
header("Cache-Control: public");
header("Content-Description: File Transfer");
header("Content-Disposition: attachment; filename=$file");
header("Content-Type: application/zip");
header("Content-Transfer-Encoding: binary");
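The 401 / WWW-Authenticate pair above only makes the browser show the sign-in box; the script still has to check what the user typed. The following is an added example (not from the article) of that server-side half. `$users` is a hypothetical in-memory user table whose values are password_hash() results, generated on the fly here so the example runs on its own; a real application stores the hashes:

```php
<?php
// Added example, not the article's code: the server-side check behind the
// "show sign in box" headers. $users is a constructed sample user table.
$users = [
    'alice' => password_hash('correct-horse', PASSWORD_DEFAULT), // constructed sample account
];
// Hash used for unknown user names, so a failed lookup takes as long as a failed password.
$dummyHash = password_hash('unused', PASSWORD_DEFAULT);

function requireBasicAuth(array $users, string $dummyHash, string $realm = 'Top Secret'): string
{
    // The Apache PHP module fills these in from the Authorization: Basic header.
    $user = $_SERVER['PHP_AUTH_USER'] ?? '';
    $pass = $_SERVER['PHP_AUTH_PW']   ?? '';

    // password_verify() does a constant-time comparison of the bcrypt hash.
    $ok = $user !== '' && password_verify($pass, $users[$user] ?? $dummyHash);

    if (!$ok) {
        // 401 plus WWW-Authenticate is what makes the browser show the sign-in box;
        // the body is what the user sees after pressing Cancel or failing repeatedly.
        header('HTTP/1.1 401 Unauthorized');
        header('WWW-Authenticate: Basic realm="' . $realm . '"');
        exit('Text that will be displayed if the user hits cancel or enters wrong login data');
    }
    return $user;
}

$who = requireBasicAuth($users, $dummyHash);
echo 'Hello, ' . htmlspecialchars($who, ENT_QUOTES, 'UTF-8');
```

Two things to keep in mind when using this: Basic authentication sends the user name and password base64-encoded (not encrypted) on every request, so it is only acceptable over HTTPS; and `PHP_AUTH_USER` / `PHP_AUTH_PW` are populated by the Apache module, so under CGI or FastCGI set-ups the Authorization header may need to be passed through and decoded by hand.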


Essential security tips to protect your website from being hacked

If you are a website owner or programmer, you are probably aware of the threat of hackers. Whether the website is the web presence of a large organisation, a gallery showing your product range and inviting customers into the shop, or a personal site exhibiting your photos, web security always matters.
JavaScript (client-side) validation on its own is not very secure.

There are many ways to hack a website, but there is always a defence against each threat: with strong server-side validation
we can protect our website from being hacked. There are many rules for making a site secure; here are some for a PHP website.


1. Proper validation should be present on all forms; use a CAPTCHA/reCAPTCHA on forms.
In this type of attack a script fills in the forms automatically and submits unwanted data to the database in bulk.
The data may be a script that deletes very important data from your database or alters your website's database automatically.


2. Proper permissions should be set on files and folders.
In this attack the hacker plants a small file that will control your website.
Loose permissions let an attacker update or delete your web scripts, which can mean business loss (for example a shopping cart) and a lot of grief for the programmer.


3. mysql_real_escape_string() should be used in login forms to protect the site from SQL injection.
In this type of attack the user is able to execute SQL queries of their choosing against the website's database.
It is usually performed by entering text into a form field (mainly the login form) which causes the subsequent SQL query,
generated by the PHP form-processing code, to execute part of the field's content as though it were SQL.
The effects of this attack range from the relatively harmless (using SELECT to pull a different data set)
to deletion of the database. Site data may also be changed, or new data added.
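The tip above is written in terms of the old mysql_ extension, which was removed in PHP 7.0. The approach that replaced escaping is the prepared statement, where the SQL text is fixed and the form value travels separately as a bound parameter, so it can never be parsed as SQL. As an added example (not the article's code, and a different technique from the mysql_real_escape_string() it recommends), here is the login query written that way. It uses an in-memory SQLite database with constructed sample data so it runs stand-alone; the same `prepare`/`execute` calls work unchanged against MySQL through PDO:

```php
<?php
// Added example (not from the article). Login lookup with a prepared statement.
// Assumption: the SQLite PDO driver is available; the users table is constructed here.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side parameters
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pwhash TEXT)');
$ins = $db->prepare('INSERT INTO users (username, pwhash) VALUES (?, ?)');
$ins->execute(['alice', password_hash('s3cret', PASSWORD_DEFAULT)]); // constructed sample row

// The vulnerable shape the tip describes (shown only as a comment, never run):
// $sql = "SELECT id FROM users WHERE username='$u' AND password='$p'";
// Here the quotes and keywords inside $u become part of the SQL text.

function login(PDO $db, string $username, string $password): ?int
{
    // The query text is constant; :u is filled in by the driver as a value, not as SQL.
    $stmt = $db->prepare('SELECT id, pwhash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                       // unknown user name
    }
    // Never store or compare plain-text passwords; compare against the stored hash.
    return password_verify($password, $row['pwhash']) ? (int) $row['id'] : null;
}

// Constructed inputs: a normal login, a wrong password, and a user name containing
// quote characters and SQL keywords, which is simply looked up as a literal string.
var_dump(login($db, 'alice', 's3cret'));
var_dump(login($db, 'alice', 'wrong'));
var_dump(login($db, "alice' OR 1=1 --", 'anything'));
```

Running it, the first call returns the id of the sample row, and the other two return NULL: the third user name does not match any row because the whole string, quotes and all, is compared as a value. Note that the password is checked in PHP with password_verify() rather than in the WHERE clause, which is also what keeps the hash, not the password, in the database.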


4. The folder/directory structure should not be visible publicly. This can be done in two ways: by putting a blank index.html in every directory, or by using .htaccess protection.
This attack can occur anywhere in the website's file system. If a user supplies "../../../../scriptarticle" as form data and your script appends that to a directory name
to obtain user-specific files, the string could lead to the contents of the password file being included.
It can also allow files to be moved, deleted or corrupted, and arbitrary changes to be made to your file system structure.


5. File upload sections of forms must be properly validated against a list of acceptable file types.
Nowadays, 80% of websites give users a "my account" section from which they can upload photos or files.
Without proper validation a hacker can upload a script, run it easily, and perform almost any operation they want.
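What "proper validation" of an upload looks like in practice is easier to show than to describe. The following is an added example (not the article's code) that accepts only images, decides the type from the file contents rather than from the name or the browser-supplied type, assigns its own file name, and stores the result in the hypothetical directory `$storeDir` outside the web root, so that even a file that slips through can never be requested and executed as a script. The form field name `photo` is an assumption:

```php
<?php
// Added example (not from the article). Validates an uploaded image before saving it.
// Assumptions: the form field is named "photo" and $storeDir is a hypothetical
// directory outside the document root.
$storeDir = '/var/app/uploads';                 // assumption: not reachable via a URL
$maxBytes = 2 * 1024 * 1024;
$allowed  = [                                   // MIME type detected from content => extension we assign
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

function storeUpload(array $file, string $storeDir, int $maxBytes, array $allowed): string
{
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . $err);
    }
    if (!is_uploaded_file($file['tmp_name'])) {   // only accept PHP's own temp file
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > $maxBytes) {
        throw new RuntimeException('file too large');
    }
    // Sniff the real type; $file['type'] and the original extension are both
    // supplied by the client and are deliberately ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('unsupported type ' . $mime);
    }
    // For images, also require that the file actually decodes as one.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }
    // Never reuse the client's name: generate our own, with our own extension.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($storeDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);                          // data only, never executable
    return $name;
}

try {
    $saved = storeUpload($_FILES['photo'] ?? [], $storeDir, $maxBytes, $allowed);
    echo 'Stored as ' . htmlspecialchars($saved, ENT_QUOTES, 'UTF-8');
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'Upload rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```

Storing outside the document root is the layer that makes the next tip's .htaccess rule a second line of defence rather than the only one: a file the web server cannot map to a URL cannot be executed by requesting it, whatever its contents.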


6. .htaccess must prevent scripts from being executed from the address bar.
In this type of attack a hacker places a script in the address bar and executes it, with the result that a file is created in the website folder.


These are some basic precautions that should be taken; many more methods are in use in web-based software nowadays.
SSL is also a very secure method. These authentication protocols operate directly over HTTP (or SSL/TLS), with credentials embedded
right in the request/response traffic, but it is costly for a personal portal.