Forcing to download a file using PHP
Solution 1
.htaccess Solution
To brute force all CSV files on your server to download, add in your .htaccess file:
AddType application/octet-stream csv
PHP Solution
header('Content-Type: application/csv');
header('Content-Disposition: attachment; filename=example.csv');
header('Pragma: no-cache');
readfile("/path/to/yourfile.csv");
Solution 2
Or you can do this using HTML5. Simply with
<a href="example.csv" download>download not open it</a>
Solution 3
This cannot be done reliably, since it's up to the browser to decide what to do with an URL it's been asked to retrieve.
You can suggest to the browser that it should offer to "save to disk" right away by sending a Content-disposition header:
header("Content-disposition: attachment");
I'm not sure how well this is supported by various browsers. The alternative is to send a Content-type of application/octet-stream, but that is a hack (you're basically telling the browser "I'm not telling you what kind of file this is" and depending on the fact that most browsers will then offer a download dialog) and allegedly causes problems with Internet Explorer.
Read more about this in the Web Authoring FAQ.
Edit You've already switched to a PHP file to deliver the data - which is necessary to set the Content-disposition header (unless there are some arcane Apache settings that can also do this). Now all that's left to do is for that PHP file to read the contents of the CSV file and print them - the filename=example.csv
in the header only suggests to the client browser what name to use for the file, it does not actually fetch the data from the file on the server.
Solution 4
Here is a more browser-safe solution:
$fp = @fopen($yourfile, 'rb');
if (strstr($_SERVER['HTTP_USER_AGENT'], "MSIE"))
{
header('Content-Type: "application/octet-stream"');
header('Content-Disposition: attachment; filename="yourname.file"');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header("Content-Transfer-Encoding: binary");
header('Pragma: public');
header("Content-Length: ".filesize($yourfile));
}
else
{
header('Content-Type: "application/octet-stream"');
header('Content-Disposition: attachment; filename="yourname.file"');
header("Content-Transfer-Encoding: binary");
header('Expires: 0');
header('Pragma: no-cache');
header("Content-Length: ".filesize($yourfile));
}
fpassthru($fp);
fclose($fp);
Solution 5
Configure your server to send the file with the media type application/octet-stream
.
Elitmiar
Updated on February 11, 2022Comments
-
Elitmiar over 2 years
I have a CSV file on my server. If a user clicks on a link it should download, but instead it opens up in my browser window.
My code looks as follows
<a href="files/csv/example/example.csv"> Click here to download an example of the "CSV" file </a>
It's a normal webserver where I have all of my development work on.
I tried something like:
<a href="files/csv/example/csv.php"> Click here to download an example of the "CSV" file </a>
Now the contents of my
csv.php
file:header('Content-Type: application/csv'); header('Content-Disposition: attachment; filename=example.csv'); header('Pragma: no-cache');
Now my issue is it's downloading, but not my CSV file. It creates a new file.
-
user6337901 over 14 yearsUsing "Content-disposition: attachment" has worked consistently for us in all FF versions, IE6 and IE7.
-
Powerlord over 14 yearsWhy not just change the Content-Type line to
Content-Type: application/octet-stream
? It seems a bit redundant to do it in an .htaccess when you're overriding it anyway. -
TEEAMO over 14 yearsthat was the inital answer to the question, the question then changed so the second part was the answer to that.
-
Chris Harrison almost 11 yearsThis doesn't work in all browsers, with all filetypes. For example, it won't work on the latest (Aug 2013) version of Chrome with PDF files and perhaps csv files too. See my answer for how to get this working in a more reliable way.
-
Sam over 9 yearsUnfortunately this isn't supported in IE or Safari: caniuse.com/#feat=download
-
The Quantum Physicist almost 9 yearsThis model could create a major security flaw. An attacker can use it to download your source file! Use it with caution!!!!
-
Olaf over 8 yearsThis looks like some old download script I've written years ago and you're right a hacker could try to find the location of the file. Input validation is also difficult this way. A few days ago I re-published an article with a second examples that is using a database with a hash ID to obtain the file name. It's not a perfect solution, but it points into the right redirection: web-development-blog.com/archives/php-download-file-script
-
Govind Rai over 7 yearsGreat Answer! I would suggest changing
'Content-Type: application/csv'
to'Content-Type: application/octet-stream'
as suggested by @Powerlord. It will be a more well-rounded answer and will help others who are not just interested in having their CSVs downloaded. Just a suggestion! Thanks! -
Faizan Noor over 7 yearsThe best part of adding download attribute is that it will force to download any type of file.
-
Prifulnath about 7 yearsCan you please tell me how, if it is a
zip
file?? -
Chuck Le Butt about 7 yearsIt's finally supported in Safari!
-
Peter Mortensen about 6 yearsWhat makes it nice and clean?
-
DIDIx13 about 6 yearsTalking about Null byte injection?
-
DavidScherer over 5 yearsTypically you'll only run into issues with content-disposition if you have a default action for downloaded files of a type set for your browser, otherwise browsers will typically follow the recommendation (for more modern versions, ymmv with old/outdated browser versions).
-
DavidScherer over 5 yearsI would just use readfile() From the docs
If you just want to dump the contents of a file to the output buffer, without first modifying it or seeking to a particular offset, you may want to use the readfile(), which saves you the fopen() call.
-
Randy about 5 yearsDespite the need for suggested additions for security, this really is the best approach IMO. I've 8used something like this for years to allow visitors to either view or download PDF file product documentation, and now that most browsers will "play" (rather than download) an MP3, MP4, or other media file, this is the most reliable way of ensuring a download. It also makes it easy to add logging capability, so you can easily see how many people have downloaded, when they did it, and even log IP addresses. Too bad this didn't receive more up-votes! @Olaf I think I've used yours before!
-
Václav about 5 yearsLove this. Saved me another night trying to figure out how to work with those damn php download headers.
-
Marco Demaio almost 5 yearsAvoid using
Content-Type: application/force-download
, read more: stackoverflow.com/a/10616753/260080 -
Marco Demaio almost 5 yearsFYI the standard HTTP
Content-Type
header for CSV istext/csv
, notapplication/csv
. -
Dima L. almost 5 yearsReplaced application/force-download with application/octet-stream
-
Radon8472 about 2 yearsIf you change the contenttype your pc will not longer know that this is a csv file, and your default csv programm is not offered for opening this file.