I want to use the following code to allow users to download .iso, .deb, and .tar.gz files from my website on a shared server on my web host, but it fails miserably. Besides the initial warnings, it appears that the readfile command is literally opening and reading the file. It works perfectly on my local Apache server.

```php
<?php

$php_scripts = '../../php/';
require $php_scripts . 'PDO_Connection_Select.php';
require $php_scripts . 'GetUserIpAddr.php';

function mydloader($l_filename = "")
{
    $ip = GetUserIpAddr();
    if (!$pdo = PDOConnect("foxclone_data")) {
        exit;
    }

    /* The file name comes straight from the request (see the NOTE below) */
    $file = $l_filename;

    if (file_exists($file)) {
        header('Content-Description: File Transfer');
        header('Content-Type: application/octet-stream');
        header('Content-Disposition: attachment; filename="' . basename($file) . '"');
        header('Expires: 0');
        header('Cache-Control: must-revalidate');
        header('Pragma: public');
        header('Content-Length: ' . filesize($file));  /* Read the size of the file */
        readfile($file);
        exit;
    }
    /* Clear system output buffer */
    flush();
}

mydloader($_GET["f"]);
exit;
```
Here's a screenshot of what happens when run on the webhost:
![Screenshot](https://imgur.com/2SqiLu4)

NOTE: For security, the code will eventually be modified to pass a number to this script and do a lookup in the database to get a filename rather than passing the filename directly.

    Looking at the first message, which is where things start to go wrong, it says there's something on line 1 of PDO_Connection_Select.php that is sending output to the browser. After that, headers can no longer be sent (because they're sent before the body), so all the other headers about things like disposition and the like are discarded (with error messages to that effect).

    So: what is on line one? It should probably just say <?php; make sure there's nothing before it in the file. Even a byte-order-mark. (Old versions of Windows Notepad would insist on adding a BOM even on files saved as UTF-8.)

    Without knowing the contents of PDO_Connection_Select.php (which might have sensitive information like passwords and server addresses), it's hard to know what the problem is in that file. It may be calling functions which are defined on your local Apache but which are not defined on the web host. E.g., your local Apache server might be properly configured to activate/install the PDO extension whereas your webhost might not be.
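
An added example, not code from the original post or its replies: a download handler that takes a numeric id instead of a file name, as the NOTE in the question plans, and refuses to stream when output has already started, the failure the replies diagnose. Assumptions: the `downloads` directory, the `id` parameter, the function names and the sample catalogue are hypothetical, and a fixed array stands in for the database lookup.

```php
<?php
// Added example. Assumptions (hypothetical): files live in DOWNLOAD_DIR and a
// fixed array stands in for the database lookup mentioned in the question.
const DOWNLOAD_DIR = __DIR__ . '/downloads';

// Constructed sample catalogue: numeric id => file name inside DOWNLOAD_DIR.
const CATALOGUE = [1 => 'example.iso', 2 => 'example.deb', 3 => 'example.tar.gz'];

function resolveDownload(string $rawId): ?string
{
    // Accept digits only, so no path fragment ever comes from the request.
    if (!ctype_digit($rawId) || !isset(CATALOGUE[(int) $rawId])) {
        return null;
    }
    $base = realpath(DOWNLOAD_DIR);
    $path = realpath(DOWNLOAD_DIR . '/' . CATALOGUE[(int) $rawId]);
    // realpath() resolves symlinks and "..": the result must stay under $base.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

function sendDownload(string $path): void
{
    // If an include already produced output (a BOM, whitespace, a warning),
    // headers_sent() reports the file and line where that output started.
    if (headers_sent($file, $line)) {
        error_log("download aborted: output started at $file:$line");
        exit;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
    exit;
}

$id = $_GET['id'] ?? null;
$path = is_string($id) ? resolveDownload($id) : null;
if ($path === null) {
    http_response_code(404);
    exit;
}
sendDownload($path);
```

Logging the file and line from `headers_sent()` points at the include that emitted the stray bytes without showing server paths to the visitor.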
