2011-06-25 11:44



I am downloading file from server to local computer like this:

$file = ( "TestFile.txt" );     
header( "Content-Type: application/octet-stream" );
header( "Accept-Ranges: bytes" );
header( "Content-Length: " . filesize( $file ) );
header( "Content-Disposition: attachment; filename=testfile.txt" );
readfile( $file );

It is working but it always save file in download folder without asking location. I want to open window like saving any document in OpenOffice/MS Word with option to choose any location on file system and create new folder option. My desired window also opears when we save as in browser window.

Hope you understand my problem. Is it possible to do this which work in all browsers/OS.


  • 点赞
  • 写回答
  • 关注问题
  • 收藏
  • 复制链接分享
  • 邀请回答


  • donglvmang8638 donglvmang8638 10年前

    The specification of Content-Disposition reads that the receiving user agent should ignore any path component in filename parameter value:

    The receiving [user agent] SHOULD NOT respect any directory path information that may seem to be present in the filename parameter. The filename should be treated as a terminal component only.

    The reason for this is that it prones a security vulnerability:

    Since this memo provides a way for the sender to suggest a filename, a receiving [user agent] must take care that the sender's suggested filename does not represent a hazard. Using UNIX as an example, some hazards would be:

    • Creating startup files (e.g., ".login").
    • Creating or overwriting system files (e.g., "/etc/passwd").
    • Overwriting any existing file.
    • Placing executable files into any command search path (e.g., "~/bin/more").
    • Sending the file to a pipe (e.g., "| sh").
    点赞 评论 复制链接分享
  • dshyu6866 dshyu6866 10年前

    not directly via a header, but you could use a java applet, or possibly flash to do the job.

    点赞 评论 复制链接分享
  • dongyuyi5680 dongyuyi5680 10年前

    There is no such thing as you propose. It is up to the client (i.e. the web browser) how to handle HTTP responses, and in particular how to deal with non-displayable content (such as your octet-stream). Most browsers will offer a download option, but there is no requirement that this be of any particular form. Passing a suggested file name as you do is about as much as current browsers will interpret.

    Of course there could always be a custom-made browser somewhere that will accept additional header information, but no widespread browsers currently do. Bear in mind that in general we do not want to expose any information about the client's environment to the internet, so even suggesting something like a download path could be seen as a violation of that. Imagine I suggest /etc/passwd as the desired location.

    If you really like to sniff around your visitors' hard disks, use an ActiveX or Java applet :-)

    点赞 评论 复制链接分享