PHP: How to hide URL

Question

I have the following download.php script to download a file, which works great:

<?php

header("Content-Type: application/octet-stream");

$file = $_GET["file"];
header("Content-Disposition: attachment; filename=" . urlencode($file));   
header("Content-Type: application/force-download");
header("Content-Type: application/octet-stream");
header("Content-Type: application/download");
header("Content-Description: File Transfer");            
header("Content-Length: " . filesize($file));
flush(); 
$fp = fopen($file, "r");
while (!feof($fp))
{
    echo fread($fp, 65536);
    flush(); 
} 
fclose($fp);

?>

What I want to achieve is to hide the URL where this file is located, so that when the user clicks a link such as <a target="_blank" href="http://domain.com/files/download.php?file=filename.pdf">Download file</a> , a new tab opens up with no URL and starts downloding the file. What is actually happening is the new tab opens and the file download starts but the URL bar is displaying http://domain.com/files/download.php?file=filename.pdf .

If this cannot be done with php, how can I achieve this? I have seen several downloads where the URL is not shown, so I know this is somehow possible.

EDIT: Here is the reason I want to do this: We will send a html mailing with a link to the file download, and the website where this file download is hosted is not the website from the company which sends the mail.

As always, thank you very much.

Answer 1

A typical way doing this, is to place the files you want to provide for download outside your docroot. Your download script should know about this place and has to process the requested filename considering this.

For example:

path/in/your/system/docroot/download.php and path/in/your/system/files/filename.pdf

If someone is requesting download.php?file=filename.pdf your script has to look up in path/in/your/system/files/ for this file and has to handle it.

Answer 2

In the end, it's not possible because the user can open Google Inspector and check the Network tab.

Edit: If that's the case, you would use JavaScript:

Edit 2: In case the popup is blocked by the browser or addon, use a fallback:

Edit 3: In case JS is disabled:

<head><meta http-equiv="refresh" content="5;http://domain.com/files/download.php?file=filename.pdf"> 
    <script>
     var win = window.open("http://domain.com/files/download.php?file=filename.pdf");
      if (!win) {
               window.location = "http://domain.com/files/download.php?file=filename.pdf";      
      }
    </script>
  </head>

Edit 4: If you don't want the user to see the domain of the user site at all, get your PHP script to download the file and then output that to the user:

header("Content-Type: application/octet-stream");

$file = $_GET["file"];
$file = 'http://otherdomain.com/location/' . $file; // This line should suffice for all that you're trying to do
header("Content-Disposition: attachment; filename=" . urlencode($file));   
header("Content-Type: application/force-download");
header("Content-Type: application/octet-stream");
header("Content-Type: application/download");
header("Content-Description: File Transfer");            
header("Content-Length: " . filesize($file));
flush(); 
$fp = fopen($file, "r");
while (!feof($fp))
{
    echo fread($fp, 65536);
    flush(); 
} 
fclose($fp);

Answer 3

You can create a new window with iframe content to that URL.

var win = window.open("", "Title", "toolbar=no, location=no, directories=no, status=no, menubar=no, scrollbars=yes, resizable=yes, width=780, height=200, top="+(screen.height-400)+", left="+(screen.width-840));
win.document.body.innerHTML = "<iframe src='YOUR URL'></iframe>";

Answer 4

如果删除target="_blank"则不会打开新选项卡，只会下载文件。

Answer 5

将表单作为POST提交并使用$ _REQUEST获取文件：

$file = $_REQUEST["file"];