Home/ Questions/Q 6111867
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-23T14:40:47+00:00

I generate a *.csv file with PHP and it works great. The problem is,

  • 0

I generate a *.csv file with PHP and it works great. The problem is, it contains a bunch of sensitive data. I’ve done my permissions very carefully, so you can’t get to the download link or generate the file without being the correct user.
The issue that I run into, is that right after the user downloads the file, the file needs to be deleted right away. The chance is small, I realize, that someone would be sitting there scanning my site structure, but the data is important enough to where I want to cover my ass 🙂

I had this at first:

<a href="<?php echo base_path().$ourFileName ?>"><?=$ourFileName?></a>

Which works great to just download the file, but I was having a hard time doing any kind of actions with it, because if you nest PHP code inside an OnClick=”” it will be executed before the click happens, because all PHP code is rendered server-side before the HTML and JAVASCRIPT is processed…right? I searched the internet, and it didn’t seem like I could get javascript to have the perms to delete the file…admittedly, I could be very wrong.

So I turned my link into a form:

<?PHP
if(isset($_POST['submit']))
{
    header("Location: ".base_path().$ourFileName);
    unlink(base_path().$ourFileName);
}?>

<form action="<? $PHP_SELF ?>" method="post">
<input type="submit" value="Submit" name="submit">
</form>

But obviously, the unlink() will never be reachable because of the header…at least I think…
Is there another way besides header() to download the file to them?
I realize I could just run a cron job every minute or something and just:

rm -rf *.csv

And that would take care of the issue, but what happens if a user is in the process of downloading the file and cron starts to run? Or the page is generated, but they don’t click on the link for a while for some reason?

Maybe there’s some way to configure my .htaccess file so you can only access the file if linking from a page?

Am I over complicating this?

Any ideas gurus of the interweb?

–edit
Per popular suggestion, I’m working on the new header format so the code looks like this:

<?PHP if(isset($_POST['submit']) && ($user->uid))
{
    myroom_render_csv($ourFileName, $csv_string);
}?>

<form action="<? $PHP_SELF ?>" method="post">
<input type="submit" value="Submit" name="submit">
</form>

and in a separate file:

<?PHP function myroom_render_csv($file_name, $csv_string) {
header('Content-type: text/csv');
$header_string2="Content-Disposition: attachment; filename=\"".$file_name."\"";
header($header_string2);
echo $csv_string;
} ?>

but I get a dump of the full HTML page AND the CSV data. Ideas?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Here’s a simpler solution – don’t create a file. Instead of writing your data to a .csv file, just set the headers in a php script like so: 

    header('Content-type: text/csv');
header('Content-Disposition: attachment; filename="whatever.csv"');

echo $csv_data;

    Print out your csv data in the php script, and the browser will treat it like a file download. This way, you’re free to control to who and when the file is accessible.

    • 0