PHP: Force download header wont show total size and speed

Question

Whenever I use this script to download a file, I can't see the total size and the speed while downloading... I want to to make it look more like the 'direct download link'. The purpose of this script is to hide the direct download link restrict direct downloading and other download behavior, like bots. Think of mediafire, rapidshare, megaupload etc.

The script we have now works but is not displayed as how it is displayed when you download from a normal download link, I will post a screenshot of what's happening:

I hope this screenshot helps, because I've searched the internet for hours and can't seem to find a solution to this :(.

if (isset($_GET['file'])){
   $file = $_GET['file'];
   $path = '/home/user/domains/domain.com/files/upload/';
   $filepath = $path.$file;

   if (file_exists($filepath)){

    set_time_limit(0); // for slow connections

    header('Content-Description: File Transfer');
    header("Content-Disposition: attachment; filename=\"$file\"");
    header('Content-Type: application/octet-stream');
    header('Content-Transfer-Encoding: binary');
    header('Content-Length: ' . filesize($filepath));
    header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
    header('Pragma: public');
    header('Expires: 0');

    readfile($filepath); // send file to client 
   } 
   else{
    header($_SERVER["SERVER_PROTOCOL"]." 404 Not Found", true, 404); 
   }
  }else{
   header($_SERVER["SERVER_PROTOCOL"]." 404 Not Found", true, 404); 
  }

Answer 1

Is the content being compressed at the server level with mod_deflate or something similar?

This has been answered here: Sending correct file size with PHP download script

"If you compress files with Zlib, mod_deflate and so on the Content-Length header won't be accurate so you'll end up seeing "Unknown size" and "Unknown time remaining" when downloading files."

"You can easily disable it for a single script using the following line in an applicable .htaccess file:

SetEnvIfNoCase Request_URI ^/download.php no-gzip dont-vary where download.php is here assumed to be in the download script located in the server's root directory path (e.g. www.crimsonbase.com/download.php). (That's because the regular expression is ^/download.php.)"

Also, please note that your script is insecure. Someone could effectively send the following get parameter for _GET['file']

../../../../../Documents/MyStuff

and it will override your $path restriction entirely.

Suggest stripping out any .. references in the path.

Answer 2

I was having a similar problem today, I could not get the total size (download progress) of a downloaded file.

The browser headers indicated "gzip" as content type, I was able to fix this by prevening the server to use gzip on the download.php script, by this htaccess line:

SetEnvIfNoCase Request_URI ^/download.php no-gzip dont-vary