Export file

[dbadmin]

Hi,

Is there a PHP demo on how to render a file right away without saving it on the server with a predefined file name? Do I understand correctly that with current implementation it may lead to concurrency problems when different people click "export" on the same page and file name is always the same? And if I change file name each time, then I need to run a cleaning tool to make sure these files get deleted at some point.

Thanks!

[dbadmin]

Also is it a potential security leak? Looks like whatever is in "POST" gets saved in a file and if it's a virus there doesn't seem to be any protection against it?

[paramvir]

Due to security restrictions, javascript can't create or write to a file. It has to be a round trip to the server.

If you implement it in a multi user environment, you can append the filename with a session variable or user name.

The first level of protection against malicious code post is to ensure that file extension remains either xml or csv. As an extra layer of security, you can also add a check that the data is posted only by an authenticated user.

[dbadmin]

Thanks for you reply.

Let me word it differently: I  don't expect the file to be loaded by javascript, but I thought it would be good to have a php-side code that instead of writing to a file just renders out the file contents right away (instead of saving it into the file, and then rendering the file)

[paramvir]

Good point.

You could return the post data right away instead of saving it in a file if it were a single request, but as there are two requests to the server, you have to persist the data on the server upon first request and return it as a file in the second request.

Though it's not necessary to store the post data in a file, you could store the post data in a session. As a matter of fact, saving post data in session seems better solution in terms of concurrency and security.

[paramvir]

Here is the code for saving it in session

Code: [Select]

if (isset($_POST["excel"]) && isset($_POST["extension"]))       
{
    $extension = $_POST["extension"];   
    if ($extension == "csv" || $extension == "xml")
    {               
        session_start();
        $_SESSION['excel'] = $_POST['excel'];
        $filename = "pqGrid." . $extension;             
        echo $filename;       
    }
}
else if(isset($_GET["filename"]))
{
    $filename = $_GET["filename"];
    if ($filename == "pqGrid.csv" || $filename == "pqGrid.xml")
    {
        session_start();       
        if (isset($_SESSION['excel'])) {   
            $excel = $_SESSION['excel'];       
            $_SESSION['excel']=null;       
            header('Content-Disposition: attachment; filename="'.$filename.'"');
            header('Content-Type: text/plain');
            header('Content-Length: ' . strlen($excel));
            header('Connection: close');           
            echo $excel;
            exit;
        }   
    }
}


[dbadmin]

That works, thank you!

Eventually would you think it will make sense to add an option to do it in one "post" request (next versions)? Second "post" seems a redundant step to me...

Also, could you tell me if there's a way to specify to render "null" as empty string in excel? (Null values don't show up in the grid, but when I do export -- cells in excel display "null")

Thanks!

[paramvir]

If it would be feasible, I would merge it into a single request in future versions.

you could replace null with empty string upon post of data $_POST['excel'] using regular expression.

[dbadmin]

I understand I can manually replace "null" with empty string I'd think it'd be another candidate for the future versions though. thanks for you help!