Adriaan Nel wrote:

The variables I submit, are retrieved from a database...so users can't enter anything,


What do you mean? Even if the variables are in a hidden input field, anyone can change them. For example, one can save the page and change them in the HTML source.


I do have a warning inserted at the beginning of the file, how do I remove this warning?

I won't tell you unless you tell me what warning it is. But I'm sure if you think about the warning a little you will figure it out.




"Marek Kilimajer" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]

Adriaan Nel wrote:


Hi,

I am using the following piece of code to download files, but the files are always corrupt...what am I doing wrong?


if ($submit) {
    $full_filename = $_POST[full_filename];
    $filename = $_POST[filename];
    $dir = $_POST['dir'];
    $size = $_POST[size];
    $id = $_POST[id];

    if((file_exists($full_filename)) && (substr(decoct(fileperms($dir)),-1) == 4)) {
        header("Content-type: ". "application/exe");
        header("Content-Disposition: " . "attachment" . "; filename=\"".$filename)."\"";
        header("Content-Length: ".$size);
        $fp = readfile($full_filename, "r");
        mysql_query ("INSERT INTO files_downloaded VALUES('$id','$ip',NOW())",$db_connection) or die (mysql_error());
        return $fp;
    }
}


You might have a PHP warning in the downloaded file, it will be either at the beginning or at the end, just open a text editor and view it.

Also you don't check $full_filename, users can submit anything, e.g. /etc/shadow or includes/config.php, and the script sends it.



-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
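
An added example, not part of the thread and not either poster's code: one way to apply the check Marek describes, so that the path sent to readfile() can only be a file inside a fixed download directory and the size is taken from the server, not from $_POST. The function names resolve_download and send_download and the temporary demo directory are hypothetical; the two rejected sample paths are the ones named in the thread.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: map a client-supplied name to a file inside $baseDir,
// or return null when it does not exist or resolves anywhere else.
function resolve_download(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // basename() drops any directory part the client sent.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . basename($requested));
    if ($candidate === false || !is_file($candidate) || !is_readable($candidate)) {
        return null;
    }
    // realpath() has resolved symlinks; the result must still be under $base.
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Hypothetical sender: name and size come from the server's view of the file.
function send_download(string $path): void
{
    $name = str_replace(['"', "\r", "\n"], '', basename($path));
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// Constructed demo data: a temporary download directory holding one file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dl_demo_' . getmypid();
@mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'setup.exe', 'demo');

foreach (['setup.exe', '/etc/shadow', 'includes/config.php', 'missing.exe'] as $req) {
    $path = resolve_download($dir, $req);
    echo sprintf("%-22s => %s\n", $req, $path ?? 'rejected');
}

// Remove the constructed demo data again.
unlink($dir . DIRECTORY_SEPARATOR . 'setup.exe');
rmdir($dir);
```

In a real handler, send_download() would be called only when resolve_download() returns a path, and before any other output so that no notice or warning text ends up in the response body.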


