(Reply beneath quotes)
Richard Lynch wrote:
On Tue, February 14, 2006 3:41 pm, J_K9 wrote:
<?
$fileid = $_GET['file_id'];
$filearray = array(
"a0"=>"data/download1.zip",
"a1"=>"data/download2.zip");
$location = $filearray['a'.$fileid];
if($location!='') {
header("LOCATION: $location");
}
?>
----------------
But when I send it: http://example.com/download.php?file_id=0 , I get
the following error-
Warning: Cannot modify header information - headers already sent by
(output started at /public_html/download.php:6) in
/public_html/download.php on line 18
Any idea what's going wrong?
Line 6 was printing something out, or has an error message being printed.
The other wrong thing is that you should use "Location: " and not
"LOCATION: " (the capitalization is, I think, actually significant, at
least in practice)
Line 6 was the beginning of the PHP script: <?php. I have also changed
the "LOCATION" references to "Location", but that has not fixed the
error (although as you said, I might as well get into good habits now ;)
And, finally, if you don't want people to know where the files are,
then sending a Location: header is the wrong way to go. They'll
possibly end up bookmarking the result URL, which will bypass your URL
that is supposed to be hiding the location in the first place.
You would want to do something like:
readfile($filearray['a' . $_REQUEST['file_id']]);
Using the readfile function, I got an even more confusing error. Isn't
readfile() just piping the file to stdout? Because with this code -
<?php
$filearray = array(
"a0"=>"data/download1.zip",
"a1"=>"data/download2.zip");
readfile($filearray['a' . $_REQUEST['file_id']]);
?>
- I get a series of random extended ASCII characters.
Oh, the error message on line 6 is probably about using an
un-initialized variable $fileid, since it's really $file_id.
And you should have turned off register_globals, so it's really really
$_REQUEST['file_id'] or $_GET['file_id'] if you insist on separating
GET and POST parameters, though I've never quite understood why some
insist on doing that, since they are equally open to attack...
In particular, the reason you really really really want
register_globals OFF is that somebody could do this:
http://example.com/download.php?filearray[a3]=/etc/passwd&file_id=3
[*]
Ah,I now see why register_globals should be turned off. I have read
about disabling it (it is currently enabled) either from within a
.htaccess file (although I'm not sure where) or by changing a line in
php.ini. As I am running a LAMP server and have not had too much
experience with PHP before, could you please tell me how I can disable
them? I've also got magic_quotes_gpc on, although I haven't had the time
to check why that's a risk.
Where have I used register_globals anyway, just so that I can avoid
using them in the future? :)
Thanks for your help - and I hope we eventually find a way of making
this work ;)
J_K9
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
