John Horner wrote:
> Maybe it's just me, but this:
>
> --
>
> $type = $_GET['type'];
> $fileName = $_GET['filename'] . "." . $type;
>
> $mimeType = "application/$type";
> if (strpos($_SERVER['HTTP_USER_AGENT'], 'MSIE 5') or
> strpos($_SERVER['HTTP_USER_AGENT'], 'Opera 7')) $mimeType =
> 'application/x-download';
>
> header("content-disposition: attachment; filename =
> \"$fileName\"");
> header("content-type: {$mimeType}");
>
> readfile($fileName);
>
> where the link would be download.php?filename=mypdf&type=pdf
>

I guess to be fair, the author may have simplified the code and not detailed the step of validating the input and ensuring it maps to a legitimate resource. However, I guess the point is that there may be people on this list with limited server-side knowledge who would cut and paste something like this, so we should all be careful when submitting code.

Chris Knowles
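
The validation step mentioned in the reply above, sketched as an added example that is not part of the original thread or the quoted author's code. It assumes the downloadable files sit in one directory outside the web root; DOWNLOAD_DIR, the ALLOWED_TYPES entries and the resolveDownload() helper are hypothetical names, and the user-agent workaround from the quoted script is left out.

```php
<?php
// Added example: hardened download.php. DOWNLOAD_DIR and the allowlist
// entries are assumptions, not taken from the thread.
declare(strict_types=1);

const DOWNLOAD_DIR = '/var/www/downloads';   // assumed location, outside the web root

// Only these extensions are served, each with a fixed MIME type.
const ALLOWED_TYPES = [
    'pdf' => 'application/pdf',
    'zip' => 'application/zip',
];

// Map the request parameters to a real file under $baseDir, or return null.
function resolveDownload(string $name, string $type, string $baseDir): ?array
{
    if (!array_key_exists($type, ALLOWED_TYPES)) {
        return null;                          // type is not on the allowlist
    }
    // Conservative name pattern: no slashes, dots, NUL bytes or CR/LF.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.' . $type);
    // realpath() resolves symlinks, so confirm the result is still under $base.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($path)) {
        return null;
    }
    return ['path' => $path, 'file' => "$name.$type", 'mime' => ALLOWED_TYPES[$type]];
}

// Array-valued parameters (?filename[]=x) are treated as empty and rejected.
$name = is_string($_GET['filename'] ?? null) ? $_GET['filename'] : '';
$type = is_string($_GET['type'] ?? null) ? $_GET['type'] : '';
$download = resolveDownload($name, $type, DOWNLOAD_DIR);
if ($download === null) {
    http_response_code(404);
    exit;
}
header('Content-Type: ' . $download['mime']);
header('Content-Disposition: attachment; filename="' . $download['file'] . '"');
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . (string) filesize($download['path']));
readfile($download['path']);
```

With the same link, download.php?filename=mypdf&type=pdf, only a file that exists inside DOWNLOAD_DIR is sent; any other name or type gets a 404 and never reaches readfile().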