I haven't specifically used code like this, but I do use a dynamic page
system (a more advanced version of the '?p=mypage' system commonly
seen). To avoid letting people include stuff they shouldn't be able to, the
page that processes all of this basically has an array where I set which
pages it's allowed to access. Anything other than the ones in that list
goes to my error page. Something like this is probably
the easiest, but at the same time, the most secure method to accomplish
something where a page is dynamically included.
Christian Snodgrass
Chris Knowles wrote:
John Horner wrote:
Maybe it's just me, but this:
--
$type = $_GET['type'];
$fileName = $_GET['filename'] . "." . $type;
$mimeType = "application/$type";
if (strpos($_SERVER['HTTP_USER_AGENT'], 'MSIE 5') or
    strpos($_SERVER['HTTP_USER_AGENT'], 'Opera 7')) $mimeType = 'application/x-download';
header("content-disposition: attachment; filename = \"$fileName\"");
header("content-type: {$mimeType}");
readfile($fileName);
where the link would be download.php?filename=mypdf&type=pdf
I guess to be fair, the author may have simplified the code and not
detailed the step of validating the input and ensuring it maps to a
legitimate resource. However, I guess the point is that there may be
people on this list with limited server side knowledge who would cut and
paste something like this, so we should all be careful when submitting code.
Chris Knowles
*******************************************************************
List Guidelines: http://webstandardsgroup.org/mail/guidelines.cfm
Unsubscribe: http://webstandardsgroup.org/join/unsubscribe.cfm
Help: [EMAIL PROTECTED]
*******************************************************************
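An added example, not code from the thread: the quoted download.php builds both a filesystem path and a response header straight from request parameters, so a request can name any file the web server can read and inject characters into the header. The version below applies the allowlist approach Christian describes to the same script: the request selects a key in a fixed table, and the path and filename come from that table, never from the user. The download directory, the table entries and the `file` parameter name are assumptions for the example.

```php
<?php
// Added example, not from the thread. The request picks an entry in a fixed
// allowlist; nothing from $_GET ever reaches the filesystem or a header.

// Assumed location of the downloadable files.
const DOWNLOAD_DIR = __DIR__ . '/downloads';

// Allowlist: request key => [filename on disk, MIME type]. Only these can be served.
const DOWNLOADS = [
    'brochure'  => ['brochure.pdf',  'application/pdf'],
    'pricelist' => ['pricelist.csv', 'text/csv'],
];

// Returns the path, filename and MIME type for a known key, or null otherwise.
function resolveDownload(string $key): ?array
{
    if (!isset(DOWNLOADS[$key])) {
        return null; // unknown key: do not touch the filesystem at all
    }
    [$name, $mime] = DOWNLOADS[$key];
    $path = realpath(DOWNLOAD_DIR . '/' . $name);
    // realpath() is false when the file is missing; the prefix check is a second
    // guard in case DOWNLOAD_DIR or a table entry is ever misconfigured.
    if ($path === false
        || strpos($path, realpath(DOWNLOAD_DIR) . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return ['path' => $path, 'name' => $name, 'mime' => $mime];
}

$download = resolveDownload($_GET['file'] ?? '');
if ($download === null) {
    http_response_code(404);
    exit('Not found');
}

// The filename in the header comes from the allowlist, so it cannot carry
// quotes, newlines or path separators supplied by the client.
header('Content-Type: ' . $download['mime']);
header('Content-Disposition: attachment; filename="' . $download['name'] . '"');
header('Content-Length: ' . filesize($download['path']));
readfile($download['path']);
```

A request for download.php?file=brochure serves the PDF; any other value, including one containing `../` or a full path, gets a 404 without a filesystem lookup.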