Re: fopen/fpassthru

Q> I hope you have some good data validation going on too :)

I am not too sure about how secure it is. Basically, the files are called by
an ID,
e.g. download?type=file&id=3

So I query the db to check if it's a valid id and get the filename from
the db as well.
If it's not found it errors out. I was under the impression that it is more
secure to get files by an id from the db than doing something like
download?file=filename.zip

I am worried about security as I am not even sure if this method would allow
people to download any file from the server.
Maybe if you have time you can look at the script for me and find any flaws
;)

thanks.

----- Original Message ----- 
From: "Richard Davey" <rich@xxxxxxxxxxxxxxxx>
To: <php-general@xxxxxxxxxxxxx>
Sent: Tuesday, December 14, 2004 12:27 PM
Subject: Re: fopen/fpassthru


> Hello Sebastian,
>
> Tuesday, December 14, 2004, 4:19:31 PM, you wrote:
>
> S> header("Content-type: application/octet-stream");
> S> header("Content-disposition: attachment; filename=" . $file['filename']);
> S> header("Content-transfer-encoding: binary");
> S> header("Content-length: " . filesize($file['path'] . $file['filename']));
>
> I use something almost identical, except I upper-case the second words
> (Content-Type, Content-Disposition, etc). Not that I've found a
> browser in active use yet that cares less, but there we go.
>
> I'd fclose() when done, and no need to exit() - it's the last line of
> your script anyway.
>
> I hope you have some good data validation going on too :)
>
> S> Is this the most practical way of doing it? I don't want to display
> S> file location.. the script seems to be working okay, but I was just
>
> It is the way to do it, yes. You may get some varying suggestions re:
> the correct headers to use though. But what you have will actually
> work just fine (as you've found).
>
> S> Also, is it possible to insert a txt file on the fly if the file
> S> they're downloading is a ZIP file? If so, any ideas how?
>
> No, you cannot interrupt the stream. Or do anything after it for that
> matter - you are "simulating" an HTTP request for a file, that is what
> you're sending back. There is no way to inject something else into
> this single transmission. Think of another way around it.
>
> Best regards,
>
> Richard Davey
> -- 
>  http://www.launchcode.co.uk - PHP Development Services
>  "I am not young enough to know everything." - Oscar Wilde
>
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
>

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
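As an added illustration (not Sebastian's script, which is not shown in the thread), here is an ID-based download handler of the kind described above, with the checks Richard's "data validation" remark points at. It assumes a PDO connection in $db, a hypothetical `files` table with `id` and `filename` columns, and a fixed upload directory; all of these names are assumptions, not from the thread.

```php
<?php
// Added example (not from the thread): an ID-based download handler of the kind
// Sebastian describes, with the checks a reviewer would ask for.
// Assumptions (hypothetical): a PDO connection $db, a table `files` with
// columns id and filename, and the upload directory below.

$base_dir = realpath('/var/www/uploads');   // hypothetical storage directory

// 1. The id must be a positive integer; reject anything else before touching the DB.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Invalid id');
}

// 2. Look the row up with a prepared statement rather than interpolating the value.
$stmt = $db->prepare('SELECT filename FROM files WHERE id = :id');
$stmt->execute([':id' => $id]);
$file = $stmt->fetch(PDO::FETCH_ASSOC);
if ($file === false) {
    http_response_code(404);
    exit('Not found');
}

// 3. A DB-supplied name is only as trustworthy as the code that stored it, so keep
//    just the basename and confirm the resolved path still lies inside $base_dir.
$name = basename($file['filename']);
$path = realpath($base_dir . DIRECTORY_SEPARATOR . $name);
if ($path === false || strpos($path, $base_dir . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
    http_response_code(404);
    exit('Not found');
}

// 4. Quote the filename and strip quotes and CR/LF so the header cannot be split.
$safe_name = str_replace(['"', "\r", "\n"], '', $name);
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $safe_name . '"');
header('Content-Transfer-Encoding: binary');
header('Content-Length: ' . filesize($path));

// 5. Stream the file and fclose() afterwards, as Richard suggests.
$fh = fopen($path, 'rb');
if ($fh === false) {
    http_response_code(500);
    exit('Cannot open file');
}
fpassthru($fh);
fclose($fh);
```

The realpath() prefix check in step 3 is what actually answers Sebastian's worry: even if a stored filename were wrong or tampered with, the handler will only serve files that resolve inside the upload directory.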

