Sebastian wrote: > Q> I hope you have some good data validation going on too :) > > I am not too sure about how secure it is. basically, the files are called > by > an ID > eg, download?type=file&id=3 > > so i query the db to get check if its a valid id and get the filename from > the db as well. > if its not found it errors out.. i was under the impression that is more > secure to get files by an id from db than doing something like > download?file=filename.zip > > i am worried about security as i am not even sure if this method would > allow > people to download any file from the server. > maybe if you have time you can look at the script for me and find any > flaws > ;) If you mean any of the potential downloads, you've got big problems. :-) What's to stop somebody from trying &id=4 and &id=5 and so on and getting *ALL* the files? If you mean they could download *any* file, even the ones you're not trying to let somebody download, it would be more efficient to see the script itself to point out flaws, rather than just surfing to the site and trying to break it. Though that can be instructive too, especially if you have acquired the same sort of tools your average script kiddie uses to try to break in and steal stuff. -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
