On Tue, February 14, 2006 3:41 pm, J_K9 wrote:
> <?
>
> $fileid = $_GET['file_id'];
>
> $filearray = array(
> "a0"=>"data/download1.zip",
> "a1"=>"data/download2.zip");
>
> $location = $filearray['a'.$fileid];
>
> if($location!='') {
>
> header("LOCATION: $location");
>
> }
>
> ?>
> ----------------
>
> But when I send it: http://example.com/download.php?file_id=0 , I get
> the following error-
>
>
> Warning: Cannot modify header information - headers already sent by
> (output started at /public_html/download.php:6) in
> /public_html/download.php on line 18
>
>
> Any idea what's going wrong?

Line 6 was printing something out, or has an error message being printed.

The other wrong thing is that you should use "Location: " and not "LOCATION: " (the capitalization is, I think, actually significant, at least in practice)

And, finally, if you don't want people to know where the files are, then sending a Location: header is the wrong way to go. They'll possibly end up bookmarking the result URL, which will bypass your URL that is supposed to be hiding the location in the first place.

You would want to do something like:

    readfile($filearray['a' . $_REQUEST['file_id']]);

Oh, the error message on line 6 is probably about using an un-initialized variable $fileid, since it's really $file_id.

And you should have turned off register_globals, so it's really really $_REQUEST['file_id'] or $_GET['file_id'] if you insist on separating GET and POST parameters, though I've never quite understood why some insist on doing that, since they are equally open to attack...

In particular, the reason you really really really want register_globals OFF is that somebody could do this:

http://example.com/download.php?filearray[a3]=/etc/passwd&file_id=3 [*]

If you have register_globals ON, I have just polluted your $filearray[] with the key/value pair I need to snag your computer's passwd file, which I can peruse at my leisure for known passwords from a dictionary attack, and later I can log in to your computer and commit various acts of destruction...

Did I mention you REALLY REALLY REALLY want register_globals turned *OFF*!!!

* Technically, I should URLencode the /etc/passwd, but I suspect it will work either way, and didn't want to confuse the reader. YMMV

--
Like Music?
http://l-i-e.com/artists.htm

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
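
Added example, not code from this thread or from the PHP project: a download script along the lines the reply suggests, which streams the file with readfile() instead of redirecting and keeps the id-to-path map in a constant that request parameters cannot touch. The function names are hypothetical, the ids and paths reuse the ones quoted above, and PHP 7.1 or later is assumed.

```php
<?php
// Added example; function names are hypothetical. No blank line or BOM may precede
// the opening tag, and the closing tag is omitted, so nothing is output before header().

// Built entirely in code: no request parameter can add or replace an entry.
const DOWNLOADS = [
    'a0' => 'data/download1.zip',
    'a1' => 'data/download2.zip',
];

// Return the allowlisted path for the request's file_id, or null.
function resolve_download(array $query): ?string
{
    $id = $query['file_id'] ?? null;
    if (!is_string($id)) {          // rejects file_id[]=... and a missing id
        return null;
    }
    return DOWNLOADS['a' . $id] ?? null;
}

// Stream the file through the script, so the client never sees its real URL.
function send_download(?string $relative): void
{
    $path = $relative === null ? null : __DIR__ . '/' . $relative;
    if ($path === null || !is_file($path) || !is_readable($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: application/zip');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

if (PHP_SAPI === 'cli') {
    // Constructed sample queries; the second mirrors the polluted URL in the thread.
    $samples = [
        ['file_id' => '0'],
        ['file_id' => '3', 'filearray' => ['a3' => '/etc/passwd']],
        ['file_id' => ['0']],
    ];
    foreach ($samples as $query) {
        echo json_encode($query), ' => ', var_export(resolve_download($query), true), "\n";
    }
} else {
    send_download(resolve_download($_GET));
}
```

Run from the command line, it prints what each constructed query resolves to; served by a web server, it answers 404 for any id that is not in the map.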