Re: Routing downloads through PHP

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



(Reply beneath quotes)



Richard Lynch wrote:
On Tue, February 14, 2006 3:41 pm, J_K9 wrote:
<?

$fileid = $_GET['file_id'];

$filearray = array(
    "a0"=>"data/download1.zip",
    "a1"=>"data/download2.zip");

$location = $filearray['a'.$fileid];

if($location!='') {

    header("LOCATION: $location");

}

?>
----------------

But when I send it: http://example.com/download.php?file_id=0 , I get
the following error-


Warning: Cannot modify header information - headers already sent by
(output started at /public_html/download.php:6) in
/public_html/download.php on line 18


Any idea what's going wrong?

Line 6 was printing something out, or has an error message being printed.

The other wrong thing is that you should use "Location: " and not
"LOCATION: " (the capitalization is, I think, actually significant, at
least in practice)


Line 6 was the beginning of the PHP script: <?php. I have also changed the "LOCATION" references to "Location", but that has not fixed the error (although as you said, I might as well get into good habits now ;)

And, finally, if you don't want people to know where the files are,
then sending a Location: header is the wrong way to go.  They'll
possibly end up bookmarking the result URL, which will bypass your URL
that is supposed to be hiding the location in the first place.

You would want to do something like:
readfile($filearray['a' . $_REQUEST['file_id']]);

Using the readfile function, I got an even more confusing error. Isn't readfile() just piping the file to stdout? Because with this code -

 <?php

  $filearray = array(
      "a0"=>"data/download1.zip",
      "a1"=>"data/download2.zip");

 readfile($filearray['a' . $_REQUEST['file_id']]);

 ?>

- I get a series of random extended ASCII characters.


Oh, the error message on line 6 is probably about using an
un-initialized variable $fileid, since it's really $file_id.

And you should have turned off register_globals, so it's really really
$_REQUEST['file_id'] or $_GET['file_id'] if you insist on separating
GET and POST parameters, though I've never quite understood why some
insist on doing that, since they are equally open to attack...

In particular, the reason you really really really want
register_globals OFF is that somebody could do this:

http://example.com/download.php?filearray[a3]=/etc/passwd&file_id=3

[*]


Ah,I now see why register_globals should be turned off. I have read about disabling it (it is currently enabled) either from within a .htaccess file (although I'm not sure where) or by changing a line in php.ini. As I am running a LAMP server and have not had too much experience with PHP before, could you please tell me how I can disable them? I've also got magic_quotes_gpc on, although I haven't had the time to check why that's a risk.


Where have I used register_globals anyway, just so that I can avoid using them in the future? :)

Thanks for your help - and I hope we eventually find a way of making this work ;)

J_K9

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux