Peter Lauri wrote:
Best group member,
This code works fine on my local machine:
$Query = sprintf("SELECT * FROM filestorage WHERE id=%s LIMIT 1", $_GET['fileid']);
$Result = mysql_query($Query);
if (mysql_num_rows($Result) > 0) {
    $Row = @mysql_fetch_array($Result);
    $file_type = $Row["filetype"];
    $file = $Row["filedata"];
    header("Content-type: $file_type");
    header('Content-Disposition: attachment; filename="fil' . substr($Row['filename'], strrpos($Row['filename'], '.')) . '"');
    print $file;
}
But when I run it on my server it does not start the download, and the file
name is the location of the script instead of what I state as file name.
The first thing you should do is read this site:
http://www.phpsec.org
I could pass all sorts of bad things to $_GET['fileid'] and it will ruin
your database.
At least make it:
(int)$_GET['fileid'];
so if it's non-numeric, it will get converted to 0.
Can we assume the database is exactly the same and it's not that
$row['filename'] has the wrong data in it?
--
Postgresql & php tutorials
http://www.designmagick.com/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
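The two points raised in the thread, the unescaped $_GET['fileid'] in the query and the Content-Disposition filename, addressed in one hardened version of the download script. This is an added example, not code from either poster; it assumes an open PDO connection in $pdo (a prepared statement instead of the thread's mysql_* calls) and uses the filestorage table and column names from the original post.

```php
<?php
// Assumed: $pdo is a connected PDO instance; table filestorage(id, filetype, filedata, filename).

function send_stored_file(PDO $pdo, $rawId)
{
    // Cast to int as the reply suggests (non-numeric input becomes 0), then bind it
    // as a parameter so the request value can never become part of the SQL text.
    $id = (int) $rawId;
    if ($id <= 0) {
        http_response_code(404);
        return false;
    }

    $stmt = $pdo->prepare('SELECT filetype, filedata, filename FROM filestorage WHERE id = ? LIMIT 1');
    $stmt->bindValue(1, $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        http_response_code(404);
        return false;
    }

    // Build the download name from a whitelist so a stored filename cannot carry
    // quotes or CR/LF into the header. Note strrpos() returns false when there is
    // no dot, and substr($s, false) then yields the whole name; pathinfo() avoids that.
    $ext  = preg_replace('/[^A-Za-z0-9]/', '', pathinfo($row['filename'], PATHINFO_EXTENSION));
    $name = 'fil' . ($ext !== '' ? '.' . $ext : '');

    // The content type also comes from the database; accept only a plain type/subtype.
    $type = preg_match('#^[\w.+-]+/[\w.+-]+$#', $row['filetype'])
        ? $row['filetype'] : 'application/octet-stream';

    // Keep each header() call on a single line: a newline inside a header value is
    // either rejected by PHP or cuts the value short, and a Content-Disposition with
    // no usable filename makes the browser fall back to the script's own name.
    header('Content-Type: ' . $type);
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('Content-Length: ' . strlen($row['filedata']));
    echo $row['filedata'];
    return true;
}

send_stored_file($pdo, isset($_GET['fileid']) ? $_GET['fileid'] : '');
```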