Rahul Sitaram Johari wrote:
> Ave,
>
> You will probably find this code pretty inefficient, although it works
> flawlessly, but I ran into a problem with Internet Explorer 7, which instead
> of giving the "Save as" dialog box, tried opening the file within the
> Internet Explorer 7 window and displayed millions of bizarre characters on
> the screen. In order to bypass that, I used a force-download method. And I
> can tell you it's probably a crappy version of it. So I'm definitely
> interested in and anxious about getting improvement suggestions on the code.
>
> Here's the code (and please don't kill me):

why would I kill you? what did you do? are you Donald Rumsfeld?

>
> <?php

you need to sanitize $F, and stop using 'register_globals', and check the
file exists and other stuff like that (you know - check stuff!).

if (!isset($_GET['F'])) die('bad dog!');
$F = '/path/to/your/files/'.basename($_GET['F']);
if (!file_exists($F)) die('very bad dog!');
if (!is_readable($F)) die('I am a bad dog!');

> header("Content-Description: File Transfer");
> header("Content-Type: application/force-download");
> header("Content-Disposition: attachment; filename=".basename($F));

// this will probably fix the IE problem - personally I always refer to
// Richard Lynch's rant on the subject of download headers when I get stuck
header("Content-Disposition: download; filename=".basename($F));
header("Content-Length: ".filesize($F));

> @readfile($F);

only php gods are entitled to use @ - the rest of us will get bitten in the
ass by a bad dog sooner or later. don't repress errors unless there is no
other recourse (0.00% of the time you come across a situation where you
can't do without it - this is not one of those times), instead check your
input (and function return values) properly and act accordingly

> ?>
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Rahul Sitaram Johari
> CEO, Twenty Four Seventy Nine Inc.
>
> W: http://www.rahulsjohari.com
> E: sleepwalker@xxxxxxxxxxxxxxxx
>
> "I morti non sono piu soli ... The dead are no longer lonely"
>
>
>
> On 3/30/07 10:31 AM, "Jochem Maas" <jochem@xxxxxxxxxxxxx> wrote:
>
>> Rahul Sitaram Johari wrote:
>>> Ave,
>>>
>> ...
>>
>>> VALUE='takekey_download.php?F=vox/".basename($value)."'>".basename($value)."
>> show us the code for takekey_download.php, we may be able to save you
>> on a major security issue with regard to the way you use the F get parameter.
>>
>>> </option>";
>>> }
>>> ?>
>>> </SELECT>
>>> </FORM>
>>>
>>> Thanks!
>>>
>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>> Rahul Sitaram Johari
>>> CEO, Twenty Four Seventy Nine Inc.
>>>
>>> W: http://www.rahulsjohari.com
>>> E: sleepwalker@xxxxxxxxxxxxxxxx
>>>
>>> "I morti non sono piu soli ... The dead are no longer lonely"
>>>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
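The input checking and download headers discussed in this thread, as an added example that is not code from the thread or from either poster: a hardened version of the takekey_download.php pattern. It keeps the F parameter, uses the standard "attachment" disposition, and additionally confines the resolved path to the download directory with realpath(); DOWNLOAD_DIR is an assumed placeholder.

```php
<?php
// Added example, not code from the thread: a hardened takekey_download.php.
// DOWNLOAD_DIR is a placeholder; point it at the real directory.
const DOWNLOAD_DIR = '/path/to/your/files';

function resolve_download(string $requested, string $baseDir): ?string
{
    // basename() strips every directory component, so "../x" and "a/b" both
    // collapse to a plain file name; realpath() then resolves symlinks so we
    // can verify the file really lives inside $baseDir.
    $name = basename($requested);
    if ($name === '' || $name[0] === '.') {
        return null;                       // no empty names, no dot files
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null;
    }
    // Require the resolved path to sit strictly below $base, even when a
    // symlink inside the directory points somewhere else.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return (is_file($path) && is_readable($path)) ? $path : null;
}

$path = isset($_GET['F']) ? resolve_download((string) $_GET['F'], DOWNLOAD_DIR) : null;
if ($path === null) {
    http_response_code(404);               // one answer for missing and forbidden
    exit('File not found');
}

// application/octet-stream plus "attachment" makes browsers offer a "Save as"
// dialog instead of rendering the bytes inline. The file name is reduced to a
// safe ASCII set and quoted, so it cannot inject extra header text.
$safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $safeName . '"');
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');

// No @: if readfile() fails we want the warning in the error log.
if (readfile($path) === false) {
    error_log('download failed for ' . $path);
}
```

Returning the same 404 for a missing file and for a rejected name avoids telling a caller which names exist outside the directory.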