Re: Show filenames using Wildcards -- The glob() Solution!

Rahul Sitaram Johari wrote:
> Ave,
> 
> You will probably find this code pretty inefficient, although it works
> flawlessly, but I ran into a problem with Internet Explorer 7, which instead
> of giving the "Save as" dialog box, tried opening the file within the
> Internet Explorer 7 window and displayed millions of bizarre characters on
> the screen. In order to bypass that, I used a force-download method. And I
> can tell you it's probably a crappy version of it. So I'm definitely
> interested in and anxious on getting improvement suggestions on the code.
> 
> Here's the code (and please don't kill me):

why would I kill you? what did you do? are you Donald Rumsfeld?

> 
> <?php

you need to sanitize $F, and stop using 'register_globals', and check the file
exists and other stuff like that (you know - check stuff!).

// refuse the request outright when the parameter is missing
// (and never rely on register_globals to populate $F)
if (!isset($_GET['F']))
	die('bad dog!');

// basename() drops any directory part, so '../../etc/passwd' can't
// escape the download directory
$F = '/path/to/you/files/'.basename($_GET['F']);

// check before reading rather than suppressing errors afterwards
if (!file_exists($F))
	die('very bad dog!');

if (!is_readable($F))
	die('I am a bad dog!');


> header("Content-Description: File Transfer");
> header("Content-Type: application/force-download");
> header("Content-Disposition: attachment; filename=".basename($F));

// this will probably fix the IE problem - personally I always refer to
// Richard Lynch's rant on the subject of download headers when I get stuck
header("Content-Disposition: download; filename=".basename($F));
header("Content-Length: ".filesize($F));

> @readfile($F);

only php gods are entitled to use @ - the rest of us will get bitten in the
ass by a bad dog sooner or later. don't suppress errors unless there is no other recourse
(0.00% of the time you come across a situation where you can't do without it -
this is not one of those times); instead check your input (and function return
values) properly and act accordingly

> ?>
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Rahul Sitaram Johari
> CEO, Twenty Four Seventy Nine Inc.
> 
> W: http://www.rahulsjohari.com
> E: sleepwalker@xxxxxxxxxxxxxxxx
> 
> “I morti non sono piu soli ... The dead are no longer lonely”
> 
> 
> 
> On 3/30/07 10:31 AM, "Jochem Maas" <jochem@xxxxxxxxxxxxx> wrote:
> 
>> Rahul Sitaram Johari wrote:
>>> Ave,
>>>
>> ...
>>
>>> VALUE='takekey_download.php?F=vox/".basename($value)."'>".basename($value)."
>> show us the code for takekey_download.php, we may be able to save you
>> on a major security issue with regard to the way you use the F get parameter.
>>
>>> </option>";
>>>     }
>>>     ?>
>>>     </SELECT>
>>>     </FORM>    
>>>
>>> Thanks!
>>>
>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>> Rahul Sitaram Johari
>>> CEO, Twenty Four Seventy Nine Inc.
>>>
>>> W: http://www.rahulsjohari.com
>>> E: sleepwalker@xxxxxxxxxxxxxxxx
>>>
>>> “I morti non sono piu soli ... The dead are no longer lonely”
>>>
> 
> 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
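An added example, not code from Rahul's script or from Jochem's reply: a hardened version of the download script that applies the checks discussed in the thread (refuse a missing parameter, confine the name to a single directory, verify the file exists and is readable, send explicit headers, and check the return value of readfile() instead of silencing it with @). The BASE_DIR path, the filename allowlist regex, the realpath() containment check and the nosniff header are this example's own choices, not anything from the original page.

```php
<?php
// Added example, not the thread's own code.
// Assumption: downloadable files live under BASE_DIR (placeholder path).
const BASE_DIR = '/path/to/your/files';

/**
 * Resolve a user-supplied name to a file inside BASE_DIR, or return null.
 * Every rejection is explicit, so nothing needs to be hidden behind '@'.
 */
function resolve_download(string $name): ?string
{
    // Allowlist (assumed policy): one path segment, no leading dot,
    // no separators, no NUL bytes, bounded length.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/', $name)) {
        return null;
    }
    $candidate = BASE_DIR . '/' . $name;

    // realpath() collapses symlinks and '..'; insist the result is still
    // inside BASE_DIR so a symlink planted in the directory cannot point out.
    $base = realpath(BASE_DIR);
    $real = realpath($candidate);
    if ($base === false || $real === false) {
        return null;
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    if (!is_file($real) || !is_readable($real)) {
        return null;
    }
    return $real;
}

/**
 * Build the response headers for a forced download of $path.
 * Returned as an array so they can be inspected before being sent.
 */
function download_headers(string $path): array
{
    $name = basename($path);
    // Quote the filename and replace anything that could break the header
    // value (non-printable bytes, quotes, backslashes).
    $safe = preg_replace('/[^\x20-\x7E]|["\\\\]/', '_', $name);
    return [
        'Content-Type: application/octet-stream',
        // Stops browsers from sniffing the body into something renderable
        // (the IE behaviour the original poster ran into).
        'X-Content-Type-Options: nosniff',
        'Content-Disposition: attachment; filename="' . $safe . '"; '
            . 'filename*=UTF-8\'\'' . rawurlencode($name),
        'Content-Length: ' . filesize($path),
    ];
}

// --- request handling ---
// F[]=... would arrive as an array, so check the type as well as presence.
if (!isset($_GET['F']) || !is_string($_GET['F'])) {
    http_response_code(400);
    exit('missing F');
}

$path = resolve_download($_GET['F']);
if ($path === null) {
    // Same answer for "not allowed" and "not found": don't reveal which files exist.
    http_response_code(404);
    exit('not found');
}

foreach (download_headers($path) as $h) {
    header($h);
}

// readfile() returns false on failure; log it rather than suppressing it.
if (readfile($path) === false) {
    error_log('takekey_download: failed to read ' . $path);
}
```

The containment check is deliberately done on the resolved path rather than on the input string: basename() alone stops `..` traversal, but it does not stop a symlink inside the directory from pointing elsewhere, which is why realpath() of both sides is compared. Returning the same 404 for a rejected name and a missing file keeps the script from acting as a file-existence oracle.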

