Re: Show filenames using Wildcards -- The glob() Solution!


Ave,

I'll add the Checking stuff immediately - I guess that was really just
laziness on my part to get the job done. I'll make sure he's being a good
dog and behaving himself ;)

Will definitely get rid of '@'.

Still not sure, as Tijnema pointed out, if this is the most secure way to do
this. I'm sure there are security flaws in this code. All files in the vox
folder are publicly accessible so I'm not majorly concerned about it, but at
the same time, it would be a good opportunity to strengthen security on
this. 

Thanks!

On 3/30/07 10:55 AM, "Jochem Maas" <jochem@xxxxxxxxxxxxx> wrote:

> Rahul Sitaram Johari wrote:
>> Ave,
>> 
>> You will probably find this code pretty inefficient, although it works
>> flawlessly, but I ran into a problem with Internet Explorer 7, which instead
>> of giving the "Save as" dialog box, tried opening the file within the
>> Internet Explorer 7 window and displayed millions of bizarre characters on
>> the screen. In order to bypass that, I used a force-download method. And I
>> can tell you it's probably a crappy version of it. So I'm definitely
>> interested in and anxious on getting improvement suggestions on the code.
>> 
>> Here's the code (and please don't kill me):
> 
> why would I kill you? what did you do? are you Donald Rumsfeld?
> 
>> 
>> <?php
> 
> you need to santize $F, and stop using 'register_globals', and check the file
> exists and other stuff like that (you know - check stuff!).
> 
> if (!isset($_GET['F']))
> die('bad dog!');
> 
> $F = '/path/to/you/files/'.basename($_GET['F']);
> 
> 
> if (!file_exists($F))
> die('very bad dog!');
> 
> if (!is_readable($F))
> die('I am a bad dog!');
> 
> 
>> header("Content-Description: File Transfer");
>> header("Content-Type: application/force-download");
>> header("Content-Disposition: attachment; filename=".basename($F));
> 
> // this will probably fix the IE problem - personally I always refer to
> // Richard Lynch's rant on the subject of download headers when I get stuck
> header("Content-Disposition: download; filename=".basename($F));
> header("Content-Length: ".filesize($F));
> 
>> @readfile($F);
> 
> only php gods are entitled to use @ - the rest of us will get bitten in the
> ass by a bad dog sooner or later. don't repress errors unless there is no
> other recourse
> (0.00% of the time you come across a situation where you can't do without it
> -
> this is not one of those times), instead check your input (and function return
> values) properly and act accordingly
> 
>> ?>
>> 
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> Rahul Sitaram Johari
>> CEO, Twenty Four Seventy Nine Inc.
>> 
>> W: http://www.rahulsjohari.com
>> E: sleepwalker@xxxxxxxxxxxxxxxx
>> 
>> “I morti non sono piu soli ... The dead are no longer lonely”
>> 
>> 
>> 
>> On 3/30/07 10:31 AM, "Jochem Maas" <jochem@xxxxxxxxxxxxx> wrote:
>> 
>>> Rahul Sitaram Johari wrote:
>>>> Ave,
>>>> 
>>> ...
>>> 
>>>> 
>>>> VALUE='takekey_download.php?F=vox/".basename($value)."'>".basename($value)."
>>> show us the code for takekey_download.php, we may be able to save you
>>> on a major security issue with regard to the way you use the F get
>>> parameter.
>>> 
>>>> </option>";
>>>>     }
>>>>     ?>
>>>>     </SELECT>
>>>>     </FORM>   
>>>> 
>>>> Thanks!
>>>> 
>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>> Rahul Sitaram Johari
>>>> CEO, Twenty Four Seventy Nine Inc.
>>>> 
>>>> W: http://www.rahulsjohari.com
>>>> E: sleepwalker@xxxxxxxxxxxxxxxx
>>>> 
>>>> “I morti non sono piu soli ... The dead are no longer lonely”
>>>> 
>> 
>> 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
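A hardened version of the download script that combines the checks discussed in the thread (basename() on the parameter, existence and readability checks, explicit download headers, no @ suppression). This is an added example, not code posted by either participant; it assumes the vox folder sits next to the script and adds a realpath() containment check as defence in depth.

```php
<?php
// Added example, not the thread's own code. "vox" is the folder named in the
// thread; its absolute location (next to this script) is an assumption.
$baseDir = realpath(__DIR__ . '/vox');
if ($baseDir === false) {
    http_response_code(500);
    exit('download folder not configured');
}

if (!isset($_GET['F']) || $_GET['F'] === '') {
    http_response_code(400);
    exit('missing file name');
}

// basename() drops any directory part, so "../" sequences cannot leave vox.
$name = basename($_GET['F']);
$path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);

// Defence in depth: realpath() follows symlinks, so confirm the resolved path
// is still inside vox and refers to an ordinary, readable file.
if ($path === false
        || strpos($path, $baseDir . DIRECTORY_SEPARATOR) !== 0
        || !is_file($path)
        || !is_readable($path)) {
    http_response_code(404);
    exit('no such file');
}

// A quoted filename with quotes and line breaks stripped keeps the header
// well-formed; application/octet-stream is the generic "download this" type.
$safeName = str_replace(['"', "\r", "\n"], '', $name);
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $safeName . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');

// No error suppression: check the return value and log the failure instead.
if (readfile($path) === false) {
    error_log('takekey_download: failed to read ' . $path);
    exit(1);
}
```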


