On 3/30/07, Rahul Sitaram Johari <[EMAIL PROTECTED]> wrote:
Ave,You will probably find this code pretty inefficient, although it works flawlessly, but I ran into a problem with Internet Explorer 7, which instead of giving the "Save as" dialog box, tried opening the file within the Internet Explorer 7 window and displayed millions of bizarre characters on the screen. In order to bypass that, I used a force-download method. And I can tell you it's probably a crappy version of it. So I'm definitely interested in and anxious on getting improvement suggestions on the code. Here's the code (and please don't kill me): <?php header("Content-Description: File Transfer"); header("Content-Type: application/force-download"); header("Content-Disposition: attachment; filename=".basename($F)); @readfile($F); ?>
You are using this only :| Now go to: takekey_download.php?F=index.php That would output the source of the index.php file. This is really unsecure. even displaying the real URL to the user would be more secure :) I can't provide a real secure solution atm, but you should check for the directory set to vox atleast, or only get files from the vox dir. Tijnema
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Rahul Sitaram Johari CEO, Twenty Four Seventy Nine Inc. W: http://www.rahulsjohari.com E: [EMAIL PROTECTED] ³I morti non sono piu soli ... The dead are no longer lonely² On 3/30/07 10:31 AM, "Jochem Maas" <[EMAIL PROTECTED]> wrote: > Rahul Sitaram Johari wrote: >> Ave, >> > > ... > >> VALUE='takekey_download.php?F=vox/".basename($value)."'>".basename($value)." > > show us the code for takekey_download.php, we may be able to save you > on a major security issue with regard to the way you use the F get parameter. > >> </option>"; >> } >> ?> >> </SELECT> >> </FORM> >> >> Thanks! >> >> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >> Rahul Sitaram Johari >> CEO, Twenty Four Seventy Nine Inc. >> >> W: http://www.rahulsjohari.com >> E: [EMAIL PROTECTED] >> >> ³I morti non sono piu soli ... The dead are no longer lonely² >> -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
