quizzical Posted April 27, 2009

Hi all. I need help with a simple script (should be a simple matter for those who know PHP well). I have this script that makes it possible to download images from my website via text links.

```php
<?php
// Make sure that the id query is sent, and that the file exists
if (!isset($_GET['id']) || !file_exists('smilies/amore/'.$_GET['id'])) {
    die('No valid image was supplied.');
}
header('Content-type: image/gif');
header('Content-Disposition: attachment; filename="'.basename($_GET['id']).'"'); // tell the browser how to handle the file
echo implode(null, file('amore/'.$_GET['id'])); // provide the image
?>
```

Problem is, I need to make it more secure because some people are using it to download my PHP sources. Something like restricting its use to certain folders. How can I achieve this? Thanks in advance.
GingerRobot Posted April 27, 2009

You should validate that incoming request. You could, for example, ensure the id is a number. How are your images stored?
quizzical (Author) Posted April 27, 2009

My images are already in folders; you can see this script working here:
http://quizzical.altervista.org/smilies.php
http://quizzical.altervista.org/smilies/amoredownloader.php?id=10.gif

The script is off now because people were looking at my source code in other folders. How can I do a path check on the parameter ID? (I don't know PHP that much.)
mattal999 Posted April 27, 2009

You could do this:

```php
<?php
// Make sure that the id query is sent, and that the file exists
if (!isset($_GET['id']) || !file_exists('smilies/amore/'.$_GET['id'])) {
    die('No valid image was supplied.');
}
// Check if the ID ends with '.gif'
if (substr($_GET['id'], -4) !== ".gif") {
    die('This is not an image!');
}
header('Content-type: image/gif');
header('Content-Disposition: attachment; filename="'.basename($_GET['id']).'"'); // tell the browser how to handle the file
echo implode(null, file('amore/'.$_GET['id'])); // provide the image
?>
```
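Editor's note, with an added example that is not code from either poster: the problem in the original script is path traversal, since `$_GET['id']` is concatenated straight into a file path, so an `id` such as `../../index.php` is read and sent out. A suffix check on `.gif` does not close that on its own, because the directory part of the name is still under the caller's control, and because a file can end in `.gif` and still contain PHP source. The version below restricts the script to an explicit list of folders (the OP's original request), accepts only plain file names matching a strict pattern, resolves the result with `realpath()` and confirms it still lies inside the chosen folder, and finally checks that the bytes are really a GIF before serving them. The `dir` parameter, the `ALLOWED_DIRS` entries and the `amore`/`natale` folder names are assumptions for the example; only `amore` appears on the page.

```php
<?php
// Added example, not the thread's own code. Assumes this script sits next
// to the image folders (e.g. smilies/amoredownloader.php beside smilies/amore/)
// and that those folders contain only .gif files. Folder names other than
// "amore" are hypothetical.

declare(strict_types=1);

// Allow-list of folders a caller may pick with ?dir=...; everything else is
// refused. Keys are the public names, values the real folder names.
const ALLOWED_DIRS = [
    'amore'  => 'amore',
    'natale' => 'natale', // hypothetical second folder
];

/**
 * Map (dir, id) to an absolute path that is safe to serve, or null.
 */
function resolve_image(string $dir, string $id): ?string
{
    // 1. The folder must be one we explicitly allow.
    if (!isset(ALLOWED_DIRS[$dir])) {
        return null;
    }

    // 2. The file name must be a bare name ending in .gif: no slashes,
    //    no "..", no NUL bytes, nothing outside [A-Za-z0-9_-].
    //    \A and \z anchor the whole string (a trailing "$" would still
    //    accept a name followed by a newline).
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.gif\z/', $id)) {
        return null;
    }

    // 3. Resolve both the base folder and the candidate to absolute paths
    //    and require the candidate to be inside the base. realpath() follows
    //    symlinks, so a link planted in the folder cannot escape it either.
    $base = realpath(__DIR__ . '/' . ALLOWED_DIRS[$dir]);
    if ($base === false) {
        return null;
    }
    $path = realpath($base . '/' . $id);
    if ($path === false || !is_file($path)) {
        return null;
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }

    // 4. Check the content, not just the name: a PHP file renamed to .gif
    //    will not parse as an image.
    $info = @getimagesize($path);
    if ($info === false || $info['mime'] !== 'image/gif') {
        return null;
    }

    return $path;
}

$dir = isset($_GET['dir']) ? (string) $_GET['dir'] : 'amore';
$id  = isset($_GET['id'])  ? (string) $_GET['id']  : '';

$path = resolve_image($dir, $id);
if ($path === null) {
    http_response_code(404);
    die('No valid image was supplied.');
}

header('Content-Type: image/gif');
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . (string) filesize($path));
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
readfile($path);
```

The regex in step 2 already rejects every traversal form (`../`, encoded slashes arrive decoded in `$_GET`, and NUL bytes are not in the character class), so step 3 is belt-and-braces against symlinks and against future edits that loosen the pattern. Serving with `readfile()` instead of `implode(null, file(...))` avoids loading the whole file into an array, and `nosniff` stops browsers from second-guessing the declared type.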