
Make this little script more secure.


quizzical


Hi all. I need help with a simple script (should be a simple matter for those who know PHP well).

 

I have this script that makes it possible to download images from my website via text links.

 

<?php

// Make sure that the id query is sent, and that the file exists
if (!isset($_GET['id']) || !file_exists('smilies/amore/'.$_GET['id'])) {
    die('No valid image was supplied.');
}

header('Content-type: image/gif');
header('Content-Disposition: attachment; filename="'.basename($_GET['id']).'"'); // tell the browser how to handle the file
echo implode(null, file('amore/'.$_GET['id'])); // provide the image

?>

 

Problem is, I need to make it more secure because some people are using it to download my php sources. Something like restrict its use to certain folders.

 

How can I achieve this?

 

Thanks in advance

 

https://forums.phpfreaks.com/topic/155813-make-this-little-script-more-secure/

my images are already in folders, you can see this script working here

http://quizzical.altervista.org/smilies.php

http://quizzical.altervista.org/smilies/amoredownloader.php?id=10.gif

The script is off now because people were looking at my source code in other folders.

How can I do a path check on the parameter ID? (I don't know php that much.)

You could do this:

 

<?php

// Make sure that the id query is sent, and that the file exists
if (!isset($_GET['id']) || !file_exists('smilies/amore/'.$_GET['id'])) {
    die('No valid image was supplied.');
}

// Check if the ID ends with '.gif'
if(substr($_GET['id'], -4) !== ".gif") {
    die('This is not an image!');
}

header('Content-type: image/gif');
header('Content-Disposition: attachment; filename="'.basename($_GET['id']).'"'); // tell the browser how to handle the file
echo implode(null, file('amore/'.$_GET['id'])); // provide the image

?>
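A hardened version of the downloader, added here as an illustration; it was not posted by anyone in the thread. It assumes the images live in smilies/amore next to the script and that only .gif files should ever be served; the directory path is the only value you need to adjust.

```php
<?php
// Added example (not from the thread): a hardened version of the downloader.
// Assumptions: images live under $baseDir below, and only .gif files should
// ever be served. Adjust the path to your own layout.

declare(strict_types=1);

// Resolve the allowed directory once; realpath() returns false if it does not exist.
$baseDir = realpath(__DIR__ . '/smilies/amore');
if ($baseDir === false) {
    http_response_code(500);
    exit('Image directory is not available.');
}

$id = $_GET['id'] ?? '';

// 1. Accept only a plain file name: letters, digits, underscore or hyphen,
//    ending in .gif. This rejects '/', '\', '..', null bytes and anything
//    else that could change which directory is read.
if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.gif\z/', $id)) {
    http_response_code(400);
    exit('No valid image was supplied.');
}

// 2. Build the path and resolve it; realpath() also follows symlinks, so the
//    containment check below is made against the file's real location.
$path = realpath($baseDir . DIRECTORY_SEPARATOR . $id);

// 3. Confirm the resolved file is inside $baseDir. The trailing separator
//    matters: without it a sibling directory whose name merely starts with
//    "amore" would pass a plain prefix comparison.
if ($path === false
    || strpos($path, $baseDir . DIRECTORY_SEPARATOR) !== 0
    || !is_file($path)) {
    http_response_code(404);
    exit('No valid image was supplied.');
}

// 4. Check the first bytes so the script only ever labels real GIF data as
//    image/gif, even if a non-image file was dropped into the folder.
$fh = fopen($path, 'rb');
$magic = $fh !== false ? fread($fh, 4) : '';
if ($fh !== false) {
    fclose($fh);
}
if ($magic !== 'GIF8') {
    http_response_code(415);
    exit('This is not an image!');
}

// 5. Serve the file; basename($path) is safe here because $path is already
//    known to be a regular file inside $baseDir.
header('Content-Type: image/gif');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

The difference from the suffix test above is that the suffix test only looks at how the parameter ends and says nothing about which directory is read; here the allowlisted file-name pattern rules out separators and parent references up front, and the realpath containment check guarantees that whatever is finally opened sits inside the one folder you intend to publish.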
