[SOLVED] Files inside my directory


nthomthom


Hello everyone... I have a website that allows customers to view their invoices' .pdf files. Anywho, these files are currently inside of a directory inside my public folder called "invoices", and inside of the invoice directory I have a bunch of pdf files with names such as "inv_20.pdf". The problem is when I link the customers to this it has a url of

/invoices/inv_#.pdf

This is an obvious security issue in that the customer can just change the url to whatever invoice # they wanted, and sure enough they can see someone else's invoice. My question is, how can I get it so that this must be the user's invoice # for them to view that file....

https://forums.phpfreaks.com/topic/174048-solved-files-inside-my-directory/

Put your invoices in a directory not accessible to the web, for example /home/user/invoices.

Give Apache permission to read it.

Use this format for filenames... [filename]_[customer_number]_[invoice_number].[ext]

Example: invoice_1_20.pdf

invoice.php

<?php
session_start();
// set this on login; hard-coded here only for the example
$_SESSION['customer_number'] = 1;

// only accept a number, so nothing but digits ends up in the file path below
$invoice_number = (int) $_GET['invoice_number'];

header('Content-type: application/pdf');
header('Content-Disposition: attachment; filename="invoice_' . $invoice_number . '.pdf"');
readfile('/home/user/invoices/invoice_' . $_SESSION['customer_number'] . '_' . $invoice_number . '.pdf');
?>

So link to the page like so: invoice.php?invoice_number=20

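A hardened version of the script above, written here as an added example (it is not code from the thread): it validates the invoice number before anything touches the filesystem, refuses unauthenticated requests instead of defaulting to customer 1, and checks that the resolved path still sits under the invoice directory. The directory layout, filename pattern and $_SESSION['customer_number'] are the ones the reply above assumes.

```php
<?php
// Added example, not the thread's own code: the "serve it through a script"
// approach above with the checks a production version needs. Assumes the same
// layout, /home/user/invoices/invoice_<customer>_<invoice>.pdf, and that
// login stored the customer's number in $_SESSION['customer_number'].
declare(strict_types=1);
const INVOICE_DIR = '/home/user/invoices';

// Absolute path of the invoice if, and only if, it belongs to $customerNumber
// and really sits inside INVOICE_DIR; null for anything else.
function resolveInvoicePath(int $customerNumber, string $rawInvoiceNumber): ?string
{
    // Only a plain positive integer may reach the filesystem call below, so
    // "../", "%00" and similar never make it into the path.
    if (!preg_match('/^[1-9][0-9]{0,9}$/', $rawInvoiceNumber)) {
        return null;
    }
    $candidate = sprintf('%s/invoice_%d_%d.pdf', INVOICE_DIR, $customerNumber, (int) $rawInvoiceNumber);

    // realpath() resolves symlinks and "..", so confirm the final location is
    // still under INVOICE_DIR (it also returns false if the file is missing).
    $real = realpath($candidate);
    $base = realpath(INVOICE_DIR);
    if ($real === false || $base === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

session_start();

// Not logged in: refuse, never fall back to a default customer number.
if (!isset($_SESSION['customer_number'])) {
    http_response_code(403);
    exit('Please log in to view your invoices.');
}

$raw  = $_GET['invoice_number'] ?? '';
$path = resolveInvoicePath((int) $_SESSION['customer_number'], is_string($raw) ? $raw : '');
// One answer for "not yours" and "does not exist", so the URL cannot be used
// to work out which invoice numbers other customers have.
if ($path === null) {
    http_response_code(404);
    exit('Invoice not found.');
}

header('Content-Type: application/pdf');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
readfile($path);
```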

This topic is now archived and is closed to further replies.