nthomthom Posted September 13, 2009

Hello everyone... I have a website that allows customers to view their invoice .pdf files. Anywho, these files are currently inside of a directory inside my public folder called "invoices", and inside of the invoice directory I have a bunch of pdf files with names such as "inv_20.pdf". The problem is that when I link the customers to this it has a URL of /invoices/inv_#.pdf. This is an obvious security issue in that the customer can just change the URL to whatever invoice # they wanted, and sure enough they can see someone else's invoice. My question is, how can I get it so that this must be the user's invoice # for them to view that file?
l0ve2hat3 Posted September 13, 2009

Put your invoices in a directory not accessible to the web. Example: /home/user/invoices. Give Apache permission to read user.

Use this format for filenames: [filename]_[customer_number]_[invoice_number].[ext]
Example: invoice_1_20.pdf

invoice.php:

<?php
session_start();
//set this on login
$_SESSION['customer_number']=1;
header('Content-type: application/pdf');
header('Content-Disposition: attachment; filename="invoice_".$_GET['invoice_number'].".pdf"');
readfile('/home/user/invoices/invoice_'.$_SESSION['customer_number'].'_'.$_GET['invoice_number'].'.pdf');
?>

So link to the page like so: invoice.php?invoice_number=20
nthomthom (Author) Posted September 15, 2009

Okay. Customers are already assigned a unique customer number which is stored in a MySQL database table epay_clients / id.
nthomthom (Author) Posted September 15, 2009

Also, for some reason I get syntax errors with the code as well.
l0ve2hat3 Posted September 16, 2009

<?php
session_start();
// Set this on login (the customer's id from epay_clients)
$_SESSION['customer_number'] = 1;
// Cast the query value to int so it cannot alter the path (e.g. "../")
$invoice_number = (int) $_GET['invoice_number'];
header('Content-type: application/pdf');
header('Content-Disposition: attachment; filename="invoice_' . $invoice_number . '.pdf"');
readfile('/home/user/invoices/invoice_' . $_SESSION['customer_number'] . '_' . $invoice_number . '.pdf');
?>
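The script above fixes the original problem (the invoice number alone no longer selects the file, because the customer number comes from the session) but it still builds a filesystem path from a raw query parameter. The following is an added example, not code from the thread, showing the same approach hardened the way a reviewer would want: the invoice number is validated as a positive integer before it touches the path, ownership is confirmed against the database rather than inferred from the filename, and the resolved path is checked to be inside the invoice directory. It assumes that login stores the customer's epay_clients.id in $_SESSION['customer_number'], that files live outside the web root under /home/user/invoices as invoice_<customer>_<invoice>.pdf, and that an invoices table with id and client_id columns exists; the table, the database credentials and the helper names are assumptions for illustration.

```php
<?php
// Added example (not from the original thread). Assumptions: the customer's
// epay_clients.id is placed in $_SESSION['customer_number'] at login; PDFs are
// stored outside the web root as /home/user/invoices/invoice_<customer>_<invoice>.pdf;
// a table `invoices` (assumed) with columns id and client_id records ownership.
session_start();

const INVOICE_DIR = '/home/user/invoices';

function fail(int $status, string $msg): void
{
    http_response_code($status);
    header('Content-Type: text/plain');
    echo $msg;
    exit;
}

// 1. The caller must be logged in; the customer id comes only from the session.
if (empty($_SESSION['customer_number'])) {
    fail(401, 'Please log in.');
}
$customer = (int) $_SESSION['customer_number'];

// 2. Accept only a positive integer invoice number. Anything else, e.g.
//    "../../etc/passwd" or "20.pdf%00", is rejected before a path is built.
$invoice = filter_input(INPUT_GET, 'invoice_number', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
if ($invoice === false || $invoice === null) {
    fail(400, 'Invalid invoice number.');
}

// 3. Ownership check against the database (table/columns assumed), using a
//    prepared statement so the values are never interpolated into SQL.
$pdo = new PDO('mysql:host=localhost;dbname=epay', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$stmt = $pdo->prepare('SELECT 1 FROM invoices WHERE id = ? AND client_id = ?');
$stmt->execute([$invoice, $customer]);
if ($stmt->fetchColumn() === false) {
    // Same response as a missing file, so a customer cannot probe which
    // invoice numbers exist for other customers.
    fail(404, 'Invoice not found.');
}

// 4. Build the path from trusted values only, then confirm the resolved
//    path is still inside the invoice directory and is a regular file.
$path = realpath(sprintf('%s/invoice_%d_%d.pdf', INVOICE_DIR, $customer, $invoice));
if ($path === false || strpos($path, INVOICE_DIR . '/') !== 0 || !is_file($path)) {
    fail(404, 'Invoice not found.');
}

// 5. Stream the PDF. Content-Length lets the browser show progress; nosniff
//    stops the browser from second-guessing the declared type.
header('Content-Type: application/pdf');
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="invoice_' . $invoice . '.pdf"');
header('X-Content-Type-Options: nosniff');
readfile($path);
exit;
```

The database check is the part that matters most: with it, a customer who guesses another customer's number and invoice number still gets a 404, even if a file with that name exists on disk. The realpath check is belt-and-braces for the case where INVOICE_DIR or the naming scheme is later changed to include something user-controlled.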
nthomthom (Author) Posted September 17, 2009

This worked great for what I am trying to do, thank you very much! :-)