[SOLVED] Files inside my directory

[nthomthom]

Hello everyone... I have a website that allows customers to view their invoices .pdf files. ANywho, these files are currently inside of a directory inside my public folder called "invoices" and inside of the invoice directory i have a bunch of pdf files with names such as "inv_20.pdf." The problem is when i link the customers to this it has a url of

 

/invoices/inv_#.pdf

 

This is an obvious security issue in that the customer can just change the url to whatever invoice# they wanted, and sure enough they can see someone elses invoice. My question is, how can i get it so that this must be the users invoice# for them to view that file....

[l0ve2hat3]

put your invoices in a directory not accessible to the web. example /home/user/invoices

give Apache permission to read

 

user this format for filenames... [filename]_[customer_number]_[invoice_number].[ext]

example invoice_1_20.pdf

 

invoice.php

<?php
session_start();
//set this on login
$_SESSION['customer_number']=1;





header('Content-type: application/pdf');
header('Content-Disposition: attachment; filename="invoice_".$_GET['invoice_number'].".pdf"');
readfile('/home/user/invoices/invoice_'.$_SESSION['customer_number'].'_'.$_GET['invoice_number'].'.pdf');
?>

 

so link to the page like so.. invoice.php?invoice_number=20

[nthomthom]

Okay. customers are already assigned a unique customer number which is stored in a mysql database table epay_clients /id.

[nthomthom]

Also for some reason I get syntax errors with the code as wel

[l0ve2hat3]

<?php
session_start();
//set this on login
$_SESSION['customer_number']=1;





header('Content-type: application/pdf');
header('Content-Disposition: attachment; filename="invoice_'.$_GET['invoice_number'].'.pdf"');
readfile('/home/user/invoices/invoice_'.$_SESSION['customer_number'].'_'.$_GET['invoice_number'].'.pdf');
?>

[nthomthom]

This worked great for what I am trying to do thank you very much! :-)