Darrell_G
Posted January 30, 2022

    <?php
    $fname = isset($_POST['fname']) ? $_POST['fname'] : "";
    $lname = isset($_POST['lname']) ? $_POST['lname'] : "";
    $file=(glob("Recordings/$fname*$lname.pdf")) ;
    //header('Content-type: application/pdf');
    header('Content-Disposition: inline; filename="' . $file . '"');
    header("Content-Length: " . filesize($file));
    header('Content-Transfer-Encoding: binary');
    header('Accept-Ranges: bytes');
    // Read the file
    //readfile($file);
    print_r($file);
    ?>

will print Recordings/John_Joe_Doe.pdf as expected. Remove // from lines 5 & 11 and add // to line 12 and the browser opens a pdf page and says unable to load file. Change line 4 to $file=("Recordings/$John_Joe_Doe.pdf"); and the pdf file will open in the browser. Where am I going wrong?

requinix
Posted January 30, 2022

1 hour ago, Darrell_G said:
> will print Recordings/John_Joe_Doe.pdf as expected.

No. It will print "Array" and "[0] =>" and the filename. Think about what that might mean.

Darrell_G (Author)
Posted January 30, 2022

I see that problem now. What can I do about it?

ginerjm
Posted January 30, 2022

Try this:

    $fname = isset($_POST['fname']) ? $_POST['fname'] : "";
    $lname = isset($_POST['lname']) ? $_POST['lname'] : "";
    $path = "Recordings/$fname*$lname.pdf";
    echo "About to search in $path<br>";
    $file=glob($path);

See what the path turns out to be and see what you are dealing with.

requinix
Posted January 30, 2022

2 hours ago, Darrell_G said:
> I see that problem now. What can I do about it?

Do you know what it means when you try to var_dump something and it outputs "Array"?

Darrell_G (Author)
Posted January 30, 2022

Just now, requinix said:
> Do you know what it means when you try to var_dump something and it outputs "Array"?

No. I'm a beginner. How do I get "John_Joe_Doe.pdf " into $file from "Array ( [0] => John_Joe_Doe.pdf )" in PHP?

requinix
Posted January 30, 2022

Start by learning about arrays. The syntax you need is simple and mentioned on the page, but you'll probably learn some other things talked about on the page as you look for it.

Darrell_G (Author)
Posted January 31, 2022

On 1/30/2022 at 2:55 PM, requinix said:
> Start by learning about arrays. The syntax you need is simple and mentioned on the page, but you'll probably learn some other things talked about on the page as you look for it.

I have exhausted everything I know what to do. I have gotten as far as I can. I have gotten from "Array ( [0] => John_Joe_Doe.pdf )" to "John_Joe_Doe.pdf1". Nothing I do will get rid of the "1". Another clue pointing where to look would be appreciated.

requinix
Posted February 1, 2022

What's your current code?

Darrell_G (Author)
Posted February 1, 2022

1 hour ago, requinix said:
> What's your current code?

I stumbled on the answer. I am still working through why it works. Here is my code.

    <?php
    $fname = isset($_POST['fname']) ? $_POST['fname'] : "";
    $lname = isset($_POST['lname']) ? $_POST['lname'] : "";
    $path = "$fname*$lname.pdf";
    $a = glob($path);
    $b=($a[0]);
    $cd=($b);
    $cc = ("$cd");
    header('Content-type: application/pdf');
    header('Content-Disposition: inline; filename="' . $cc . '"');
    header("Content-Length: " . filesize($a));
    header('Content-Transfer-Encoding: binary');
    header('Accept-Ranges: bytes');
    readfile($cc);
    ?>

requinix
Posted February 1, 2022

20 hours ago, Darrell_G said:
> I am still working through why it works.

Hard to know without being able to see what it was that didn't work. But what you have isn't actually correct. And I don't just mean because of the significant remote file inclusion vulnerability you've created - one that would allow anyone to view any file that exists on your server, including PHP source code and configuration files and confidential files and really anything they can imagine.

    $a = glob($path);
    $b=($a[0]);
    $cd=($b);
    $cc = ("$cd");

- $a will be an array of files matching the $path pattern. Good.
- $b will be the first file in the array. The parentheses don't do anything and are useless.
- $cd will be the same as $b. There's no point to having both $cd and $b. The parentheses don't do anything here either.
- $cc will be the value of $cd (a filename) put into a string (it was already a string) - or in other words, the same as $cd and $b. No point to this. And ditto about the parentheses here again.

Please, do yourself a favor and learn PHP. That way you will not have to stumble around anymore.

A non-obvious thing is your use of the Accept-Ranges header. Your script does not actually support ranges. Do not send this header because your server will be lying to the browser.

Darrell_G (Author)
Posted February 1, 2022

1 hour ago, requinix said:
> I don't just mean because of the significant remote file inclusion vulnerability you've created - one that would allow anyone to view any file that exists on your server, including PHP source code and configuration files and confidential files and really anything they can imagine.

I made the changes you recommended and it works. Where is the remote file inclusion vulnerability? What is the cause?

Darrell_G (Author)
Posted February 1, 2022

20 minutes ago, Darrell_G said:
> I made the changes you recommended and it works. Where is the remote file inclusion vulnerability? What is the cause?

I think the problem that I thought I had was caused by echo var_dump($a) and I was getting string(25) "John_Joe_Doe". I should have been using echo $a.

Edited February 1, 2022 by Darrell_G

requinix
Posted February 2, 2022

Actually, it looks like PHP itself protects you from the kind of attack I was thinking of. So that's nice. So not just any file can be read.

However your script will still let anyone read any PDF file that exists on your server. And it's simple: all they have to do is pass the right "fname" and "lname" values to create a $path that goes where they want it to go.

4 hours ago, Darrell_G said:
> I think the problem that I thought I had was caused by echo var_dump($a) and I was getting string(25) "John_Joe_Doe". I should have been using echo $a.

That would have been it, yes: var_dump would create some output on its own, then you would echo the true value that it returned (which would display as "1").

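A hardened form of the script for the issue raised in the last post (user-supplied fname and lname steering the glob() path), as an added example that is not code from the thread. resolve_recording() is a hypothetical helper; the letters/digits/hyphen allowlist, the Recordings directory beside the script and a Unix-like server are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the thread): returns the absolute path of the
// single matching PDF under $baseDir, or null if input is rejected or unmatched.
function resolve_recording(string $baseDir, string $fname, string $lname): ?string
{
    // Allowlist (an assumption about valid names): letters, digits, hyphen.
    // Rejects "/", "..", NUL and glob metacharacters before they reach glob().
    foreach ([$fname, $lname] as $part) {
        if (!preg_match('/\A[A-Za-z0-9-]{1,64}\z/', $part)) {
            return null;
        }
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // glob() returns an array (or false on error), never a single filename.
    $matches = glob($base . '/' . $fname . '*' . $lname . '.pdf');
    if ($matches === false || count($matches) !== 1) {
        return null; // no match, or ambiguous: refuse rather than guess
    }
    // Resolve symlinks and confirm the result is still inside $base.
    $real = realpath($matches[0]);
    if ($real === false || strncmp($real, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($real) ? $real : null;
}

$fname = $_POST['fname'] ?? '';
$lname = $_POST['lname'] ?? '';
$file = (is_string($fname) && is_string($lname))
    ? resolve_recording(__DIR__ . '/Recordings', $fname, $lname)
    : null;
if ($file === null) {
    http_response_code(404);
    exit;
}
// Accept-Ranges is deliberately not sent: this script does not serve ranges.
header('Content-Type: application/pdf');
header('Content-Disposition: inline; filename="' . basename($file) . '"');
header('Content-Length: ' . filesize($file));
readfile($file);
```

This confines reads to PDFs inside the Recordings directory. Whether a given requester may see a given recording is a separate authorization check that the script still needs.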