Help displaying a pdf file using php

[Darrell_G]

<?php
$fname = isset($_POST['fname']) ? $_POST['fname'] : "";
$lname = isset($_POST['lname']) ? $_POST['lname'] : "";
$file=(glob("Recordings/$fname*$lname.pdf")) ;
//header('Content-type: application/pdf');
header('Content-Disposition: inline; filename="' . $file . '"'); 
header("Content-Length: " . filesize($file));
header('Content-Transfer-Encoding: binary'); 
header('Accept-Ranges: bytes'); 
// Read the file
//readfile($file);
print_r($file);   
?>

will print Recordings/John_Joe_Doe.pdf as expected. remove // from lines 5 & 11 and add // to line 12 and the browser opens a pdf page and says unable to load file.

Change line 4 to $file=("Recordings/$John_Joe_Doe.pdf"); and the pdf file will open in the browser.

Where am I going wrong?

[requinix]

1 hour ago, Darrell_G said:

will print Recordings/John_Joe_Doe.pdf as expected.

No. It will print "Array" and "[0] =>" and the filename. Think about what that might mean.

[Darrell_G]

I see that problem now. What can I do about it?

[ginerjm]

Try this:

$fname = isset($_POST['fname']) ? $_POST['fname'] : "";
$lname = isset($_POST['lname']) ? $_POST['lname'] : "";
$path = "Recordings/$fname*$lname.pdf";
echo "About to search in $path<br>";
$file=glob($path);

See what the path turns out to be and see what you are dealing with.

[requinix]

2 hours ago, Darrell_G said:

I see that problem now. What can I do about it?

Do you know what it means when you try to var_dump something and it outputs "Array"?

[Darrell_G]

Just now, requinix said:

Do you know what it means when you try to var_dump something and it outputs "Array"?

No. I'm a beginner. How do I get "John_Joe_Doe.pdf " into $file from "Array ( [0] => John_Joe_Doe.pdf )" in PHP ?

[requinix]

Start by learning about arrays. The syntax you need is simple and mentioned on the page, but you'll probably learn some other things talked about on the page as you look for it.

[Darrell_G]

On 1/30/2022 at 2:55 PM, requinix said:

Start by learning about arrays. The syntax you need is simple and mentioned on the page, but you'll probably learn some other things talked about on the page as you look for it.

I have exhausted everything I know what to do. I have gotten as far as I can. I have gotten from "Array ( [0] => John_Joe_Doe.pdf )" to "John_Joe_Doe.pdf1".

Nothing I do will get rid of the "1". Another clue pointing where to look would be apreciated.

[requinix]

What's your current code?

[Darrell_G]

1 hour ago, requinix said:

What's your current code?

I stumbled on the answer. I am still working through why it works. Here is my code.

<?php
$fname = isset($_POST['fname']) ? $_POST['fname'] : "";
$lname = isset($_POST['lname']) ? $_POST['lname'] : "";
$path = "$fname*$lname.pdf";
$a = glob($path);
$b=($a[0]);
$cd=($b);
$cc = ("$cd");   
header('Content-type: application/pdf');
header('Content-Disposition: inline; filename="' . $cc . '"'); 
header("Content-Length: " . filesize($a));
header('Content-Transfer-Encoding: binary'); 
header('Accept-Ranges: bytes'); 
readfile($cc);
?>

[requinix]

20 hours ago, Darrell_G said:

I am still working through why it works.

Hard to know without being able to see what it was that didn't work.

But what you have isn't actually correct. And I don't just mean because of the significant remote file inclusion vulnerability you've created - one that would allow anyone to view any file that exists on your server, including PHP source code and configuration files and confidential files and really anything they can imagine.

$a = glob($path);
$b=($a[0]);
$cd=($b);
$cc = ("$cd");   

- $a will be an array of files matching the $path pattern. Good.
- $b will be the first file in the array. The parentheses don't do anything and are useless.
- $cd will be the same as $b. There's no point to having both $cd and $b. The parentheses don't do anything here either.
- $cc will be the value of $cd (a filename) put into a string (it was already a string) - or in other words, the same as $cd and $b. No point to this. And ditto about the parentheses here again.

Please, do yourself a favor and learn PHP. That way you will not have to stumble around anymore.

A non-obvious thing is your use of the Accept-Ranges header. Your script does not actually support ranges. Do not send this header because your server will be lying to the browser.

[Darrell_G]

1 hour ago, requinix said:

I don't just mean because of the significant remote file inclusion vulnerability you've created - one that would allow anyone to view any file that exists on your server, including PHP source code and configuration files and confidential files and really anything they can imagine.

I made the changes you recommended and it works. Where is the remote file inclusion vulnerability? What is the cause?

[Darrell_G]

20 minutes ago, Darrell_G said:

I made the changes you recommended and it works. Where is the remote file inclusion vulnerability? What is the cause?

I think the problem that I thought I had was caused by echo var_dump($a) and I was getting string(25) "John_Joe_Doe". I should have been using echo $a. 

Edited February 1, 2022 by Darrell_G

[requinix]

Actually, it looks like PHP itself protects you from the kind of attack I was thinking of. So that's nice. So not just any file can be read.

However your script will still let anyone read any PDF file that exists on your server. And it's simple: all they have to do is pass the right "fname" and "lname" values to create a $path that goes where they want it to go.

4 hours ago, Darrell_G said:

I think the problem that I thought I had was caused by echo var_dump($a) and I was getting string(25) "John_Joe_Doe". I should have been using echo $a. 

That would have been it, yes: var_dump would create some output on its own, then you would echo the true value that it returned (which would display as "1").