jagguy Posted July 16, 2007

Any advice on securing your directory for uploads and downloads? I hardcode the dir to load to and download from. The user just passes the filename, but my downloads get hijacked. I have no idea.

```php
$file_path = $myvar."/files/" . $file;
$file_extension = strtolower(substr(strrchr($file,"."),1));

if ((isset($file))&&(file_exists('files/'.$file))) {
    switch( $file_extension )//hijacked after this point????
    {
        case "pdf": $ctype="application/pdf"; break;
        case "exe": $ctype="application/octet-stream"; break;
        case "zip": $ctype="application/zip"; break;
        case "doc": $ctype="application/msword"; break;
        case "xls": $ctype="application/vnd.ms-excel"; break;
        case "ppt": $ctype="application/vnd.ms-powerpoint"; break;
        case "gif": $ctype="image/gif"; break;
        case "png": $ctype="image/png"; break;
        case "jpg": $ctype="image/jpg"; break;
        default: $ctype="application/force-download";
    }
    // the rest of the script is not shown in the post
}
```

lur Posted July 16, 2007

Check out basename(), realpath() and pathinfo().

jagguy (Author) Posted July 17, 2007

OK, so my problem is variables being set correctly and verified and the program somehow redirecting (when I take the echo statements out), so I am still confused about what to do.

jagguy (Author) Posted July 17, 2007

Forget the previous posts, as I have got the error down to this.

```
Warning: filesize() [function.filesize]: stat failed for http://jagguy.ej.am/school/test/files/2linux.txt in /home/jagguy/public_html/school/test/download2.php on line 96
```

Here is the code and line 96:

```php
header("Content-type: application/force-download");
header("Content-Transfer-Encoding: Binary");
header("Content-length: ".filesize($file_path)); //warning here line 96
header("Content-Type: $ctype");
header('Content-Disposition: attachment; filename="' . $file . '"');
readfile("$file_path");
```

I don't get this problem on my PC, so I don't know how to solve it.

jagguy (Author) Posted July 18, 2007

I just used a @ command to suppress the warning.

jagguy (Author) Posted July 19, 2007

Does anyone know how to fix this problem, or do I just suppress it?
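
Added example, not code from any poster in this thread: a download handler built on the basename(), realpath() and pathinfo() calls lur suggested, which also passes a local filesystem path to filesize() (the warning above shows `$file_path` holding an `http://` URL, and PHP's HTTP stream wrapper does not support stat()). `BASE_DIR`, `CONTENT_TYPES`, `resolve_download()` and the `file` query parameter are assumptions made for the example.

```php
<?php
// Added example, not from the thread. BASE_DIR and the "file" query parameter
// are assumptions; the posts do not show how $file is populated.
const BASE_DIR = __DIR__ . '/files';

// Allowlist modelled on the switch in the first post; unlisted extensions
// are refused instead of falling through to a default type.
const CONTENT_TYPES = [
    'pdf' => 'application/pdf',           'exe' => 'application/octet-stream',
    'zip' => 'application/zip',           'doc' => 'application/msword',
    'xls' => 'application/vnd.ms-excel',  'ppt' => 'application/vnd.ms-powerpoint',
    'gif' => 'image/gif',                 'png' => 'image/png',
    'jpg' => 'image/jpeg',
];

/** Return [path, content type, name] for an allowed file under $baseDir, else null. */
function resolve_download(string $requested, string $baseDir): ?array
{
    $base = realpath($baseDir);
    // basename() drops any directory part: "../../etc/passwd" becomes "passwd".
    $name = basename($requested);
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if ($base === false || $name === '' || !isset(CONTENT_TYPES[$ext])) {
        return null;
    }
    // realpath() resolves symlinks and returns false for a missing file; the
    // prefix check rejects a result that lands outside the base directory.
    $path   = realpath($base . DIRECTORY_SEPARATOR . $name);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0 || !is_file($path)) {
        return null;
    }
    return [$path, CONTENT_TYPES[$ext], $name];
}

$requested = $_GET['file'] ?? '';
$resolved  = resolve_download(is_string($requested) ? $requested : '', BASE_DIR);
if ($resolved === null) {
    http_response_code(404);
    exit;
}
[$path, $ctype, $name] = $resolved;
header('Content-Type: ' . $ctype);
header('Content-Length: ' . filesize($path)); // local filesystem path, so stat() succeeds
header('Content-Disposition: attachment; filename="' . str_replace('"', '', $name) . '"');
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Keeping the upload directory outside the web root, or denying script execution in it, means a file that does get uploaded there cannot be run by requesting its URL directly.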