Larry Ullman's Book Forums
Here is the original code:
if (isset($_GET['id']) && (strlen($_GET['id']) == 40) && (substr($_GET['id'], 0, 1) != '.')) {
    $file = PDFS_DIR . $_GET['id'];
    // if all 3 conditions are true then the path is defined
    if (file_exists($file) && (is_file($file))) {
        // SQL for the path to the pdf
        $q = 'SELECT title, description, file_name FROM pdfs WHERE tmp_name = "' . mysqli_real_escape_string($dbc, $_GET['id']) . '"';
        $r = mysqli_query($dbc, $q);
        if (mysqli_num_rows($r) == 1) { // if everything is ok
            $row = mysqli_fetch_array($r, MYSQLI_ASSOC);
            $valid = true;
            if (isset($_SESSION['user_not_expired'])) { // struck through in the original post: this is the line the poster removed or commented out
                header('Content-type:application/pdf');
                header('Content-Disposition:inline; filename="' . $row['file_name'] . '"');
                $fs = filesize($file);
                header("Content-Length:$fs"); // no newline inside a header value
                readfile($file);
                exit();
            } else { // inactive account
                $page_title = $row['title'];
                include('./includes/header.html');
                echo "<h3>$page_title</h3>";
                if (isset($_SESSION['user_id'])) {
                    echo '<p class="error">Thank you for your interest in this content. Unfortunately your account has expired. Please <a href="renew.php">renew your account</a> in order to access this file</p>';
                } else {
                    echo '<p class="error">Thank you for your interest in this content. You must be logged in as a registered user to view this file</p>';
                }
                echo "<div>{$row['description']}</div>";
                include('./includes/footer.html');
            } // End of user IF-ELSE
        } // End of mysqli_num_rows() IF
    } // End of file_exists() IF
} // End of $_GET['id'] IF
if (!$valid) {
    // if not VALID
    // Set $page_title to error and display an error message
    $page_title = "Error";
    include('./includes/header.html');
    echo '<p class="error">This page has been accessed in error.</p>';
    include('./includes/footer.html');
}
?>

The marked-through code I did away with because I don't want people to pay to use this site, and I have done away with this portion of the other pages, so the only reason they couldn't access the pages is because they aren't logged in. I think the portion that has the line through it, which I removed or commented out, is the right portion to remove to make sure that the only reason someone couldn't visit the page is because they aren't logged in. The question I guess I am asking is: did I think correctly, or have I left a security loophole of some sort?

Thanks for your help.

From what I gather, you are still wanting people to access the PDF files, but ONLY if they are logged in? If so, I think I have changed the code correctly below:

<?php
// $dbc (the mysqli connection), PDFS_DIR and the session are assumed to come from earlier includes
$valid = false;
if (isset($_GET['id']) && (strlen($_GET['id']) == 40) && (substr($_GET['id'], 0, 1) != '.')) {
    $file = PDFS_DIR . $_GET['id'];
    // if all 3 conditions are true then the path is defined
    if (file_exists($file) && (is_file($file))) {
        // SQL for the path to the pdf
        $q = 'SELECT title, description, file_name FROM pdfs WHERE tmp_name = "' . mysqli_real_escape_string($dbc, $_GET['id']) . '"';
        $r = mysqli_query($dbc, $q);
        if (mysqli_num_rows($r) == 1) { // if everything is ok
            $row = mysqli_fetch_array($r, MYSQLI_ASSOC);
            $valid = true;
            if (isset($_SESSION['user_id'])) { // instead of getting rid of this, check whether they are logged in instead
                header('Content-type:application/pdf');
                header('Content-Disposition:inline; filename="' . $row['file_name'] . '"');
                $fs = filesize($file);
                header("Content-Length:$fs"); // no newline inside a header value
                readfile($file);
                exit();
            } else { // if not logged in
                $page_title = $row['title'];
                include('./includes/header.html');
                echo "<h3>$page_title</h3>";
                if (isset($_SESSION['user_id'])) {
                    echo '<p class="error">Thank you for your interest in this content. Unfortunately your account has expired. Please <a href="renew.php">renew your account</a> in order to access this file</p>';
                } else {
                    echo '<p class="error">Thank you for your interest in this content. You must be logged in as a registered user to view this file</p>';
                } // You'd also need to get rid of this
                echo "<div>{$row['description']}</div>";
                include('./includes/footer.html');
            } // End of user IF-ELSE - You need this, it's the end of checking whether they are logged in
        } // End of mysqli_num_rows() IF - You'd also need this
    } // End of file_exists() IF
} // End of $_GET['id'] IF
if (!$valid) {
    // if not VALID
    // Set $page_title to error and display an error message
    $page_title = "Error";
    include('./includes/header.html');
    echo '<p class="error">This page has been accessed in error.</p>';
    include('./includes/footer.html');
}
?>

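The reply's approach, as an added example that is not the poster's, the replier's or the book's code: the same view-PDF flow with the login session as the only access rule, split into functions so that rule is explicit and checkable on its own, with a prepared statement instead of string escaping, a strict 40-hex-character id check (assumption: tmp_name is a sha1-style digest), and the database fields escaped on output. It assumes, as the thread does, that $dbc, PDFS_DIR and session_start() come from the earlier includes, and that mysqli uses the mysqlnd driver so mysqli_stmt_get_result() is available.

```php
<?php
// Added example, not the poster's code: the view-PDF flow with "logged in" as the
// single access rule, split into functions so the rule is explicit. Assumes $dbc
// (mysqli) and PDFS_DIR come from the includes and session_start() has run.

// Fetch the record for a well-formed id whose file exists, else null.
function loadPdfRow(mysqli $dbc, ?string $id): ?array
{
    // tmp_name is assumed to be a sha1-style digest: 40 lowercase hex characters,
    // so the id can never contain '/', '\' or '.' and no other path can be built.
    if ($id === null || !preg_match('/^[0-9a-f]{40}$/', $id) || !is_file(PDFS_DIR . $id)) {
        return null;
    }
    $stmt = mysqli_prepare($dbc, 'SELECT title, description, file_name FROM pdfs WHERE tmp_name = ?');
    mysqli_stmt_bind_param($stmt, 's', $id);
    mysqli_stmt_execute($stmt);
    return mysqli_fetch_assoc(mysqli_stmt_get_result($stmt)) ?: null;
}

// 'serve', 'teaser' or 'error': a login session is the only condition for the file.
function pdfAccessDecision(array $session, ?array $row): string
{
    if ($row === null) {
        return 'error';
    }
    return isset($session['user_id']) ? 'serve' : 'teaser';
}

$id  = $_GET['id'] ?? null;
$row = loadPdfRow($dbc, $id);
switch (pdfAccessDecision($_SESSION, $row)) {
    case 'serve':
        header('Content-Type: application/pdf');
        header('Content-Disposition: inline; filename="' . basename($row['file_name']) . '"');
        header('Content-Length: ' . filesize(PDFS_DIR . $id)); // no "\n" inside a header value
        readfile(PDFS_DIR . $id);
        exit();
    case 'teaser':
        include('./includes/header.html');
        echo '<h3>' . htmlspecialchars($row['title']) . '</h3>';
        echo '<p class="error">You must be logged in as a registered user to view this file</p>';
        echo '<div>' . htmlspecialchars($row['description']) . '</div>';
        include('./includes/footer.html');
        break;
    default:
        include('./includes/header.html');
        echo '<p class="error">This page has been accessed in error.</p>';
        include('./includes/footer.html');
}
```

Because pdfAccessDecision() takes the session and the row as plain arrays, the access rule can be exercised in a test without a database or a web server.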
