nick Posted August 29, 2011 Share Posted August 29, 2011 Here is the original code: if(isset($_GET['id'])&&(strlen($_GET['id']) == 40)&&(substr($_GET['id'],0,1) !='.')){ $file =PDFS_DIR.$_GET['id']; // if all 3 conditons are true then the path is defined if(file_exists($file)&&(is_file($file))) { //SQL for the path to the pdf $q = 'SELECT title, description, file_name FROM pdfs WHERE tmp_name = "'.mysqli_real_escape_string($dbc, $_GET['id']) .'"'; $r = mysqli_query($dbc, $q); if(mysqli_num_rows($r) == 1) { // if everything is ok $row = mysqli_fetch_array($r, MYSQLI_ASSOC); $valid = true; [s]if(isset($_SESSION['user_not_expired'])){[/s] header('Content-type:application/pdf'); header('Content-Disposition:inline; filename="' .$row['file_name'] . '"'); $fs = filesize($file); header("Content-Length:$fs\n"); readfile($file); exit(); }else{ // inactive account $page_title = $row['title']; include('./includes/header.html'); echo "<h3>$page_title</h3>"; if(isset($_SESSION['user_id'])) { echo '<p class="error">Thank you for your interest in this content. Unfortunately your account has expired. Please <a href="renew.php">renew your account</a> in order to access this file</p>'; }else{ echo'<p class="error">Thank you for your interest in this content. You must be logged in as a registered user to view this file</p>'; } echo"<div>{$row['description']}</div>"; include('./includes/footer.html'); }//End of user IF-ELSE }// End of Mysqli_num_rows() IF }// End of file_exists() IF }// End of $_GET['id'] IF if(!$valid){ // if not VALID //Set $page_title to error and display an error message $page_title = "Error"; include('./includes/header.html'); echo '<p class="error">This page has been accessed in error.</p>'; include('./includes/footer.html'); } ?> The struck-through code is the part I removed, because I don't want people to have to pay to use this site. I have already removed this same check from the other pages, so the only reason someone could be denied access to the pages is that they aren't logged in. 
I think the portion with the line through it, which I removed (or commented out), is the right portion to remove so that the only reason someone couldn't view the page is that they aren't logged in. The question I'm really asking is: did I reason correctly, or have I left a security loophole of some sort? Thanks for your help. Link to comment Share on other sites More sharing options...
Craig-UK Posted August 31, 2011 Share Posted August 31, 2011 From what I gather, you still want people to be able to access the PDF files, but ONLY if they are logged in? If so, I think I have changed the code correctly below: <?php if(isset($_GET['id'])&&(strlen($_GET['id']) == 40)&&(substr($_GET['id'],0,1) !='.')){ $file =PDFS_DIR.$_GET['id']; // if all 3 conditons are true then the path is defined if(file_exists($file)&&(is_file($file))) { //SQL for the path to the pdf $q = 'SELECT title, description, file_name FROM pdfs WHERE tmp_name = "'.mysqli_real_escape_string($dbc, $_GET['id']) .'"'; $r = mysqli_query($dbc, $q); if(mysqli_num_rows($r) == 1) { // if everything is ok $row = mysqli_fetch_array($r, MYSQLI_ASSOC); $valid = true; if(isset($_SESSION['user_id'])) { // instead of getting rid of this, check whether they are logged in instead header('Content-type:application/pdf'); header('Content-Disposition:inline; filename="' .$row['file_name'] . '"'); $fs = filesize($file); header("Content-Length:$fs\n"); readfile($file); exit(); }else{ // if not logged in $page_title = $row['title']; include('./includes/header.html'); echo "<h3>$page_title</h3>"; if(isset($_SESSION['user_id'])) { echo '<p class="error">Thank you for your interest in this content. Unfortunately your account has expired. Please <a href="renew.php">renew your account</a> in order to access this file</p>'; }else{ echo'<p class="error">Thank you for your interest in this content. 
You must be logged in as a registered user to view this file</p>'; } // You'd also need to get rid of this echo"<div>{$row['description']}</div>"; include('./includes/footer.html'); }//End of user IF-ELSE - You need this, its the end of checking whether they are logged in }// End of Mysqli_num_rows() IF - You'd also need this }// End of file_exists() IF }// End of $_GET['id'] IF if(!$valid){ // if not VALID //Set $page_title to error and display an error message $page_title = "Error"; include('./includes/header.html'); echo '<p class="error">This page has been accessed in error.</p>'; include('./includes/footer.html'); } ?> 1 Link to comment Share on other sites More sharing options...