Larry Ullman's Book Forums
Here is the original code:

<?php
// The post starts mid-file: $dbc, PDFS_DIR and session_start() are assumed to
// come from the site's config include, and $valid is assumed to be initialised
// to false before this block (it is tested at the bottom).
$valid = false;

if (isset($_GET['id']) && (strlen($_GET['id']) == 40) && (substr($_GET['id'], 0, 1) != '.')) {
    // If all 3 conditions are true then the path is defined.
    $file = PDFS_DIR . $_GET['id'];

    if (file_exists($file) && is_file($file)) {
        // SQL for the path to the PDF.
        $q = 'SELECT title, description, file_name FROM pdfs WHERE tmp_name = "' . mysqli_real_escape_string($dbc, $_GET['id']) . '"';
        $r = mysqli_query($dbc, $q);

        if (mysqli_num_rows($r) == 1) { // if everything is OK
            $row = mysqli_fetch_array($r, MYSQLI_ASSOC);
            $valid = true;

            if (isset($_SESSION['user_not_expired'])) { // struck through in the post: the line the poster removed
                header('Content-type:application/pdf');
                header('Content-Disposition:inline; filename="' . $row['file_name'] . '"');
                $fs = filesize($file);
                header("Content-Length:$fs"); // trailing "\n" dropped: PHP refuses a header that contains a newline
                readfile($file);
                exit();
            } else { // inactive account
                $page_title = $row['title'];
                include('./includes/header.html');
                echo "<h3>$page_title</h3>";
                if (isset($_SESSION['user_id'])) {
                    echo '<p class="error">Thank you for your interest in this content. Unfortunately your account has expired. Please <a href="renew.php">renew your account</a> in order to access this file</p>';
                } else {
                    echo '<p class="error">Thank you for your interest in this content. You must be logged in as a registered user to view this file</p>';
                }
                echo "<div>{$row['description']}</div>";
                include('./includes/footer.html');
            } // End of user IF-ELSE
        } // End of mysqli_num_rows() IF
    } // End of file_exists() IF
} // End of $_GET['id'] IF

if (!$valid) {
    // If not valid, set $page_title to Error and display an error message.
    $page_title = "Error";
    include('./includes/header.html');
    echo '<p class="error">This page has been accessed in error.</p>';
    include('./includes/footer.html');
}
?>

The marked-through code I did away with because I don't want people to pay to use this site, and I have done away with this portion of the other pages, so the only reason they couldn't access the pages is because they aren't logged in. I think the portion that has the line through it, which I removed or commented out, is the right portion to remove to make sure that the only reason someone couldn't visit the page is because they aren't logged in. The question I guess I am asking is: did I think correctly, or have I left a security loophole of some sort?

Thanks for your help


From what I gather, you are still wanting people to access the PDF files but ONLY if they are logged in? If so, I think I have changed the code correctly below:

<?php
// As in the first post, $dbc, PDFS_DIR and session_start() are assumed to come
// from the site's config include, and $valid is assumed to start out false.
$valid = false;

if (isset($_GET['id']) && (strlen($_GET['id']) == 40) && (substr($_GET['id'], 0, 1) != '.')) {
    // If all 3 conditions are true then the path is defined.
    $file = PDFS_DIR . $_GET['id'];

    if (file_exists($file) && is_file($file)) {
        // SQL for the path to the PDF.
        $q = 'SELECT title, description, file_name FROM pdfs WHERE tmp_name = "' . mysqli_real_escape_string($dbc, $_GET['id']) . '"';
        $r = mysqli_query($dbc, $q);

        if (mysqli_num_rows($r) == 1) { // if everything is OK
            $row = mysqli_fetch_array($r, MYSQLI_ASSOC);
            $valid = true;

            if (isset($_SESSION['user_id'])) { // instead of getting rid of this, check whether they are logged in instead
                header('Content-type:application/pdf');
                header('Content-Disposition:inline; filename="' . $row['file_name'] . '"');
                $fs = filesize($file);
                header("Content-Length:$fs"); // trailing "\n" dropped: PHP refuses a header that contains a newline
                readfile($file);
                exit();
            } else { // if not logged in
                $page_title = $row['title'];
                include('./includes/header.html');
                echo "<h3>$page_title</h3>";
                if (isset($_SESSION['user_id'])) {
                    echo '<p class="error">Thank you for your interest in this content. Unfortunately your account has expired. Please <a href="renew.php">renew your account</a> in order to access this file</p>';
                } else {
                    echo '<p class="error">Thank you for your interest in this content. You must be logged in as a registered user to view this file</p>';
                } // You'd also need to get rid of this
                echo "<div>{$row['description']}</div>";
                include('./includes/footer.html');
            } // End of user IF-ELSE - You need this, it's the end of checking whether they are logged in
        } // End of mysqli_num_rows() IF - You'd also need this
    } // End of file_exists() IF
} // End of $_GET['id'] IF

if (!$valid) {
    // If not valid, set $page_title to Error and display an error message.
    $page_title = "Error";
    include('./includes/header.html');
    echo '<p class="error">This page has been accessed in error.</p>';
    include('./includes/footer.html');
}
?>

  • Upvote 1
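Added here as a worked example (not code from either post or from the book's show_pdf.php): the same decision factored into one function so the login test runs before any file or database work, with the id validated strictly, the resolved path confirmed to lie inside the PDF directory, and the query parameterised. It assumes PDFS_DIR, $dbc and the session come from the site's includes as on the page; the 40-hex-character id rule and mysqlnd's get_result() are this example's own assumptions.

```php
<?php
// Added example: login check first, strict id check, contained path, bound query.
// Assumes $dbc (mysqli), PDFS_DIR and session_start() from the site's includes;
// the hex-only id rule and get_result() (needs mysqlnd) are assumptions.
function pdf_access(mysqli $dbc, string $pdfs_dir, ?string $id, array $session): array
{
    // 1. Authorisation first: anonymous visitors learn nothing about the file store.
    if (!isset($session['user_id'])) {
        return ['status' => 'login_required'];
    }
    // 2. Strict identifier check (assumed sha1-style: exactly 40 hex chars), which
    //    rules out "../", slashes and hidden-file names in one step.
    if ($id === null || !preg_match('/^[0-9a-f]{40}$/', $id)) {
        return ['status' => 'invalid'];
    }
    // 3. Resolve the path and confirm it still lies inside the PDF directory.
    $base = realpath($pdfs_dir);
    $file = realpath($pdfs_dir . DIRECTORY_SEPARATOR . $id);
    if ($base === false || $file === false || !is_file($file)
        || strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return ['status' => 'invalid'];
    }
    // 4. Prepared statement: the id is bound, never spliced into the SQL string.
    $stmt = $dbc->prepare('SELECT title, description, file_name FROM pdfs WHERE tmp_name = ?');
    $stmt->bind_param('s', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    if ($row === null) {
        return ['status' => 'invalid'];
    }
    return ['status' => 'ok', 'file' => $file, 'row' => $row];
}

$result = pdf_access($dbc, PDFS_DIR, $_GET['id'] ?? null, $_SESSION);
if ($result['status'] === 'ok') {
    header('Content-Type: application/pdf');
    // Reduce the stored name to safe characters so it cannot break the header.
    $name = preg_replace('/[^\w.\-]/', '_', $result['row']['file_name']);
    header('Content-Disposition: inline; filename="' . $name . '"');
    header('Content-Length: ' . filesize($result['file'])); // no trailing "\n"
    readfile($result['file']);
    exit();
}
// 'login_required' and 'invalid' fall through to the page's existing
// "must be logged in" / "accessed in error" output.
```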
