Hello, I'm new to PHP and have googled around but still cannot find answers to my questions on this script. Please help me.

Similar to the poster I got this error:

Parse error: syntax error, unexpected T_STRING in /home/bfplanet/public_html/download/download.php on line 19

This is line 19:

if (substr($file, 0, 1) == '.' ¦¦ strpos($file, '..') > 0 ¦¦ substr($file, 0, 1) == '/' ¦¦ strpos($file, '/') > 0){

Questions:

1 - Why does that error appear?
2 - After commenting out the error, the script says "no file found" even when I pass in me.zip. Currently it is stored on www.test.com/me.zip. Where should this file be stored?
3 - I tried using the recommended usage but still to no avail.

Script location - http://www.webmasterworld.com/php/3580368.htm

PHP:
<?php
// Usage: <a href="download.php?file=test.txt&category=test">Download</a>

// Path to downloadable files (will not be revealed to users so they will never know your file's real address)
$hiddenPath = "secretfiles/";

// VARIABLES
if (!empty($_GET['file'])){
    $file = str_replace('%20', ' ', $_GET['file']);
    $category = (!empty($_GET['category'])) ? $_GET['category'] . '/' : '';
}
$file_real = $hiddenPath . $category . $file;
$ip = $_SERVER['REMOTE_ADDR'];

// Check to see if the download script was called
if (basename($_SERVER['PHP_SELF']) == 'download3.php'){
    if ($_SERVER['QUERY_STRING'] != null){
        // HACK ATTEMPT CHECK
        // Make sure the request isn't escaping to another directory
        if (substr($file, 0, 1) == '.' ¦¦ strpos($file, '..') > 0 ¦¦ substr($file, 0, 1) == '/' ¦¦ strpos($file, '/') > 0){
            // Display hack attempt error
            echo("Hack attempt detected!");
            die();
        }

        // If requested file exists
        if (file_exists($file_real)){
            // Get extension of requested file
            $extension = strtolower(substr(strrchr($file, "."), 1));

            // Determine correct MIME type
            switch($extension){
                case "asf":  $type = "video/x-ms-asf"; break;
                case "avi":  $type = "video/x-msvideo"; break;
                case "exe":  $type = "application/octet-stream"; break;
                case "mov":  $type = "video/quicktime"; break;
                case "mp3":  $type = "audio/mpeg"; break;
                case "mpg":  $type = "video/mpeg"; break;
                case "mpeg": $type = "video/mpeg"; break;
                case "rar":  $type = "encoding/x-compress"; break;
                case "txt":  $type = "text/plain"; break;
                case "wav":  $type = "audio/wav"; break;
                case "wma":  $type = "audio/x-ms-wma"; break;
                case "wmv":  $type = "video/x-ms-wmv"; break;
                case "zip":  $type = "application/x-zip-compressed"; break;
                default:     $type = "application/force-download"; break;
            }

            // Fix IE bug [0]
            $header_file = (strstr($_SERVER['HTTP_USER_AGENT'], 'MSIE')) ? preg_replace('/\./', '%2e', $file, substr_count($file, '.') - 1) : $file;

            // Prepare headers
            header("Pragma: public");
            header("Expires: 0");
            header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
            header("Cache-Control: public", false);
            header("Content-Description: File Transfer");
            header("Content-Type: " . $type);
            header("Accept-Ranges: bytes");
            header("Content-Disposition: attachment; filename=\"" . $header_file . "\";");
            header("Content-Transfer-Encoding: binary");
            header("Content-Length: " . filesize($file_real));

            // Send file for download
            if ($stream = fopen($file_real, 'rb')){
                while(!feof($stream) && connection_status() == 0){
                    // reset time limit for big files
                    set_time_limit(0);
                    print(fread($stream, 1024*8));
                    flush();
                }
                fclose($stream);
            }
        }else{
            // Requested file does not exist (File not found)
            echo("Requested file does not exist");
            die();
        }
    }
}
?>
Well, you're not using the correct OR modifier:

PHP:
if (substr($file, 0, 1) == '.' || strpos($file, '..') > 0 || substr($file, 0, 1) == '/' || strpos($file, '/') > 0){

Notice that || is different from ¦¦.
If you're using PHP 5 just use the word 'or':

PHP:
if (substr($file, 0, 1) == '.' or strpos($file, '..') > 0 or substr($file, 0, 1) == '/' or strpos($file, '/') > 0){
Thanks for the tips! So one more follow-up question. Once I have this working, will it prevent people from accessing the file linked on a message board using a direct URL like:

www.testsite.com/download.php?file=test.txt&category=test

The reason I ask is because I'm confused by this line:

if (basename($_SERVER['PHP_SELF']) == 'download3.php'){
    if ($_SERVER['QUERY_STRING'] != null){

From what I can tell, $_SERVER['PHP_SELF'] would return download.php. So in all cases it would never return download3.php. So every time it would be a hack message. Thoughts?
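The directory-escape check from the first post and the self-name check asked about in the last post, written as a hardened download handler. This is an added example, not code from this thread or from the webmasterworld script; it assumes PHP 7.1 or later, the same `secretfiles/` directory beside the script, the same `file` and `category` query parameters, and the function names `resolve_download_path` and `mime_type_for`, which are chosen here. Two things differ from the original by design: `$category` is validated too (the original only inspects `$file` and appends `$category` to the path unchecked), and the containment test is done on the `realpath()` result rather than on the raw string, so symlinks and any `..` that the string checks miss are caught. The `basename($_SERVER['PHP_SELF']) == 'download3.php'` comparison is dropped: it only tests what the script file happens to be called and contributes nothing to access control.

```php
<?php
// Added example (not the thread's script): a hardened version of the
// download handler. Assumes PHP 7.1+, files stored in "secretfiles/" next to
// this script, and the same "file" and "category" query parameters.

// Absolute, normalised download root. realpath() returns false if missing.
$hiddenPath = realpath(__DIR__ . '/secretfiles');
if ($hiddenPath === false) {
    http_response_code(500);
    exit('Download directory is not configured');
}

// Resolve a request to an absolute path inside $baseDir, or return null.
// Both parts are validated; the original script only looked at $file and
// passed $category through untouched.
function resolve_download_path(string $baseDir, string $category, string $file): ?string
{
    // A conservative allowlist rejects "/", "\", NUL bytes and encoding
    // tricks before any filesystem call; ".." is rejected explicitly.
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $file) || strpos($file, '..') !== false) {
        return null;
    }
    if ($category !== '' && !preg_match('/^[A-Za-z0-9_-]+$/', $category)) {
        return null;
    }

    $candidate = $baseDir . DIRECTORY_SEPARATOR
        . ($category !== '' ? $category . DIRECTORY_SEPARATOR : '')
        . $file;

    // realpath() follows symlinks and collapses "." and ".."; the prefix
    // comparison afterwards catches a symlink that points outside the root.
    $real = realpath($candidate);
    if ($real === false || !is_file($real)) {
        return null;
    }
    if (strncmp($real, $baseDir . DIRECTORY_SEPARATOR, strlen($baseDir) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Map an extension to a MIME type; anything unknown is served as a generic
// binary so the browser never tries to render it inline.
function mime_type_for(string $path): string
{
    static $map = [
        'txt'  => 'text/plain',
        'zip'  => 'application/zip',
        'mp3'  => 'audio/mpeg',
        'mpg'  => 'video/mpeg',
        'mpeg' => 'video/mpeg',
        'avi'  => 'video/x-msvideo',
        'wav'  => 'audio/wav',
    ];
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return $map[$ext] ?? 'application/octet-stream';
}

// $_GET values are already URL-decoded; reject arrays (file[]=x) outright.
$file     = isset($_GET['file']) && is_string($_GET['file']) ? $_GET['file'] : '';
$category = isset($_GET['category']) && is_string($_GET['category']) ? $_GET['category'] : '';

$path = resolve_download_path($hiddenPath, $category, $file);
if ($path === null) {
    // One generic answer for "missing" and "rejected": no hint about
    // which check failed or where the files live.
    http_response_code(404);
    exit('Requested file does not exist');
}

header('Content-Type: ' . mime_type_for($path));
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
// basename() plus quote stripping keeps the served name from carrying
// separators or extra header parameters into Content-Disposition.
$downloadName = str_replace('"', '', basename($path));
header('Content-Disposition: attachment; filename="' . $downloadName . '"');
readfile($path);
```

With this layout a request for `download.php?file=me.zip` is served only if `secretfiles/me.zip` exists beside the script, and `download.php?file=me.zip&category=test` only if `secretfiles/test/me.zip` does; a file living at the web root, as in the question, is outside `$hiddenPath` and gets the same 404 as a rejected name. Keeping the directory outside the document root (or denying direct access to it in the web server) is what stops the message-board link from bypassing the script entirely: the script can only control requests that go through it.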