Downloads

[Skull]

well here's a script I created for the download section on my site, it basically checks if they're logged in, if they are logged in it'll carry on, if not they'll go to the log in page. Then once thats done it'll check if the file exists, if it doesn't it'll return an error, if not it'll carry on. Then it'll check if you have access to that area, if you don't it'll return an error, if not it'll carry on.

PHP Code:

if($_COOKIE['username'] == ""){
header("Location: login.php");
}else{
$file = $_REQUEST['type']."/".$_REQUEST['area']."/".$_REQUEST['filename'];
if(file_exists($file)){
$shortname=basename($file);
$size=filesize($file);
//set header
header("Content-Type: application/save");  
header("Content-Length: $size");
header("Content-Disposition: attachment; filename=$shortname");
header("Content-Transfer-Encoding: binary");
//start transfer
    $dbh=mysql_connect ("localhost", "xxxxxx", "xxxxxx") or die ('I cannot connect to the database.');
    mysql_select_db ("xxxxxxx");
$SQL = "SELECT * FROM download_users where username='".$_COOKIE['username']."'";
        $result = @mysql_query($SQL) or die(mysql_error());
    while($row = @mysql_fetch_array($result)) {
    $status = $row['status'];
    $email = $row['email'];
    }
if(($status == "Public")&&($_REQUEST['area'] == "private")){
echo "<strong>Error:</strong>
You are not allowed to access this file.<br>
An E-mail has been sent to the admin informing him of this.
If you try to get into files you aren't allowed to access again your account will be terminated";
$message = "".$_COOKIE['username']." has attempted to download files from the private area.
$file
Its up to you what you want to do now";

$sender = "webmaster@ewewrestling.com";


mail("$sender", "EWE Downloads Error", $message,
     "From: $email\r\n"
    ."Reply-To: $sender\r\n"
    ."X-Mailer: PHP/" . phpversion());
}else{
$handler=fopen("$file","r");
fpassthru($handler);


    $date = date("l, d F Y h:i a");
        $SQL = "INSERT INTO downloads
  (filename,size,username,date) VALUES('$shortname','$size','$username','$date')";
          $result = @mysql_query($SQL) or die(mysql_error());
exit;
}
}else{
echo "<strong>Error:</strong>
File Does Not Exist<br>
An e-mail has been sent to the admin informing him of this.";
$message = "".$_COOKIE['username']." has attempted to download files from the download section that don't exist.
$file
Its up to you what you want to do now";

$sender = "webmaster@ewewrestling.com";


mail("$sender", "EWE Downloads Error", $message,
     "From: $email\r\n"
    ."Reply-To: $sender\r\n"
    ."X-Mailer: PHP/" . phpversion());

}
}


any improvments anyone can see that can be done to it, or anything that can make the code itself shorter?

[LordShryku]

Well, I'll give it a good looking over tomorrow, the first two things that stick out to me are:

1) The indention is whacked. Could use some fixing.
2) On your insert statement, you're putting in $username, which up to this point has been reffered to as $_COOKIE['username']. I don't see it ever being defined to $username. Of course, maybe I'm just missing it.

[Skull]

PHP Code:

if($_COOKIE['username'] == "")
    {
        header("Location: login.php");
    }else
        {
            $file = $_REQUEST['type']."/".$_REQUEST['area']."/".$_REQUEST['filename'];
        
            if(file_exists($file))
                {
                    $shortname=basename($file);  
                    $size=filesize($file);  
                    
                    //set header
                    header("Content-Type: application/save");   
                    header("Content-Length: $size");  
                    header("Content-Disposition: attachment; filename=$shortname");  
                    header("Content-Transfer-Encoding: binary");  
                    
                    //start transfer
                    $dbh=mysql_connect ("localhost", "xxxxxx", "xxxxxx") or die ('I cannot connect to the database.');
                    mysql_select_db ("xxxxxxx");
                    
                    $SQL = "SELECT * FROM download_users where username='".$_COOKIE['username']."'";
                    $result = @mysql_query($SQL) or die(mysql_error());
                    while($row = @mysql_fetch_array($result))
                        {  
                            $status = $row['status'];
                            $email = $row['email'];
                        }
                        
                    if(($status == "Public")&&($_REQUEST['area'] == "private"))
                        {
                            echo "<strong>Error:</strong>
                            You are not allowed to access this file.<br>
                            An E-mail has been sent to the admin informing him of this.
                            If you try to get into files you aren't allowed to access again your account will be terminated";
                            $message = "".$_COOKIE['username']." has attempted to download files from the private area.
                            $file  
                            Its up to you what you want to do now";
                    
                            $sender = "webmaster@ewewrestling.com";
                    
                    
                            mail("$sender", "EWE Downloads Error", $message,
                            "From: $email\r\n"
                            ."Reply-To: $sender\r\n"
                            ."X-Mailer: PHP/" . phpversion());
                            }
                        else
                            {
                                $handler=fopen("$file","r");  
                                fpassthru($handler);  
                            
                            
                                $date = date("l, d F Y h:i a");
                                $SQL = "INSERT INTO downloads
                                (filename,size,username,date) VALUES('$shortname','$size',".$_COOKIE['username'].",'$date')";
                                $result = @mysql_query($SQL) or die(mysql_error());
                                exit;
                            }
                }else
                    {
                        echo "<strong>Error:</strong>
                        File Does Not Exist<br>
                        An e-mail has been sent to the admin informing him of this.";
                        $message = "".$_COOKIE['username']." has attempted to download files from the download section that don't exist.
                        $file
                        Its up to you what you want to do now";
                    
                        $sender = "webmaster@ewewrestling.com";
                    
                    
                        mail("$sender", "EWE Downloads Error", $message,
                         "From: $email\r\n"
                        ."Reply-To: $sender\r\n"
                        ."X-Mailer: PHP/" . phpversion());
                    
                    }  
        }


i'm not the best at indenting but I fixed it up a little

[Jedi Legend]

It's basically pointless to have login with that code. I could download from your site without registering. All I would need is to fake a cookie named username. I've never faked a cookie before, but back when I was writing a security system using cookies back in the day, I was told it's pretty easy.

In fact, I could even put someone else's username in there.

[Skull]

so how can I get around that then? Sessions?

[Tristan Wells]

Quote:

Originally posted by Skull
so how can I get around that then? Sessions?

Still just as risky. Sessions which aren't secured can be hacked mearly by adding the session id onto the url. And secured sessions wont work in AOL.

[pjleonhardt]

for added security you might want to hold an md5() password in a cookie, and check that against the database as well.