Skip to main content
A
Anonymous
March 10, 2011
Question

Issues with downloading files

  • March 10, 2011
  • 2 replies
  • 769 views

HI

I am quite new to all the web development stuff.

I have found these forums very useful, so now i am hoping you guys/girls may be able to help me.

I have created a document storage area within my site, the documents are stored in a database (BLOB format) and all works fine, i can upload and store documents with no problems, but the issue is around the download.

Although it works, i am having problems protecting it.

the download script works by accessing the database based on a document index, the page that contains the document list and indexes is protected, using the restrict access to page server behaviour, it calls the download script using an index variable.

but.. the download script is not protected, when i try to add the same server behaviour the download fails, IE says its trying to downlaod teh script, and that the site can not be found.

without the behaviour if someone knew the name of the php script they could just add the index variable and number and they could download any document

below is the download code, which works fine, i am assuming its because IE tries to start a second session to download the file, so the session variables that the server behaviour uses are not set...

Any suggestions

Thanks

<?php require_once('Connections/connTracker.php'); ?>
<?php
// if id is set then get the file with the id from database

if(isset($_GET['docindex']))
           {$id    = $_GET['docindex'];
           $query = "SELECT document_name, document_type, document_size, document_content " .
           "FROM tracker_documents WHERE document_index = ".$id;
           $result = mysql_query($query) or die('Error, query failed');
           list($name, $type, $size, $content) = mysql_fetch_array($result);
           header("Content-length: $size");
           header("Content-type: $type");
           header("Content-Disposition: attachment; filename=$name");
           echo html_entity_decode ($content);}
exit;
?>

This topic has been closed for replies.

2 replies

A
Anonymous
March 11, 2011

According to your unsanitized variable of URL parameter in your query anyone can enter an injection attack in URL parameter by entering the following URL

www.your-website.com/your_download_page.php?docindex=0'; DROP TABLE tracker_documents; --

By entering that URL a hacker can run a query from your script and dump your database table! They can continue to dump other tables in your database if so inclined. My advice is that you educate yourself on injection attacks.

A
Anonymous
March 11, 2011

Gunter, thank you for your help, buit the server behaviour actually inserts this exact same code, for some reaon when i try to download, the bowser can not deal with it, remove the behaviour and its fine

The shocker

I am well aware of injection attacks...

this was not the sort of help i was looking for.

A
Anonymous
March 11, 2011
I am quite new to all the web development stuff.
I am well aware of injection attacks...

Which is it, dude. Are you quite new or well aware? It's not all about you anyway. Other beginners looking for a download script that come across your post thinking they're obtaining a secure script should be advised that your script is most certainly unsecure.

Günter_Schenk
Günter_Schenk
Inspiring
March 11, 2011

I guess that a simple workaround will suffice:

// if both the URL variable 'id' and the Session Variable 'MM_user_id' are set, then get the file with the id from database, otherwise display a blank page

if (isset($_GET['docindex']) && isset($_SESSION['MM_user_id']))

In addition to this add...

if (!isset($_SESSION)) {

  session_start();

}

...@ line one

Terms & ConditionsAccessibility statement
Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices