Gnahzllib

Reputation: 101

creating a download link with PHP

I was reading PHP Solutions and came across these lines of code which confused me, and it would be great if someone could help me figure out the meaning.

// define error page
$error = 'http://localhost/phpsols/error.php';
// define the path to the download folder
$filepath = 'C:/xampp/htdocs/phpsols/images/';

$getfile = NULL;

// block any attempt to explore the filesystem
if (isset($_GET['file']) && basename($_GET['file']) == $_GET['file']) {
    $getfile = $_GET['file'];
} else {
    header("Location: $error");
    exit;
}

On the 7th line of code, why would basename($_GET['file']) not be equal to $_GET['file']?

Upvotes: 1

Views: 74

Answers (2)

Quentin

Reputation: 943097

On the 7th line of code, why would basename($_GET['file']) not be equal to $_GET['file']?

Because $_GET['file'] included path separator characters.

Upvotes: 0

drew010

Reputation: 69927

If someone passed something like http://example.com/file.txt or path/file.txt or ../../../../etc/hosts to $_GET['file'] then the basename would not match.

basename($file) == $file will only be true when a value with no path (just a file name) is given.

Upvotes: 3
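
The check discussed in the answers above, run over sample inputs, as an added example that is not from the book or from either answer. The function name resolve_download(), the temporary folder and the sample values are assumptions made for illustration. It also rejects values the comparison alone accepts (empty string, "." and "..") and confirms the resolved file sits directly in the download folder.

```php
<?php
// Added example: the question's basename() test wrapped in a function, plus
// extra checks. resolve_download() and the sample names are hypothetical.

function resolve_download($input, string $dir): ?string
{
    // ?file[]=x arrives as an array; basename() needs a string.
    if (!is_string($input) || $input === '' || $input === '.' || $input === '..') {
        return null;
    }
    // The check from the question: any path component changes the value.
    if (basename($input) !== $input) {
        return null;
    }
    // Resolve links and confirm the target is a regular file inside $dir.
    $base = realpath($dir);
    $full = realpath($dir . DIRECTORY_SEPARATOR . $input);
    if ($base === false || $full === false || !is_file($full)) {
        return null;
    }
    return dirname($full) === $base ? $full : null;
}

// Constructed download folder with one file, so the script runs anywhere.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dl_demo_' . getmypid();
@mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'photo.jpg', 'demo');

// Constructed inputs, including the three named in the answer above.
$samples = [
    'photo.jpg',
    'http://example.com/file.txt',
    'path/file.txt',
    '../../../../etc/hosts',
    '..',
    '',
    ['photo.jpg'],
    'missing.jpg',
];

foreach ($samples as $s) {
    $ok = resolve_download($s, $dir) !== null;
    printf("%-34s %s\n", json_encode($s, JSON_UNESCAPED_SLASHES), $ok ? 'served' : 'rejected');
}

unlink($dir . DIRECTORY_SEPARATOR . 'photo.jpg');
rmdir($dir);
```

Only photo.jpg is served; every other sample is rejected before any file is read.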
