2012-11-09 118 views
0

我在寫一個基本的許可證驗證的PHP下載腳本。目標文件大約50MB,適用於某些文件。其他人無法完成它,有時會重試它。PHP文件下載站點

下面是腳本:

$method = $_GET['method']; 
    if($method == "webdownload") { 
     $airlineid = $_GET['airline']; 

     $sql = "SELECT * FROM airlines WHERE airlineid='$airlineid'"; 
     $result = mysql_query($sql) or die(mysql_error()); 
     $row = mysql_fetch_array($result); 
     if($row['licensekey'] == "") 
      die("Invalid airline id"); 

     $filename = $row['code'].'_installer.exe'; 
     $file_path = '../resources/application/files/'.$row['airlineid'].'/'.$row['clientversion'].'/application_installer.exe'; 
     if($row['licensestate'] != "OK") 
      die("The license associated with this downloaded has been deauthorized."); 

     if(!is_file($file_path)) 
      die("The file associated with this version for this airline appears to be invalid."); 
     //download code here - it runs once only, if refreshed it will not allow it.     

     header('Content-type: application/exe'); 
     header("Content-Disposition: attachment; filename=".$filename); 
     header("Content-Length: ".filesize($file_path)); 
     header("Content-Transfer-Encoding: binary");  

     header('Cache-Control: must-revalidate, post-check=0, pre-check=0'); 
     header('Pragma: public'); 

     //header('X-Sendfile: '.$file_path); I tried this - it had no effect and I want the portability. 

     $file = @fopen($file_path,"rb"); 
     while(!feof($file)) {   
      $buffer = fread($file, 1024 * 8); 
      print($buffer); 
      flush();    
     } 
     close($file);  
    } 

編輯:經諮詢,我發現劇本,等等,是很容易受到SQL注入。我用這個函數替換了直接變量SQL表達式:

 function secure_string($raw) { 
    $sid = strtolower($raw); 
    $sid = str_replace("'","_SINGLE_QUOTE", $sid); 
    $sid = str_replace('"','_DOUBLE_QUOTE', $sid); 


    $cmd[0] = "insert"; 
    $cmd[1] = "select"; 
    $cmd[2] = "union"; 
    $cmd[3] = "delete"; 
    $cmd[4] = "modify"; 
    $cmd[5] = "replace"; 
    $cmd[6] = "update"; 
    $cmd[7] = "create"; 
    $cmd[8] = "alter"; 


    for($index = 0; $index <= 8; $index++) { 
     $sid = str_replace($cmd[$index],"_SQL_COMMAND", $sid); 
    } 

    return $sid;   
} 

這足以阻止SQL注入嗎?

EDIT2:我已經使用這個函數與PDO準備函數一起消除這個漏洞。感謝100x讓我學到這一課而不會造成災難性的結果。

+2

快速問題,當我輸入''或1 = 1'作爲航空公司查詢字符串參數時會發生什麼? – acqu13sce

+0

立即,沒有。但是,我查了一下,當使用'或'1'='1(因爲它寫在那裏)作爲參數時,它下載了列表中的第一個文件。我有一個小心臟病發作。我想我明天會花費我的SQL注入漏洞。好,趕快,謝謝。 –

+0

從我的示例sql注入結束時,我錯過了'--',當時我注意到我無法編輯我的評論。我建議你看看PDO和參數化查詢,以此作爲防止此類攻擊的簡單方法 – acqu13sce

回答

0

readfile()是一個將整個文件一次放入緩衝區的函數。可能會阻止PHP超時。用它代替底部的fopen()print()循環。

另一種解決方案是看看你的服務器是否有mod_x_sendfile,因爲這需要從PHP下載並進入apache內部。

編輯:我注意到你說你已經嘗試過sendfile。如果你能得到它的工作可能是一個更好的選擇。