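Please login to see that resource";
    $downloadPath = "./";

    // NOTE(review): the condition guarding this branch lies outside this
    // excerpt. The branch prints a login prompt and still sends a file, so
    // confirm that serving downloads here is intended.
    //
    // The raw query value was previously appended to $downloadPath as-is, which
    // lets a "../" sequence name a file outside the download directory unless
    // Send_File_To_Client() rejects it (not visible here). Reduce it to a bare
    // file name first, using the same steps as the branch below.
    $requested = (isset($_GET['file']) && is_string($_GET['file'])) ? $_GET['file'] : "";
    $segments = explode("/", $requested);
    $safeName = str_replace(array('\\', "'", '/'), "", end($segments));
    $safeName = str_replace('..', "", $safeName);

    // File Path & File
    if ($safeName !== "" && $safeName !== ".") {
        Send_File_To_Client($downloadPath . $safeName, $safeName);
    }
    die;
} else {
    // Set variables for the query since they're not automatically included
    $username = $_SESSION['username'];
    $app = "eld";
    $table = "users";
    $downloadPath = "./";

    // Raw request value. Do not echo this out unescaped, and do not use this
    // variable to read files. Read it behind isset()/is_string() so a missing
    // or array-valued "file" parameter becomes an empty string instead of a
    // notice or a type error further down.
    $unsafe_File_Name = (isset($_GET['file']) && is_string($_GET['file'])) ? $_GET['file'] : "";

    // If there is a file specified, let's try to fetch it
    if ($unsafe_File_Name !== "") {
        // Keep only the last "/"-separated segment so the request cannot name
        // a directory of its own choosing.
        $segments = explode("/", $unsafe_File_Name);
        $escaped_filename = end($segments);

        // Strip backslashes, apostrophes and slashes BEFORE removing "..".
        // In the earlier order the apostrophe was removed after "..", so an
        // input such as .'. was turned back into ".." by the later step.
        $escaped_filename = str_replace(array('\\', "'", '/'), "", $escaped_filename);
        $escaped_filename = str_replace('..', "", $escaped_filename);

        // Set this so that the filename shows when we send it
        $displayName = $escaped_filename;

        // This is the full path to the file
        $filename = $downloadPath . $escaped_filename;

        // Does the file even exist? is_file() rather than file_exists(): an
        // empty or "." name resolves to the download directory itself, which
        // exists but must never be handed to Send_File_To_Client().
        if ($escaped_filename === "" || $escaped_filename === "." || !is_file($filename)) {
            // Debugging aid only: never echo $escaped_filename or the raw
            // value without HTML-escaping it.
            // Give this message on why the file doesn't exist
            echo "Sorry: " . htmlentities($unsafe_File_Name) . " Does Not Exist Here";
            die;
        }

        // If we got past all of the above
        Send_File_To_Client($filename, $displayName);
    }
    // Display a list of all of the files, nicely organized
    else {
?>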

J. Murrey Atkins Library - ELD

Manage Folders | Upload Files | Logout
  Name Uploaded Size