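// Streams a PDF from STORAGE_DIR to an authenticated user, selected by the
// `filename` query parameter; unauthenticated requests are redirected to
// LOGIN_PAGE. Fixes versus the previous version: the regex now has delimiters
// (without them `[`/`]` were taken as the delimiter pair and the filter never
// matched), the existence check tests `$file` rather than the bare constant
// `file`, the extension is appended with its dot, and a missing or empty
// parameter no longer resolves to STORAGE_DIR . '.pdf'.
if ($logged_in) {
    // Allowlist: keep only [A-Za-z0-9]. One regex replaces the earlier chain of
    // str_replace() calls for '.', '/' and '%00' — every one of those bytes is
    // outside the allowlist, so path segments, traversal and encoded NULs are
    // all removed here in a single pass.
    $requested = (string) ($_GET['filename'] ?? '');
    $temp_file = preg_replace('/[^A-Za-z0-9]/', '', $requested) ?? '';

    // The sanitised name carries no dot, so the extension must bring its own.
    $file = STORAGE_DIR . $temp_file . '.pdf';

    // is_file() rather than file_exists(): a directory must never be streamed.
    // As before, a missing file falls through to whatever follows this block.
    if ($temp_file !== '' && is_file($file)) {
        header('Content-Description: File Transfer');
        header('Content-Type: application/octet-stream');
        // Quoted so the value is a single token; the name is alphanumeric + '.pdf'.
        header('Content-Disposition: attachment; filename="' . basename($file) . '"');
        header('X-Content-Type-Options: nosniff');
        header('Content-Transfer-Encoding: binary');
        header('Expires: 0');
        header('Cache-Control: must-revalidate');
        header('Pragma: public');
        header('Content-Length: ' . filesize($file));
        // Discard any buffered output so the body is exactly the file bytes
        // announced in Content-Length; ob_clean() on an empty stack only warns.
        if (ob_get_level() > 0) {
            ob_end_clean();
        }
        readfile($file);
        exit;
    }
} else {
    header('Location: ' . LOGIN_PAGE);
    exit;
}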