
Hi,

I'd be grateful for a little help. I have a script which generates invoices as PDF files and stores them just above www level (so they cannot be accessed directly via a URL).

I would like users to be able to access their own invoices but nobody else's.

My script as it stands is as follows:

<?php

session_start();

// Unauthenticated sessions get a 404 rather than a hint that the resource exists.
if (empty($_SESSION['auth'])) {
    header("HTTP/1.0 404 Not Found");
    exit();
}

$invoice_id = $_GET['vid'] ?? '';
$user_id    = $_SESSION['userid'];

if (is_numeric($invoice_id))
{
    require('db.php');

    $q = $dbh->query(...);   // query text elided by the poster
    $n = $q->fetchColumn();

    if ($n == 1) {

        // output pdf

        $filename = "../invoices/" . $invoice_id . ".pdf";

        header('Content-type: application/pdf');
        header('Content-Disposition: attachment; filename="invoice.pdf"');
        readfile($filename);

    }

}

I've posted a slimmed-down version of the code here and changed a few variable names for security reasons, but essentially it's the same as what I'm working with.

The basic code works. The problem arises when an authorised user calls the file. The PDF file is returned, but it is not rendered correctly, e.g. you see "%PDF-1.7 3 0 ...". I presume this is because session_start() acts like a header? Is there any way round this?


Try

<?php ob_start(); ?>

to turn on output buffering (should be the 1st line of your code) and

<?php ob_flush(); ?>

as the last line to flush the buffered output.


Just to clarify, like so?

<?php
ob_start();

// .. all my other code

ob_flush();

?>

If so, no joy :(


Hmm.. I tried your code snippet and it worked fine. There is one thing I'd always do after sending a header: an exit. This might or might not fix the problem, but try having an exit after the readfile function. :-/


Ah ha, that does fix it :P.

It was appearing not to work due to another error, which I've now fixed: a dodgy URL rewrite.

thank you.
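The fix the thread settles on, an exit straight after readfile(), works because any byte emitted after the PDF data (the newline that follows a closing ?> tag, template output, a debug echo) is appended to the download and corrupts it, while any byte emitted before the first header() call, such as whitespace ahead of <?php, prevents the Content-type header from being set at all and makes the browser show the raw "%PDF-1.7 ..." text. Below is an added example of the whole script hardened the way a reviewer would want it, not the original poster's code. It assumes a PDO handle $dbh provided by db.php, a table invoices(id, user_id), and PDFs stored as ../invoices/<id>.pdf one level above the document root; those names are assumptions, not taken from the thread. Beyond the thread's exit, it also tightens the id check (is_numeric() accepts values such as "1e3", "5.0" and leading whitespace), binds the ownership query to the session's user id with a prepared statement, and confirms the resolved file path stays under the invoices directory.

```php
<?php
// Added example, not the original poster's script.
// Assumptions: db.php defines a PDO instance $dbh; a table invoices(id, user_id)
// records who owns each invoice; PDFs live at ../invoices/<id>.pdf, above the
// document root so they are never served directly by the web server.
declare(strict_types=1);

session_start();

// Reject unauthenticated requests before looking at any client input.
// A 404 (as in the original) avoids confirming that the invoice exists.
if (empty($_SESSION['auth']) || empty($_SESSION['userid'])) {
    http_response_code(404);
    exit;
}

// Accept only a plain decimal integer id. is_numeric() is too permissive here:
// it also passes "1e3", "5.0", " 7" and similar, which then reach the file path.
$raw = $_GET['vid'] ?? '';
if (!is_string($raw) || !preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
    http_response_code(404);
    exit;
}
$invoice_id = (int) $raw;
$user_id    = (int) $_SESSION['userid'];   // from the session, never from the request

require __DIR__ . '/db.php';               // assumed to provide $dbh (PDO)

// Ownership check: the invoice must belong to the logged-in user.
$stmt = $dbh->prepare(
    'SELECT COUNT(*) FROM invoices WHERE id = :id AND user_id = :uid'
);
$stmt->execute([':id' => $invoice_id, ':uid' => $user_id]);
if ((int) $stmt->fetchColumn() !== 1) {
    http_response_code(404);
    exit;
}

// Build the path from a fixed base directory and verify the resolved path
// is still inside it (defence in depth on top of the integer-only id).
$base = realpath(__DIR__ . '/../invoices');
$path = $base === false ? false : realpath($base . '/' . $invoice_id . '.pdf');
if ($path === false
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0
    || !is_file($path)) {
    http_response_code(404);
    exit;
}

// Throw away anything already buffered (e.g. stray whitespace before <?php)
// so the very first byte the client receives is "%PDF".
while (ob_get_level() > 0) {
    ob_end_clean();
}

header('Content-Type: application/pdf');
header('Content-Length: ' . (string) filesize($path));
header('Content-Disposition: attachment; filename="invoice-' . $invoice_id . '.pdf"');
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');

readfile($path);
exit;   // nothing may follow the PDF bytes; omit any trailing ?> for the same reason
```

Content-Length lets the browser detect a truncated or padded response instead of rendering garbage, and leaving out the closing ?> tag removes the most common source of a stray trailing newline. If the script is reached through a URL rewrite, as in the thread, make sure the rewrite rule itself does not emit a redirect or body before this script runs.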
