Hi,
I'd be grateful for a little help. I have a script which generates invoices as PDF files and stores above just above www level (so they cannot be access directly via a URL).
I would like users to be able to access their own invoices but nobody elses.
My script as it stands is as follows:
<?php
session_start();
if($_SESSION['auth']==false){
header("HTTP/1.0 404 Not Found");
exit();
}
$invoice_id = $_GET['vid'];
$user_id = $_SESSION['userid'];
if (is_numeric ($invoice_id))
{
require(db.php);
$q = $dbh->query(...);
$n = $q->fetchColumn();
if($n==1){
//output pdf
$filename = "../invoices" . $invoice_id . ".pdf";
header('Content-type: application/pdf');
header('Content-Disposition: attachment; filename="invoice.pdf"');
readfile($filename);
}
}I've posted a slimmed down the code here and changed a few variable names for security reasons but essentially its the same as what I'm working with.
The basic codes works. The problem arises when an authorised user calls the file. The PDF file is returned, it is not rendered correctly e.g. you see "%PDF-1.7 3 0 ...". I presume this is because session_start() acts like a header? Is there any way round this.
