I don’t know if there is a way for someone to potentially abuse this.

Question

0

Asked: June 12, 20262026-06-12T16:29:38+00:00 2026-06-12T16:29:38+00:00

I don’t know if there is a way for someone to potentially abuse this.

0

I don’t know if there is a way for someone to potentially abuse this. What is a workaround? I do not want someone to be able to abuse my server by downloading content this way.

There is an option to re-email a shipping label. I basically have it setup so there is no database work besides the preparation of the page. The only other method I can think of is to have the post variable the ID of the row and then pull the file name from there.

So, is it unsafe to have a filename as a post variable (that could potentially be tampered with)?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-06-12T16:29:39+00:00

Editorial Team

2026-06-12T16:29:39+00:00Added an answer on June 12, 2026 at 4:29 pm

It’s only unsafe if you’re going to do something like readfile() or include() on it.

Using the row ID would be better, but even with this you still need to consider if the user should be allowed to access the file (to avoid random id=1 id=2 id=3 testing).

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I don’t know if there is a way for someone to potentially abuse this.

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply