Web Security (PHP) - Is it Secure to Download Files & Present Them with Headers to the End User?

by user1179459   Last Updated October 08, 2018 01:05 AM

I have a security question: I am not sure whether this approach is a safe and secure way to download a file and present it to a web user.

We have customers' invoice files stored in a server location (a publicly inaccessible location), and we read them via PHP code in a file (in a publicly accessible location), like below.

I just wonder:

  1. Is this way of presenting files to the end user secure enough?
  2. Will the end user have no knowledge at all of where the files are stored on the server?
  3. Are there any other recommendations on how to handle a similar situation?

    $i = $invoice->get();
    $filename = sprintf(INV_PDF_FILENAME,$i['customerid'],date('Ymd',$i['dateIssued']));
    $x = sprintf('/tmp/invoices/%s',$filename);
    header('Content-type: application/pdf');
    header('Content-Disposition: attachment; filename="'.$filename.'"');
    header('Expires: 0');
    header('Pragma: cache');
    header('Cache-Control: private');
    readfile($x);
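
A hardened variant of the handler in the question, as an added example that is not part of the original post: it checks that the invoice belongs to the logged-in customer, confines the resolved path to the storage directory, and returns the same 404 for missing and unauthorized files. `INVOICE_DIR`, the filename pattern, the function names and the session key are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumed storage root outside the web root (placeholder). The question uses
// /tmp/invoices; /tmp is typically shared with other local users.
const INVOICE_DIR = '/var/app-data/invoices';

// Map an invoice record ($invoice->get() in the question) to a servable path,
// or null if it must not be served.
function resolve_invoice_path(array $invoice, int $sessionCustomerId, string $baseDir = INVOICE_DIR): ?string
{
    // 1. Authorization: the record must belong to the logged-in customer.
    if (!isset($invoice['customerid'], $invoice['dateIssued'])
        || (int) $invoice['customerid'] !== $sessionCustomerId) {
        return null;
    }
    // 2. Build the name from typed values only (pattern is an assumption).
    $filename = sprintf('invoice_%d_%s.pdf', (int) $invoice['customerid'],
        date('Ymd', (int) $invoice['dateIssued']));
    // 3. Containment: the resolved path must stay under the storage root.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $filename);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($path) && is_readable($path) ? $path : null;
}

function send_invoice(array $invoice, int $sessionCustomerId): void
{
    $path = resolve_invoice_path($invoice, $sessionCustomerId);
    if ($path === null) {
        // Same reply for "missing" and "not yours": no path or existence leak.
        http_response_code(404);
        exit;
    }
    header('Content-Type: application/pdf');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    header('Cache-Control: private, no-store');
    readfile($path);
    exit;
}

// Hypothetical call site; the session key name is an assumption:
// send_invoice($invoice->get(), (int) $_SESSION['customer_id']);
```

The response headers carry only the file's base name, but the storage path can still reach the client through PHP warnings if `display_errors` is enabled, so keep it off in production.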
    

