The best way to stop people from exploiting that script (especially if it's
just for attachments you want people to download) is just create a directory
specifically for the attachments, and have it coded in your script (ie,
unchangable in the variables)
That way you they can only download files from that directory, which presumably
is full of files for them to download anyway.
Doesn't require any access checking or anything, just lateral thinking.
I think your all going about it the wrong way.
The best way to stop people from exploiting that script (especially if it's just for attachments you want people to download) is just create a directory specifically for the attachments, and have it coded in your script (ie, unchangable in the variables)
That way you they can only download files from that directory, which presumably is full of files for them to download anyway.
Doesn't require any access checking or anything, just lateral thinking.
-ZuuL