DaniWeb IT Discussion Community


Ragnarok May 28th, 2004 2:40 pm
Checking for going up a Directory
 
I have been working on a flatfile and directory system in PHP and now that I have got the script working I want to make it more secure. What I have is one directory with sub-directories inside it and inside the subdirectories are about 20 files each.

For example:

directory/
          sub1/
          sub2/

When the script is working out what directory to open it works like this:

directory/$subNum/$filename

What I want to be able to do is stop people from going down directories (../../filename) because this could be a big security risk. What I want to know is if there is a better way than !preg_match('../',$filename).

cscgal Jun 5th, 2004 10:34 pm
Re: Checking for going up a Directory
 
I would think that would suffice. Does anyone here think that it would still be a security risk? The only thing I could see still being a problem is that someone could still manually enter the directory URL into their browser for access to the files.

Arizona Web Jun 6th, 2004 1:07 am
Re: Checking for going up a Directory
 
Don't do that. Put the flat file above the web root. I'm not sure of your hosting environment, but most Linux setups allow you to access files above the web root with your scripts.

If there is no way to do that in your situation, then yes, block them with your script since it is already written. But also, change the file perms so only your scripts can access it, and use .htaccess to block access to those files from everybody except your scripts and/or the owner of the files.

Ragnarok Jun 6th, 2004 2:05 pm
Re: Checking for going up a Directory
 
There is a slight problem with that: the fact that I am making it an open source script.

ciberwing Jan 22nd, 2009 5:45 pm
Re: Checking for going up a Directory
 
Hi,
I have been working with a similar script and I have solved this security issue by doing a 'string replace' on the URL:

str_replace('..','',$requested_url);

It works like a charm.

;)

Yayo_SK Jan 24th, 2009 5:22 pm
Re: Checking for going up a Directory
 
If you need to know something about security, read these books:

http://eu.wiley.com/WileyCDA/WileyTi...470857447.html

or

http://www.amazon.co.uk/Architects-G...2831903&sr=8-2

or

http://phpsec.org/projects/guide/
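
Added example, not part of any post in this thread: for the directory/$subNum/$filename layout described in the first post, one way to go beyond a '../' blocklist is to allowlist each path component and then confirm that the canonical path from realpath() still sits inside the base directory. The function name resolve_flatfile, the sub<N> folder naming, the filename pattern and the demo files are assumptions made for illustration.

```php
<?php
// Added example; resolve_flatfile() and the demo paths are hypothetical.

/**
 * Resolve $baseDir/sub<N>/<filename> and return the canonical path only if
 * it is a regular file inside $baseDir. Returns null for anything else.
 */
function resolve_flatfile(string $baseDir, string $subNum, string $filename): ?string
{
    // Allowlist each component instead of blocklisting '../'.
    // \A and \z anchor the whole string (no trailing-newline surprise).
    if (!preg_match('/\A[0-9]+\z/', $subNum)) {
        return null;
    }
    if (!preg_match('/\A[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)?\z/', $filename)) {
        return null;
    }

    // realpath() collapses '..' and follows symlinks; false if missing.
    $base = realpath($baseDir);
    $real = realpath($baseDir . '/sub' . $subNum . '/' . $filename);
    if ($base === false || $real === false) {
        return null;
    }

    // Containment check on the canonical path (also stops symlink escapes).
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($real) ? $real : null;
}

// Constructed demo tree: one legitimate file and one file outside the base.
$root = sys_get_temp_dir() . '/flatfile_demo_' . getmypid();
@mkdir($root . '/directory/sub1', 0700, true);
file_put_contents($root . '/directory/sub1/page.txt', 'hello');
file_put_contents($root . '/secret.txt', 'outside');

// Constructed requests: a normal one, then traversal-style variants.
$requests = [
    ['1', 'page.txt'],
    ['1', '../../secret.txt'],
    ['1/..', 'page.txt'],
    ['1', '..%2f..%2fsecret.txt'],
    ['1', "page.txt\0.jpg"],
];
foreach ($requests as [$sub, $file]) {
    $path = resolve_flatfile($root . '/directory', $sub, $file);
    printf("%-8s %-26s => %s\n", json_encode($sub), json_encode($file),
        $path === null ? 'rejected' : 'served');
}
```

Because the check needs only the script's own base directory, it still works when the script is distributed to hosts where the data cannot be moved above the web root.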

