Ad:

PHP Discussion Thread
Unsolved
Views: 6230

May 28th, 2004

Checking for going up a Directory

Expand Post »

I have been working on flatfile and directory system in PHP and not that I have got the script working I want to make it more secure. What I have is one directory with sub-directorys insided them and insided the subdirectorys are about 20 files each.

Forexample:

PHP Syntax (Toggle Plain Text)

directory/
  	sub1/
  	sub2/

When the script is working out what directory to open it works like this:

directory/$subNum/$filename

What I want to be able to do is stop people from going down directorys (../../filename) because this could be a big security risk. What I want to know is if there is a better way than !preg_match('../',$filename).

Similar Threads

Can JAVA create DOS directories? in Java
String Match Comparison in Shell Scripting
Google and PHP in Search Engine Optimization
'can't read from drive c' problem in Storage

Ragnarok

Reputation Points: 10

Solved Threads: 0

Junior Poster in Training

Offline

94 posts
since Mar 2004

Permalink

Jun 5th, 2004

Re: Checking for going up a Directory

I would think that would suffice. Does anyone here think that it would still be a security risk? The only thing I could see still being a problem is that someone could still manually enter the directory URL into their browser for access to the files.

cscgal

Administrator

Staff Writer

Reputation Points: 1422

Solved Threads: 162

The Queen of DaniWeb

Offline

13,645 posts
since Feb 2002

Permalink

Jun 6th, 2004

Re: Checking for going up a Directory

Don't do that. Put the flat file above the web root. I'm not sure of your hosting environment, but most linux set ups allow you to access files above the web root with your scripts.

If there is no way to do that in your situation, then yes, block them with your script since it is already written. But also, change the file perms so only your scripts can access it, and use .htaccess to block access to those files from everybody except your scripts and/or the owner of the files.

Arizona Web

Reputation Points: 16

Solved Threads: 2

Junior Poster

Offline

118 posts
since Jun 2004

Permalink

Jun 6th, 2004

Re: Checking for going up a Directory

there is a slight problem with that fact that I am making it an open source script

Ragnarok

Reputation Points: 10

Solved Threads: 0

Junior Poster in Training

Offline

94 posts
since Mar 2004

Permalink

Jan 22nd, 2009

-1

Re: Checking for going up a Directory

HI
I have benn working with a similiar script and i have solved this security issue doing a 'string replace' to the url:

php Syntax (Toggle Plain Text)
str_replace('..','',$requested_url);
str_replace('..','',$requested_url);

It works like a charm.

ciberwing

Reputation Points: 9

Solved Threads: 0

Newbie Poster

Offline

1 posts
since Jan 2009

Permalink

Jan 24th, 2009

Re: Checking for going up a Directory

If you need to now something about security, read this books:

http://eu.wiley.com/WileyCDA/WileyTi...470857447.html

or

http://www.amazon.co.uk/Architects-G...2831903&sr=8-2

or

http://phpsec.org/projects/guide/

Yayo_SK

Reputation Points: 10

Solved Threads: 1

Newbie Poster

Offline

11 posts
since Jan 2009

This thread is more than three months old

No one has posted to this discussion for at least three months. Please let old threads die and do not reply to them unless you feel you have something new and valuable to contribute that absolutely must be added to make the discussion complete. Otherwise, please start a new thread in this forum instead.

Previous Thread in PHP Forum Timeline: problem

Next Thread in PHP Forum Timeline: HTML to PDF and print

DaniWeb Message

Cancel Changes

User Name
Password