Hello everybody ;)

I have written a kind of CSS (pre)processor in PHP, and it uses the GET method to access the file:


<link rel="stylesheet" href="css.php?file=style.css" />



My problem now is that if a user types something like "css.php?file=../index.php", he gets the source code of every file on my server...

How can I prevent this? Is there a function that checks if a path has directory jumps, or do I have to use regular expressions?



Yeah, this is a technique I came across about 5 years ago - I think the author called it dynamic css. It works really well, but it's easy to mess up - and security is a git.

You can place header text in your css files, which if absent (your php files, etc), prevents load. It could be something as innocuous as:

/*=========== CSS FILE ===========*/

OR, probably easier:

You should also check for the existence of the file under the css folder, with file_exists(), remembering to strip any ".." and "/" from the name.
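
Both suggestions from the answer above combined into one check, as an added example that is not part of the original thread. It uses basename() and realpath() instead of stripping ".." and "/" by hand; the css/ directory name and the resolve_css() helper are assumptions.

```php
<?php
// css.php (added example). Assumptions: stylesheets live in ./css and each
// one starts with the marker comment suggested in the answer.
const CSS_DIR    = __DIR__ . '/css';
const CSS_MARKER = '/*=========== CSS FILE ===========*/';

/** Return the absolute path of a servable stylesheet, or null to refuse. */
function resolve_css($requested, string $cssDir = CSS_DIR): ?string
{
    // ?file[]=x arrives as an array; only a plain string is acceptable.
    if (!is_string($requested) || $requested === '') {
        return null;
    }
    // Refuse NUL bytes, backslashes and any directory component:
    // basename("../index.php") is "index.php", so the comparison fails.
    if (strpbrk($requested, "\0\\") !== false || basename($requested) !== $requested) {
        return null;
    }
    // Only stylesheets are ever served by this script.
    if (strtolower(pathinfo($requested, PATHINFO_EXTENSION)) !== 'css') {
        return null;
    }
    // realpath() resolves symlinks and returns false for missing files,
    // so it also covers the file_exists() check.
    $base = realpath($cssDir);
    $path = realpath($cssDir . '/' . $requested);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // The resolved path must still sit inside the css directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    // Header marker check: a file without the marker is not one of ours.
    $fh = fopen($path, 'rb');
    $head = $fh ? fread($fh, strlen(CSS_MARKER)) : false;
    if ($fh) {
        fclose($fh);
    }
    return $head === CSS_MARKER ? $path : null;
}

$path = resolve_css($_GET['file'] ?? null);
if ($path === null) {
    http_response_code(404); // same answer for every refusal
    exit;
}
header('Content-Type: text/css; charset=utf-8');
readfile($path); // the preprocessing step would replace this call
```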

Thank you, very nice tips ;)
I combined both of them.