I have been working on flatfile and directory system in PHP and not that I have got the script working I want to make it more secure. What I have is one directory with sub-directorys insided them and insided the subdirectorys are about 20 files each.

Forexample:

directory/
  	sub1/
  	sub2/

When the script is working out what directory to open it works like this:

directory/$subNum/$filename

What I want to be able to do is stop people from going down directorys (../../filename) because this could be a big security risk. What I want to know is if there is a better way than !preg_match('../',$filename).

I would think that would suffice. Does anyone here think that it would still be a security risk? The only thing I could see still being a problem is that someone could still manually enter the directory URL into their browser for access to the files.

Don't do that. Put the flat file above the web root. I'm not sure of your hosting environment, but most linux set ups allow you to access files above the web root with your scripts.

If there is no way to do that in your situation, then yes, block them with your script since it is already written. But also, change the file perms so only your scripts can access it, and use .htaccess to block access to those files from everybody except your scripts and/or the owner of the files.

there is a slight problem with that fact that I am making it an open source script

HI
I have benn working with a similiar script and i have solved this security issue doing a 'string replace' to the url:

str_replace('..','',$requested_url);

It works like a charm.

;)

Comments
We have a new record, ~5 year bump. Take a drink!
This article has been dead for over six months. Start a new discussion instead.