steekyjim - Posted October 20, 2008

Hi,

I'm writing a file management script and use the following to define the root directory:

$rootDir = 'c:\htdocs\filemanager\uploads';

The 'uploads' folder has several sub-folders in it and I want the user to be able to navigate through them and get directory listings. To view a folder's contents the user can go to:

http://url/filemanager/index.php?page=displayFolder&folderName=/foldername

However, my problem is that if people change the folderName to '../' or something like that then it will display things that are above the root directory that I don't want them to see.

Is there a way that I can stop them going above the root directory by manipulating the folderName variable? I still need them to be able to navigate up if they are in the subfolders.

Thanks in advance,
John

JonnoTheDev - Posted October 20, 2008

If the root directory name does not exist in the $_GET['folderName'] variable then redirect the user to the root directory using a conditional statement.

discomatt - Posted October 20, 2008

Assuming no folders end with dots, you can simply use...

if( strpos($folder, './') !== FALSE ) die( 'Attempt to go above root folder' );

You could also use realpath() (http://php.net/realpath) and verify the 'root' path is still there.
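
The realpath() check suggested in the reply above, written out as an added example (not code from the thread): it canonicalises the requested folder and accepts it only if the result is the root itself or sits below it. The function name `resolveInsideRoot`, the temporary directory tree and the sample `folderName` values are constructed for illustration.

```php
<?php
// Added example: containment check built on realpath(). Names are hypothetical.

/**
 * Resolve $folderName under $rootDir. Returns the canonical path, or null
 * if it does not exist, is not a directory, or falls outside the root.
 * realpath() also resolves symlinks, so a link pointing out of the root fails.
 */
function resolveInsideRoot(string $rootDir, string $folderName): ?string
{
    if (strpos($folderName, "\0") !== false) {
        return null; // reject NUL bytes before touching the filesystem
    }
    $root = realpath($rootDir);
    $path = realpath($rootDir . DIRECTORY_SEPARATOR . $folderName);
    if ($root === false || $path === false || !is_dir($path)) {
        return null;
    }
    // Compare against the root plus a trailing separator, so a sibling such as
    // "uploads_private" is not accepted just because it starts with "uploads".
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($path === $root || strncmp($path, $prefix, strlen($prefix)) === 0) {
        return $path;
    }
    return null;
}

// Constructed directory tree for the demonstration.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'fm_demo_' . uniqid();
mkdir($base . '/uploads/photos/2008', 0700, true);
mkdir($base . '/uploads_private', 0700, true);
$rootDir = $base . '/uploads';

// Constructed folderName values: the last three must be rejected.
$requests = ['/photos', '/photos/2008/..', '', '../',
             '/photos/../../uploads_private', '/missing'];
foreach ($requests as $folderName) {
    $resolved = resolveInsideRoot($rootDir, $folderName);
    printf("%-34s %s\n", var_export($folderName, true),
           $resolved === null ? 'REJECTED' : 'ok: ' . $resolved);
}

// Remove the demo tree (deepest directories first).
foreach (['/uploads/photos/2008', '/uploads/photos', '/uploads', '/uploads_private', ''] as $d) {
    rmdir($base . $d);
}
```

Navigating up from a subfolder (`/photos/2008/..`) still works because the comparison is made on the resolved path rather than on the presence of `..` in the input.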