steekyjim
Posted October 20, 2008

Hi,

I'm writing a file management script and use the following to define the root directory:

    $rootDir = 'c:\htdocs\filemanager\uploads';

The 'uploads' folder has several sub-folders in it and I want the user to be able to navigate through them and get directory listings. To view a folder's contents the user can go to:

    http://url/filemanager/index.php?page=displayFolder&folderName=/foldername

However, my problem is that if people change the folderName to '../' or something like that then it will display things that are above the root directory that I don't want them to see.

Is there a way that I can stop them going above the root directory by manipulating the folderName variable? I still need them to be able to navigate up if they are in the subfolders.

Thanks in advance,
John

JonnoTheDev
Posted October 20, 2008

If the root directory name does not exist in the $_GET['folderName'] variable then redirect the user to the root directory using a conditional statement.

discomatt
Posted October 20, 2008

Assuming no folders end with dots, you can simply use...

    // strpos() takes the haystack first, then the needle
    if( strpos($folder, './') !== FALSE ) die( 'Attempt to go above root folder' );

You could also use realpath() http://php.net/realpath and verify the 'root' path is still there.
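
The realpath() approach from the last reply, written out as an added example that is not part of the original thread. The function name resolveInsideRoot() and the temporary directory tree are assumptions made for the demonstration; the comparison uses a trailing separator so that a sibling folder whose name merely starts with the root's name is not accepted.

```php
<?php
// Added example (not from the thread): canonicalise the requested folder with
// realpath() and accept it only if the result is the root or lies beneath it.
// resolveInsideRoot() is a hypothetical helper name.
function resolveInsideRoot(string $rootDir, string $folderName): ?string
{
    $root = realpath($rootDir);
    if ($root === false) {
        return null; // root itself is missing: fail closed
    }
    // realpath() collapses "..", "." and symlinks, and returns false
    // when the resulting path does not exist.
    $target = realpath($root . DIRECTORY_SEPARATOR . $folderName);
    if ($target === false || !is_dir($target)) {
        return null;
    }
    // Prefix test with a trailing separator, so root "uploads" does not
    // match a sibling such as "uploads-old".
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($target !== $root && strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed sample tree in the system temp directory (demo data only).
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'fm_demo_' . bin2hex(random_bytes(4));
mkdir($base . '/uploads/photos/2008', 0700, true);
mkdir($base . '/uploads-old', 0700, true);
$rootDir = $base . '/uploads';

// Constructed folderName values, as they would arrive in $_GET['folderName'].
$requests = [
    '/photos',          // ordinary subfolder
    '/photos/2008/..',  // navigating up while inside a subfolder
    '/photos/../..',    // resolves to the parent of the root
    '/../uploads-old',  // sibling folder sharing the root's name prefix
    '/missing',         // folder that does not exist
];

foreach ($requests as $folderName) {
    $resolved = resolveInsideRoot($rootDir, $folderName);
    printf("%-18s %s\n", $folderName, $resolved !== null ? "allowed: $resolved" : 'rejected');
}
```

Because realpath() returns false for paths that do not exist, this check suits listing existing folders; it is not a validator for a path that is about to be created.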
This topic is now archived and is closed to further replies.