JustinsLorel Posted February 5, 2015 Share Posted February 5, 2015 Hey guys, i have created a php file which takes two parameters: a subdirectory path a file extension it then echos the complete path pf (glob()) all the files with that extension in the searching folder. I wanted to know the security issues involved with this and how i might use escape methods to make sure someone can't move up the directory listing and get other filename. Are there any other concerns i should have? No data is coming or going to a database however there are other php files on the server which communicate with mySQL. Thanks alot! Quote Link to comment https://forums.phpfreaks.com/topic/294400-tips-regarding-security-issues-involved-with-listing-filenames-in-php/ Share on other sites More sharing options...
ginerjm Posted February 5, 2015 Share Posted February 5, 2015 Personally I would never give someone that kind of open access. If your task is to allow a user to bro(wse 'some' files that you have, I would put them in a set of folder(s) and use my own code to search them for whatever extension the user provides. That way he/she cannot browse anywhere else. You could also provide a dropdown list of folders to be checked, but let your script verify that the folder they select is one of the ones you expect by comparing the one chosen to a list that you store in your script or in a db. Quote Link to comment https://forums.phpfreaks.com/topic/294400-tips-regarding-security-issues-involved-with-listing-filenames-in-php/#findComment-1505007 Share on other sites More sharing options...
NotionCommotion Posted February 6, 2015 Share Posted February 6, 2015 Ginerjm, I don't think the OP is asking for total access, only access to files/directories in a given directory. I expect the server code will define a base directory such as /some/directory/to/locate/user/files/ Then you are given a user input such as some/specific/directory. Would just removing all periods do the trick? This would prevent a directory named bla.bla, so maybe just two periods or a period next to a forward slash? Quote Link to comment https://forums.phpfreaks.com/topic/294400-tips-regarding-security-issues-involved-with-listing-filenames-in-php/#findComment-1505051 Share on other sites More sharing options...
JustinsLorel Posted February 6, 2015 Author Share Posted February 6, 2015 So from what i understand i should hard code part of the Url into my php form limiting the user to that scope. Would it make sense to have an if statement ignore '..' and '...' input? Quote Link to comment https://forums.phpfreaks.com/topic/294400-tips-regarding-security-issues-involved-with-listing-filenames-in-php/#findComment-1505072 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.