Jump to content

Recommended Posts

Hey guys, i have created a php file which takes two parameters:

a subdirectory path

a file extension

it then echos the complete path pf (glob()) all the files with that extension in the searching folder.

I wanted to know the security issues involved with this and how i might use escape methods to make sure someone can't move up the directory listing and get other filename.

Are there any other concerns i should have?

No data is coming or going to a database however there are other php files on the server which communicate with mySQL.

Thanks alot!

Personally I would never give someone that kind of open access. If your task is to allow a user to bro(wse 'some' files that you have, I would put them in a set of folder(s) and use my own code to search them for whatever extension the user provides. That way he/she cannot browse anywhere else. You could also provide a dropdown list of folders to be checked, but let your script verify that the folder they select is one of the ones you expect by comparing the one chosen to a list that you store in your script or in a db.

Ginerjm,  I don't think the OP is asking for total access, only access to files/directories in a given directory.

 

I expect the server code will define a base directory such as /some/directory/to/locate/user/files/

 

Then you are given a user input such as some/specific/directory.

 

Would just removing all periods do the trick?  This would prevent a directory named bla.bla, so maybe just two periods or a period next to a forward slash?

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.