JustinsLorel Posted February 5, 2015: Hey guys, I have created a PHP file which takes two parameters: a subdirectory path and a file extension. It then echoes the complete path of (glob()) all the files with that extension in the search folder. I wanted to know the security issues involved with this and how I might use escape methods to make sure someone can't move up the directory listing and get other filenames. Are there any other concerns I should have? No data is coming or going to a database; however, there are other PHP files on the server which communicate with MySQL. Thanks a lot!
ginerjm Posted February 5, 2015: Personally I would never give someone that kind of open access. If your task is to allow a user to browse 'some' files that you have, I would put them in a set of folder(s) and use my own code to search them for whatever extension the user provides. That way he/she cannot browse anywhere else. You could also provide a dropdown list of folders to be checked, but let your script verify that the folder they select is one of the ones you expect by comparing the one chosen to a list that you store in your script or in a db.
NotionCommotion Posted February 6, 2015: Ginerjm, I don't think the OP is asking for total access, only access to files/directories in a given directory. I expect the server code will define a base directory such as /some/directory/to/locate/user/files/. Then you are given a user input such as some/specific/directory. Would just removing all periods do the trick? This would prevent a directory named bla.bla, so maybe just two periods, or a period next to a forward slash?
JustinsLorel (Author) Posted February 6, 2015: So from what I understand I should hard-code part of the URL into my PHP form, limiting the user to that scope. Would it make sense to have an if statement ignore '..' and '...' input?
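The containment approach the thread is circling around, written out as an added example (not code from the original poster): instead of filtering '..' substrings, the request is resolved with realpath() and accepted only if the canonical directory still lies under a hard-coded base, and the extension is compared against a fixed list rather than escaped. BASE_DIR and ALLOWED_EXTENSIONS are assumptions for this example.

```php
<?php
// Added example (not from the thread): list files with one extension inside a
// fixed base directory, refusing any request that resolves outside it.
// BASE_DIR and ALLOWED_EXTENSIONS are assumptions for this example.
declare(strict_types=1);

const BASE_DIR = '/var/www/userfiles';            // assumed hard-coded base
const ALLOWED_EXTENSIONS = ['txt', 'pdf', 'png']; // assumed allow-list

// Returns the matching files under BASE_DIR/$subdir, or null if the request is
// rejected. The containment check runs on the *resolved* path, so '..'
// segments, symlinks and odd encodings all end up in the same test: if the
// canonical directory is not inside BASE_DIR, it is refused.
function listFiles(string $subdir, string $ext): ?array
{
    // Compare the extension against a fixed list instead of escaping it.
    $ext = strtolower($ext);
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }

    $base = realpath(BASE_DIR);
    if ($base === false) {
        return null; // base directory missing: refuse everything
    }

    // realpath() canonicalises the request and returns false if it does not
    // exist; a NUL byte in the input is refused before it reaches realpath().
    $target = strpos($subdir, "\0") === false
        ? realpath($base . DIRECTORY_SEPARATOR . $subdir)
        : false;
    if ($target === false) {
        return null;
    }

    // Containment: target must be $base itself or begin with "$base/".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($target !== $base && strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    // glob() now only sees the vetted directory and an allow-listed extension.
    $matches = glob($target . DIRECTORY_SEPARATOR . '*.' . $ext) ?: [];

    // Return paths relative to the base so the server layout is not disclosed.
    return array_map(fn(string $p): string => substr($p, strlen($prefix)), $matches);
}

// Usage: the query-string values are untrusted; listFiles() decides whether to honour them.
$result = listFiles($_GET['dir'] ?? '', $_GET['ext'] ?? '');
header('Content-Type: application/json');
echo json_encode($result === null ? ['error' => 'rejected'] : ['files' => $result]);
```

Because the decision is made on the resolved path, a directory legitimately named bla.bla inside the base is still allowed, while any request that escapes the base is rejected regardless of how it was spelled.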