eddy556 Posted July 13, 2007

I've got a bit of a problem with the way I have created a PHP script in terms of security. I have a server which serves media files from any of the folders A-Z. These are accessed through the index.htm page, which has a variable passed to it in the URL. This variable is related to the folder name, so for example if the user wants to access the files in folder F they click a link which sends the variable F to index.htm, which then searches for that folder and displays its contents.

However, I realised that by carefully crafting the URL it is possible to access any folder (for example by guessing a name or using ..). My question is: how can I prevent this? Thanks

ToonMariner Posted July 13, 2007

Place folders you don't mind being searched into a dir of their own. In your script, hardcode that folder as the first part of the path and remove any '../' from the path passed in the URL.
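
An added example, not part of either post above: one way to apply the hardcoded-base-directory advice to the A-Z layout from the question, using an allowlist on the URL variable plus a `realpath()` containment check. The names `resolveMediaDir` and `$mediaRoot`, the temp-directory layout and the sample inputs are all constructed for illustration.

```php
<?php
// Added example: resolveMediaDir() and $mediaRoot are hypothetical names.

/**
 * Map the folder variable from the URL to a directory under $mediaRoot.
 * Returns the resolved path, or null if the request must be refused.
 */
function resolveMediaDir(string $mediaRoot, string $folder): ?string
{
    // 1. Allowlist: the question describes folders A-Z, so accept exactly
    //    one uppercase letter. \A and \z anchor the whole string, so a
    //    trailing newline or extra characters cannot slip through.
    if (preg_match('/\A[A-Z]\z/', $folder) !== 1) {
        return null;
    }
    // 2. The base directory is fixed in code; only the letter is appended.
    $root = realpath($mediaRoot);
    $path = realpath($mediaRoot . DIRECTORY_SEPARATOR . $folder);
    if ($root === false || $path === false || !is_dir($path)) {
        return null; // missing base or missing folder
    }
    // 3. Containment: realpath() has resolved any symlinks, so the result
    //    must still start with the base directory plus a separator.
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed sample layout in a temp directory so the script runs offline.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'media_demo_' . getmypid();
mkdir($tmp . '/media/F', 0700, true);
mkdir($tmp . '/private', 0700, true);
touch($tmp . '/media/F/song.mp3');

// Constructed inputs: one valid folder, the ".." and guessed-name cases
// from the question, a lowercase letter, and a letter with no folder.
foreach (['F', '..', '../private', 'private', 'f', 'Z'] as $input) {
    $dir = resolveMediaDir($tmp . '/media', $input);
    $listing = $dir === null
        ? 'rejected'
        : implode(', ', array_diff(scandir($dir), ['.', '..']));
    printf("%-14s => %s\n", var_export($input, true), $listing);
}

// Remove the constructed sample layout.
unlink("$tmp/media/F/song.mp3");
rmdir("$tmp/media/F"); rmdir("$tmp/media"); rmdir("$tmp/private"); rmdir($tmp);
```

In the real script the second argument would be the variable read from the URL, and a null result should produce an error page rather than a directory listing.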