mattal999 Posted October 18, 2007

Hi, how would I make it so that the $file variable is not allowed to have ../ or ./ in it?

```php
<?php
error_reporting(0);
session_start();
$user = $_SESSION['userName'];
$file = $_POST['file'];
$CurDir = dirname(__FILE__);
// Optional sub-folder below the user's directory
if($_POST['folder'] != '') {
    $user = $user . '/' . $_POST['folder'];
} else {
    $user = $user;
}
$NewDir = "$CurDir/$user";
$filepath = $NewDir."/".$file;
// Create the target directory if it does not exist yet
if (!file_exists($NewDir) && !is_dir($NewDir) )
    mkdir($NewDir, 0755);
if( is_dir($NewDir) ) {
    if (is_writable($NewDir)) {
        if($_POST['folder'] != '') {
            $folder = $_POST['folder'];
        } else {
            $folder = '';
        }
        // 'x+' creates the file and fails if it already exists
        if (!$handle = fopen($filepath, 'x+')) {
            echo "<center><font face='verdana' size='2'>The file $file already exists, edit it <a href='writenew.php?file=" . $folder . "" . $file . "' style='border-bottom: dotted #000000 1px; text-decoration: none;'><font color='000000'>here</a>";
            exit;
        }
        echo "<center><font face='verdana' size='2'>Success, made a new file $file, edit it <a href='writenew.php?file=" . $folder . "" . $file . "' style='border-bottom: dotted #000000 1px; text-decoration: none;'><font color='000000'>here</a>";
        fclose($handle);
    } else {
        echo "<center><font face='verdana' size='2'>The file $file could not be made";
    }
}
?>
```

Thanks

esukf Posted October 18, 2007

Filter it.

```php
<?php
$file = $_POST['file'];
$bad = array('../', './');
$file = str_replace($bad, "", $file);
?>
```
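
An allow-list alternative to the replace-based filter above, as an added example that is not code from the thread: `str_replace` makes a single pass and does not re-check its own output, and the original script also builds the path from `$_POST['folder']`, so this version validates every path component and then confirms the resolved directory is still under the base directory. The function names, the `alice` user and the sample inputs are constructed for illustration; PHP 7.1 or later is assumed.

```php
<?php
// Added example, not code from the thread. Names and inputs are constructed.

// Accept a single path component: no separators, no leading dot.
function safe_component(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9_-][A-Za-z0-9._-]{0,63}\z/', $name) === 1;
}

// Build the path under $baseDir; return null unless every component is
// allowed and the resolved parent directory is still inside $baseDir.
function resolve_user_file(string $baseDir, string $user, string $folder, string $file): ?string
{
    $dirs = ($folder !== '') ? [$user, $folder] : [$user];
    foreach (array_merge($dirs, [$file]) as $part) {
        if (!safe_component($part)) {
            return null;
        }
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $sep = DIRECTORY_SEPARATOR;
    $dir = $base . $sep . implode($sep, $dirs);
    if (!is_dir($dir) && !mkdir($dir, 0755, true)) {
        return null;
    }
    // realpath() resolves symlinks, so a link planted inside the tree
    // cannot redirect the write outside it.
    $real = realpath($dir);
    if ($real === false || strpos($real . $sep, $base . $sep) !== 0) {
        return null;
    }
    return $real . $sep . $file;
}

// Constructed inputs, run against a throwaway directory.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pathdemo_' . getmypid();
is_dir($base) || mkdir($base);
$cases = [['notes', 'todo.txt'], ['', '../config.php'], ['../other', 'a.txt'], ['', '.htaccess']];
foreach ($cases as [$folder, $file]) {
    $path = resolve_user_file($base, 'alice', $folder, $file);
    printf("folder=%-10s file=%-15s => %s\n", $folder, $file, $path ?? 'rejected');
}
```

The returned path can be passed to `fopen($path, 'x+')` as in the original script, which refuses to open a name that already exists.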

mattal999 Posted October 18, 2007

cheers