Micky Hulse wrote:
> I am looking for the most secure/efficient way to compare these two
> strings:
> 
> /folder1/folder2/folder3/folder4/
> /folder1/folder2/folder3/folder4/file.php
> 
> Basically I am trying to setup as many security features as possible for
> a simplistic (home-grown/hand-coded) CMS...
> 
> This appears to work:
> 
> $haystack = '/folder1/folder2/folder3/folder4/someFileName.php';
> $needle = '/folder1/folder2/folder3/folder4/';
> if(substr_count($haystack, $needle) === 1) echo "yea";
> 
> Before making changes to "someFileName.php" I want to make sure it is
> within the allowed path ($needle).

First of all make sure you are sending both strings through realpath
(http://php.net/realpath) to remove any symbolic links and relative
references. Then you can compare the two strings. The way you're doing
it will work but it's probably not very efficient. This is what I use...

$valid = (strcmp($needle, substr($haystack, 0, strlen($needle))) == 0);

-Stut

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to