Micky Hulse wrote: > I am looking for the most secure/efficient way to compare these two > strings: > > /folder1/folder2/folder3/folder4/ > /folder1/folder2/folder3/folder4/file.php > > Basically I am trying to setup as many security features as possible for > a simplistic (home-grown/hand-coded) CMS... > > This appears to work: > > $haystack = '/folder1/folder2/folder3/folder4/someFileName.php'; > $needle = '/folder1/folder2/folder3/folder4/'; > if(substr_count($haystack, $needle) === 1) echo "yea"; > > Before making changes to "someFileName.php" I want to make sure it is > within the allowed path ($needle).
First of all make sure you are sending both strings through realpath (http://php.net/realpath) to remove any symbolic links and relative references. Then you can compare the two strings. The way you're doing it will work but it's probably not very efficient. This is what I use... $valid = (strcmp($needle, substr($haystack, 0, strlen($needle))) == 0); -Stut -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
