On Thursday 01 November 2001 10:39, Galkov Vladimir wrote:
> Need to remove all "../" "/.." from the user-input string to prevent
> him from walking around and creating files & directories where I don't want
> to see them/him...
>
> The string:
>
> $path =
> eregi_replace('([..]{2,})|([./]{2})|([../]{3,})|([/.]{2})|([/..]{3})',
> '', $path);
>
> works well with any combinations ( ../../..qwert.txt => qwert.txt)
> until something like "/../asd/../qwert.txt" is entered ...
> (/../asd/../qwert.txt => asdqwert.txt).
> So the question is how to upgrade the regular expression to remove all this
> correctly (with all entered directory names, but NOT assigning their
> names to the file name...
Here's what I use (take out the parts useful to you):

    function FixSrcURI ($SrcURI)
    {
        // remove script name
        // ({{$ Page.Source }} is a template placeholder expanded by the site build,
        //  left here exactly as posted)
        $SrcURI = preg_replace ('#^/*{{$ Page.Source }}/*#', '', $SrcURI);

        // remove potentially harmful parts
        $SrcURI = preg_replace ('#/?\.\./?#', '/', $SrcURI);   // ".." segments become a separator
        $SrcURI = preg_replace ('#/\./#', '/', $SrcURI);       // "/./" -> "/"
        $SrcURI = preg_replace ('#/\.$#', '/', $SrcURI);       // trailing "/."
        $SrcURI = preg_replace ('#/{2,}#', '/', $SrcURI);      // collapse "//"
        $SrcURI = preg_replace ('#^/#', '', $SrcURI);          // drop leading "/"

        // refuse hidden entries (leading dot in any segment) and CVS directories;
        // pbHTTP_404 () is a helper from the poster's site (not shown) that sends a 404
        if (preg_match ('#(\A|/)\.#', $SrcURI) || preg_match ('#CVS#', $SrcURI)) {
            pbHTTP_404 ();
        }

        if ($SrcURI == '') {
            return array ($SrcURI, -1, 'src');
        } else {
            $matches = array ();
            if (preg_match ('#^[^/]+$#', $SrcURI)) {
                // single segment: no directory part
                return array ($SrcURI, '', $SrcURI);
            } elseif (preg_match ('#^(.*)/([^/]*)$#', $SrcURI, $matches)) {
                // split into directory part and file part
                return array ($SrcURI, $matches [1], $matches [2]);
            } else {
                pbHTTP_404 ();
                return false;
            }
        }
    }

-- 
Christian Reiniger
LGDC Webmaster (http://lgdc.sunsite.dk/)

/* you are not expected to understand this */
	- from the UNIX V6 kernel source

-- 
PHP General Mailing List (http://www.php.net/)
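An added example (not Christian Reiniger's code and not from the original thread) that takes the other route: instead of deleting ".." with regexes, which is how "/../asd/../qwert.txt" ends up as "asdqwert.txt" in the question, it walks the path segment by segment, rejects anything that would climb above the base directory, and then confirms with realpath() that the resolved file still lies under the base. The function names and the sample inputs are my own.

```php
<?php
// Added example: segment-wise normalisation instead of regex stripping.
// A ".." that would climb above the base is rejected, not silently removed,
// so directory names can never be glued onto the file name.
function normalize_relative_path(string $userPath): ?string
{
    $userPath = str_replace('\\', '/', $userPath);   // treat backslash as a separator
    $out = [];
    foreach (explode('/', $userPath) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;                                 // "//" and "/./" add nothing
        }
        if ($segment === '..') {
            if ($out === []) {
                return null;                          // would escape the base: reject
            }
            array_pop($out);
            continue;
        }
        if ($segment[0] === '.') {
            return null;                              // .htaccess, .git, ...: reject
        }
        $out[] = $segment;
    }
    return implode('/', $out);
}
// Second check after joining: the resolved real path must still lie under the
// base, which also catches symlinks inside the tree that point outside it.
function resolve_under_base(string $base, string $userPath): ?string
{
    $rel = normalize_relative_path($userPath);
    $realBase = realpath($base);
    if ($rel === null || $realBase === false) {
        return null;
    }
    $candidate = realpath($base . '/' . $rel);
    if ($candidate === false) {
        return null;                                  // target does not exist
    }
    $prefix = $realBase . DIRECTORY_SEPARATOR;
    if ($candidate !== $realBase && strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}
// Constructed inputs, including the two from the thread; null means rejected.
foreach (['docs/./sub/../qwert.txt', '/../asd/../qwert.txt', '..\\..\\qwert.txt'] as $p) {
    var_dump(normalize_relative_path($p));
}
```

The realpath() step only works for files that exist, which is the right behaviour for a "serve this file" endpoint; for a "create this file" endpoint, apply the same prefix test to realpath(dirname()) of the target instead.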