you could try doing

    $realfilename = realpath($fname);   // canonical path, or false if the file does not exist
    if ($realfilename === false
        || strpos($realfilename, $the_valid_path_to_my_file_directory) !== 0) {
        // bad file name, like /etc/passwd
    } elseif (is_dir($realfilename)) {
        // bad user looking at directory
    }
On Thu, 12 Dec 2002, Dara Dowd wrote:

> Hello,
> I have a query string like this
> http://server/download.php?fname=name_of_remote_file. The script runs and displays a
> file download dialog box.
> Is there a way of validating the querystring to ensure that a user doesn't try
> something like fname=. or fname=.. or fname=? or fname=/, which enable the user to
> see the contents of the remote directory, without resorting to a load of 'if'
> statements. Are there any other special characters I should be aware of?
> Cheers, Dara
>
> --
> For the largest free email in Ireland (25MB) &
> File Storage space (20MB), visit http://www.campus.ie
>
> Powered by Outblaze
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
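The realpath-and-prefix check suggested in the reply, written out as a complete download-path validator. This is an added example, not code from the thread or from any PHP project; the function name resolveDownloadPath, the demo directory layout and the sample file names are all constructed for it. It goes a little beyond the reply in three places that matter in practice: the base directory is compared with a trailing separator so that "/srv/files" cannot match "/srv/files_private", a false return from realpath (file missing or unreadable) is treated as a rejection rather than being fed to strpos, and embedded NUL bytes are refused before any filesystem call.

```php
<?php
// Added example (not from the original thread): resolve a user-supplied
// file name against a fixed download directory and refuse anything that
// escapes it or names a directory. $baseDir and the files created in the
// demo section below are constructed for illustration.

/**
 * Return the canonical path of $fname inside $baseDir, or null if the
 * request must be refused.
 */
function resolveDownloadPath(string $baseDir, string $fname): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                // misconfigured base directory
    }
    // A trailing separator keeps "/srv/files" from matching "/srv/files_private".
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // A NUL byte can truncate the path in lower-level calls; refuse it outright.
    if (strpos($fname, "\0") !== false) {
        return null;
    }

    // Resolve relative to the base directory; realpath collapses "." and "..".
    // An absolute $fname is simply appended, so "/etc/passwd" is looked up as
    // "<base>/etc/passwd" and fails unless such a file really exists there.
    $real = realpath($base . $fname);
    if ($real === false) {
        return null;                // does not exist, or is not readable
    }
    if (strpos($real, $base) !== 0) {
        return null;                // resolved outside the download directory
    }
    if (is_dir($real)) {
        return null;                // directory listings are not downloads
    }
    return $real;
}

// --- Demo with a constructed directory layout under the system temp dir ---
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dl_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/files/sub', 0700, true);
mkdir($root . '/files_private', 0700);
file_put_contents($root . '/files/report.pdf', 'constructed sample');
file_put_contents($root . '/files/sub/inner.txt', 'constructed sample');
file_put_contents($root . '/files_private/secret.txt', 'constructed sample');
file_put_contents($root . '/outside.txt', 'constructed sample');

$tests = [
    'report.pdf',                  // OK
    'sub/inner.txt',               // OK: subdirectories inside the base are fine
    '.',                           // rejected: the base directory itself
    '..',                          // rejected: parent of the base
    '/',                           // rejected: resolves to the base directory
    '../outside.txt',              // rejected: traversal out of the base
    '../files_private/secret.txt', // rejected: only because of the trailing separator
    '/etc/passwd',                 // rejected: looked up beneath the base, not found
    "report.pdf\0.jpg",            // rejected: NUL byte
    'sub',                         // rejected: a directory
];
foreach ($tests as $fname) {
    $result = resolveDownloadPath($root . '/files', $fname);
    printf("%-34s => %s\n", json_encode($fname),
           $result === null ? 'REJECTED' : 'OK ' . basename($result));
}

// Remove the constructed layout again.
$it = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::CHILD_FIRST);
foreach ($it as $entry) {
    $entry->isDir() ? rmdir($entry->getPathname()) : unlink($entry->getPathname());
}
rmdir($root);
```

In a real download.php the caller would pass $_GET['fname'] and send the returned path with readfile(); the function never touches the filesystem for anything it has already decided to refuse, so the decision is made on the canonical path rather than on the characters the user typed.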