Hello,
I have a query string like this
http://server/download.php?fname=name_of_remote_file. The script runs and displays a
file download dialog box.
Is there a way of validating the querystring to ensure that a user doesn't try
something like fname=. or fname=.. or fname=? or fname=/, which
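You could try doing

    // Resolve "..", "." and symlinks; realpath() returns false if the
    // file does not exist, which also fails the prefix check below.
    $realfilename = realpath($fname);
    if (strpos($realfilename, $the_valid_path_to_my_file_directory) !== 0)
    {
        // bad file name, like /etc/passwd
    }
    elseif (is_dir($realfilename))
    {
        // bad user looking at directory
    }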
On Thu, 12 Dec 2002, Dara Dowd wrote:
Hello,