Checking for going up a Directory

Question

Ragnarok 0 Junior Poster in Training

20 Years Ago

I have been working on flatfile and directory system in PHP and not that I have got the script working I want to make it more secure. What I have is one directory with sub-directorys insided them and insided the subdirectorys are about 20 files each.

Forexample:

directory/
  	sub1/
  	sub2/

When the script is working out what directory to open it works like this:

directory/$subNum/$filename

What I want to be able to do is stop people from going down directorys (../../filename) because this could be a big security risk. What I want to know is if there is a better way than !preg_match('../',$filename).

php

5 Contributors
5 Replies
168 Views
4 Years Discussion Span
Latest Post 15 Years Ago Latest Post by Yayo_SK

Dani 4,329 The Queen of DaniWeb

20 Years Ago

I would think that would suffice. Does anyone here think that it would still be a security risk? The only thing I could see still being a problem is that someone could still manually enter the directory URL into their browser for access to the files.

Arizona Web 5 Junior Poster

20 Years Ago

Don't do that. Put the flat file above the web root. I'm not sure of your hosting environment, but most linux set ups allow you to access files above the web root with your scripts.

If there is no way to do that in your situation, then yes, block them with your script since it is already written. But also, change the file perms so only your scripts can access it, and use .htaccess to block access to those files from everybody except your scripts and/or the owner of the files.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

Ragnarok 0 Junior Poster in Training · Answer 1 · 2004-06-06T23:05:45+00:00

there is a slight problem with that fact that I am making it an open source script

ciberwing -1 Newbie Poster · Answer 2 · 2009-01-23T03:45:26+00:00

HI
I have benn working with a similiar script and i have solved this security issue doing a 'string replace' to the url:

str_replace('..','',$requested_url);

It works like a charm.

;)

Yayo_SK 0 Newbie Poster · Answer 3 · 2009-01-25T03:22:25+00:00

If you need to now something about security, read this books:

http://eu.wiley.com/WileyCDA/WileyTitle/productCd-0470857447.html

or

http://www.amazon.co.uk/Architects-Guide-Security-Step-step/dp/0973862106/ref=sr_1_2?ie=UTF8&s=books&qid=1232831903&sr=8-2

or

http://phpsec.org/projects/guide/