Delbono pressed the little lettered thingies in this order...

> maybe one could be
> <?
> $allowed_path  = "/www/sites/mysite/teaching";
> if (substr($file, 0, strlen($allowed_path)) <> $allowed_path )
> {
> die("not allowed!");
> }
> else
> {
> show_source($file);
> }
> ?>

The only foolproof method for restricting access is to strip forward 
slashes.  In the above example, I can change the file to:
And it will be allowed
If you were to do this, however:
$allowed_path = "/www/sites/mysite/teaching";
$file = ereg_replace("/","",$file);
That would block any attempt to trick the server into going into another 

You would have to create separate show_source() calls or separate 
scripts for each directory that you wish to allow, but nobody will ever get 
your /etc/passwd file.

Christopher Ostmo
Meeting cutting edge dynamic
web site needs
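
The prefix test in the quoted snippet compares strings, not resolved paths. As an added example (not code from this thread), one way to keep a single script for a whole directory tree is to canonicalise with realpath() before comparing; the helper name resolve_inside() and the temporary demo tree are assumptions constructed for illustration.

```php
<?php
// Added example, not code from the thread. resolve_inside() is a hypothetical
// helper; the demo tree under the temp directory is constructed sample data.

// Return the canonical path of $file if it is a file inside $allowedDir, else null.
function resolve_inside(string $allowedDir, string $file): ?string
{
    $base = realpath($allowedDir); // canonical form of the allowed directory
    $real = realpath($file);       // resolves "..", "." and symlinks; false if missing
    if ($base === false || $real === false) {
        return null;
    }
    // Trailing separator so "teaching-old" is not accepted as "teaching".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($real) ? $real : null;
}

// Constructed demo tree so the script runs on any machine.
$root = sys_get_temp_dir() . '/show_source_demo_' . getmypid();
mkdir("$root/teaching", 0700, true);
mkdir("$root/teaching-old", 0700, true);
file_put_contents("$root/teaching/lesson1.php", "<?php echo 'hi';\n");
file_put_contents("$root/teaching-old/draft.php", "<?php // draft\n");
file_put_contents("$root/secret.txt", "not for display\n");

$allowed = "$root/teaching";
$samples = [
    "$allowed/lesson1.php",         // inside the allowed directory
    "$allowed/../secret.txt",       // starts with the allowed string, resolves outside
    "$root/teaching-old/draft.php", // shares the string prefix, different directory
    "$allowed/missing.php",         // does not exist
];
foreach ($samples as $file) {
    // Same comparison as the quoted snippet, expressed as allow/deny.
    $naive = substr($file, 0, strlen($allowed)) === $allowed;
    $safe  = resolve_inside($allowed, $file) !== null;
    printf("%-28s prefix-check=%s realpath-check=%s\n",
        substr($file, strlen($root)), $naive ? 'allow' : 'deny', $safe ? 'allow' : 'deny');
}
```

All four constructed samples pass the string-prefix comparison, while the realpath() check accepts only the first; pass the value returned by resolve_inside(), not the original input, to show_source().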

PHP General Mailing List (