You could also use the realpath() function...
realpath -- Returns canonicalized absolute pathname
realpath() expands all symbolic links and resolves references to '/./',
'/../' and extra '/' characters in the input path and returns the
canonicalized absolute pathname. The resulting path will have no symbolic
link, '/./' or '/../' components.
On Tue, 21 May 2002, Bogdan Stancescu wrote:
> Just to acknowledge that your post is being read: I think that's all you
> have to do - that obviously doesn't necessarily mean I'm also right. :-)
> Jimmy Lantz wrote:
> > Hi,
> > I'm planning on using user input as a part of path to read (horrific I
> > know :)
> > So to make this user input a bit more secure I'm thinking to use
> > $path = escapeshellarg($path);
> > $path = str_replace("../","",$path);
> > I'm thinking to use a basedir in a constant something like
> > /usr/home/userdir (this also being set in php.ini)
> > then add the user input and then append that to the constant and then
> > use opendir() on it.
> > I want to avoid people putting in nice little strings like ../../../etc/
> > Any other pointers?
> > / Jim
> > Security is a state of mind not a sales argument!
> > *** Secret behind flying=
> > Throw yourself at the ground and miss :-)
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
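The realpath() suggestion from this thread, as an added example that is not part of the original messages: canonicalize the base directory plus the user input, then accept the result only if it still lies under the base. BASE_DIR, resolve_in_base() and the temporary sandbox directory are assumptions made for the illustration.

```php
<?php
// Added example, not from the thread. BASE_DIR and resolve_in_base() are
// hypothetical names; the sandbox directory is constructed so this runs offline.
$base = sys_get_temp_dir() . '/basedir_demo_' . getmypid();
mkdir($base . '/photos', 0700, true);
define('BASE_DIR', realpath($base)); // canonicalize the base once as well

/**
 * Canonical path of $userInput under BASE_DIR, or null when it does not
 * exist or resolves (via '..' or a symlink) to somewhere outside BASE_DIR.
 */
function resolve_in_base(string $userInput): ?string
{
    if (strpos($userInput, "\0") !== false) {
        return null; // NUL bytes never belong in a path
    }
    $resolved = realpath(BASE_DIR . DIRECTORY_SEPARATOR . $userInput);
    if ($resolved === false) {
        return null; // nonexistent or unreadable
    }
    if ($resolved === BASE_DIR) {
        return $resolved;
    }
    // Compare with a trailing separator so /usr/home/userdir2 cannot pass
    // as a child of /usr/home/userdir.
    $prefix = BASE_DIR . DIRECTORY_SEPARATOR;
    return strncmp($resolved, $prefix, strlen($prefix)) === 0 ? $resolved : null;
}

// Constructed inputs. The fourth shows why one str_replace() pass is not
// enough: removing '../' from '....//' leaves '../' behind.
$samples = ['photos', 'photos/../photos', '../../../etc/', '....//....//etc/', 'missing'];
foreach ($samples as $input) {
    $filtered = str_replace('../', '', $input); // filter proposed in the thread
    $verdict  = resolve_in_base($input) === null ? 'rejected' : 'allowed';
    printf("%-18s str_replace => %-12s realpath check => %s\n", $input, $filtered, $verdict);
}

rmdir($base . '/photos');
rmdir($base);
```

The non-null return value is the path to hand to opendir(). escapeshellarg() is meant for building shell command lines; applied to a filesystem path it only wraps the string in quotes.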