you could try doing

$realfilename = realpath($fname);
if (strpos($realfilename, $the_valid_path_to_my_file_directory) !== 0)
        // bad file name, like /etc/passwd
elseif (is_dir($realfilename))
        // bad user looking at directory

On Thu, 12 Dec 2002, Dara Dowd wrote:

> Hello,
> I have a query string like this
> http://server/download.php?fname=name_of_remote_file. The script runs and displays a 
>file download dialog box.
> Is there a way of validating the querystring to ensure that a user doesn't try 
>something like fname=. or fname=.. or fname=? or fname=/, which enable the user to 
>see the contents of the remote directory, without resorting to a load of 'if' 
>statements.Are there any other special characters i should be aware of?
> Cheers,Dara
> --
> For the largest free email in Ireland (25MB) &
> File Storage space (20MB), visit
> Powered by Outblaze
> --
> PHP General Mailing List (
> To unsubscribe, visit:

PHP General Mailing List (
To unsubscribe, visit:

Reply via email to