you could try doing
$realfilename = realpath($fname);
if (strpos($realfilename, $the_valid_path_to_my_file_directory) !== 0)
// bad file name, like /etc/passwd
// bad user looking at directory
On Thu, 12 Dec 2002, Dara Dowd wrote:
> I have a query string like this
> http://server/download.php?fname=name_of_remote_file. The script runs and displays a
>file download dialog box.
> Is there a way of validating the querystring to ensure that a user doesn't try
>something like fname=. or fname=.. or fname=? or fname=/, which enable the user to
>see the contents of the remote directory, without resorting to a load of 'if'
>statements.Are there any other special characters i should be aware of?
> For the largest free email in Ireland (25MB) &
> File Storage space (20MB), visit http://www.campus.ie
> Powered by Outblaze
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php