[nycphp-talk] Bullet proofing "rmdir" command

Analysis & Solutions danielc at
Tue Aug 12 11:11:13 EDT 2003

Hey Jeff:

On Tue, Aug 12, 2003 at 10:28:57AM -0400, Jeff wrote:
> Just to expand a bit, I use a constant for the full path:

If you're using a constant for the path, then all you need to do is make
sure the user input subdirectory name matches an expected pattern.  So,
for example, check to see that $sSubDir has only letters and numbers in
it.  This keeps a jerk from putting in dots and/or slashes to move to 
undesirable locations.  This doesn't obviate the need for is_dir() and 
file_exists() checks, though.

I guess one hitch with all of the approaches discussed so far is they seem 
to be able to allow one user to delete another user's photos.  Thus, you 
might want to include some unique user id in the file/directory naming 

... snipitty, snip, snip, because, friends don't let friends waste 
disk space or bandwidth...


     FREE scripts that make web and database programming easier
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
 4015 7th Ave #4AJ, Brooklyn NY    v: 718-854-0335   f: 718-854-0409
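The approach Daniel describes above (fixed root path as a constant, allowlisted subdirectory name, per-user prefix, then is_dir() before removal), written out as an added PHP example that is not part of the original post. The constant name PHOTO_ROOT, the function names and the demo directory layout are assumptions made for this illustration.

```php
<?php
// Added example, not from the original post. PHOTO_ROOT, resolvePhotoDir and
// removePhotoDir are hypothetical names chosen for this illustration.
define('PHOTO_ROOT', sys_get_temp_dir() . '/photo_demo');

/**
 * Return the absolute path of the user's photo directory, or null if the
 * request is rejected. Only a path returned from here is ever passed to rmdir().
 */
function resolvePhotoDir(int $userId, string $sSubDir): ?string
{
    // 1. Allowlist: letters and digits only. Dots and slashes never get
    //    through, so "../" and absolute paths are refused before any
    //    filesystem call is made.
    if (!preg_match('/^[A-Za-z0-9]{1,64}$/', $sSubDir)) {
        return null;
    }

    // 2. Scope the name to the requesting user, so one user cannot name
    //    another user's directory (the unique-user-id suggestion above).
    $candidate = PHOTO_ROOT . '/user' . $userId . '_' . $sSubDir;

    // 3. is_dir() still applies: a well-formed name may simply not exist.
    if (!is_dir($candidate)) {
        return null;
    }

    // 4. Belt and braces: after symlink resolution the directory must still
    //    sit directly under PHOTO_ROOT.
    $real = realpath($candidate);
    $root = realpath(PHOTO_ROOT);
    if ($real === false || $root === false || dirname($real) !== $root) {
        return null;
    }
    return $real;
}

/**
 * Delete the regular files inside the user's directory, then the directory.
 * Refuses (returns false) on symlinks or nested directories rather than recursing.
 */
function removePhotoDir(int $userId, string $sSubDir): bool
{
    $dir = resolvePhotoDir($userId, $sSubDir);
    if ($dir === null) {
        return false;
    }
    foreach (scandir($dir) as $entry) {
        if ($entry === '.' || $entry === '..') {
            continue;
        }
        $path = $dir . '/' . $entry;
        // is_link() first: is_file() follows symlinks and would report true
        // for a link pointing at a file elsewhere on the box.
        if (is_link($path) || !is_file($path)) {
            return false;
        }
        unlink($path);
    }
    return rmdir($dir);
}

// --- demonstration with constructed directories under the temp dir ---
@mkdir(PHOTO_ROOT, 0700, true);
@mkdir(PHOTO_ROOT . '/user7_summer2003', 0700);
touch(PHOTO_ROOT . '/user7_summer2003/beach.jpg');

var_dump(resolvePhotoDir(7, '../../etc'));   // input contains dots and slashes
var_dump(resolvePhotoDir(8, 'summer2003'));  // valid name, but not user 8's directory
var_dump(removePhotoDir(7, 'summer2003'));   // user 7's own directory
var_dump(is_dir(PHOTO_ROOT . '/user7_summer2003'));
```

The allowlist check does the heavy lifting: because the pattern admits nothing but letters and digits, the string handed to the filesystem can never contain a separator, so the realpath() comparison in step 4 is a second line of defence rather than the primary one. The per-user prefix is what stops one authenticated user from naming another user's directory, which the pattern check alone does not address.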
