NYCPHP Meetup

[nycphp-talk] Bullet proofing "rmdir" command

Analysis & Solutions danielc at analysisandsolutions.com
Tue Aug 12 11:11:13 EDT 2003


Hey Jeff:

On Tue, Aug 12, 2003 at 10:28:57AM -0400, Jeff wrote:
> Just to expand a bit, I use a constant for the full path:

If you're using a constant for the path, then all you need to do is make
sure the user input subdirectory name matches an expected pattern.  So,
for example, check to see that $sSubDir has only letters and numbers in
it.  This keeps a jerk from putting in dots and/or slashes to move to 
undesirable locations.  This doesn't obviate the need for is_dir() and 
file_exists() checks, though.

I guess one hitch with all of the approaches discussed so far is they seem 
to be able to allow one users to delete another user's photos.  Thus, you 
might want to include some unique user id in the file/directory naming 
convention.

... snipitty, snip, snip, because, friends don't let friends waste 
disk space or bandwidth...

--Dan

-- 
     FREE scripts that make web and database programming easier
           http://www.analysisandsolutions.com/software/
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
 4015 7th Ave #4AJ, Brooklyn NY    v: 718-854-0335   f: 718-854-0409



More information about the talk mailing list