NYCPHP Meetup

[nycphp-talk] Bullet proofing "rmdir" command

Jeff jsiegel1 at optonline.net
Tue Aug 12 11:30:17 EDT 2003


The subdirectory name should, theoretically, take care of uniqueness.
Here's how I generate the subdir name when someone is uploading pics for
the very first time:

$sTime = microtime();
$iDir = md5($sTime); 

At no time does the user touch the subdir name (that is...it is not
editable). It is generated automatically and stored in the database. The
only time it is visible, however, is on the "public" side of the site
when someone views the images and looks at the html source.


Jeff

-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]
On Behalf Of Analysis & Solutions
Sent: Tuesday, August 12, 2003 10:11 AM
To: NYPHP Talk
Subject: Re: [nycphp-talk] Bullet proofing "rmdir" command


Hey Jeff:

On Tue, Aug 12, 2003 at 10:28:57AM -0400, Jeff wrote:
> Just to expand a bit, I use a constant for the full path:

If you're using a constant for the path, then all you need to do is make
sure the user input subdirectory name matches an expected pattern.  So,
for example, check to see that $sSubDir has only letters and numbers in
it.  This keeps a jerk from putting in dots and/or slashes to move to 
undesirable locations.  This doesn't obviate the need for is_dir() and 
file_exists() checks, though.

I guess one hitch with all of the approaches discussed so far is they
seem to be able to allow one user to delete another user's photos.  Thus,
you might want to include some unique user id in the file/directory naming
convention.

... snipitty, snip, snip, because, friends don't let friends waste 
disk space or bandwidth...

--Dan

-- 
     FREE scripts that make web and database programming easier
           http://www.analysisandsolutions.com/software/
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
 4015 7th Ave #4AJ, Brooklyn NY    v: 718-854-0335   f: 718-854-0409
_______________________________________________
talk mailing list
talk at lists.nyphp.org
http://lists.nyphp.org/mailman/listinfo/talk
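The checks Dan describes above (a constant base path, a subdirectory name restricted to letters and digits, an is_dir() check, and scoping the deletion to the owning user), put together in one function. This is an added example and is not code from Jeff's site or from anyone on this thread; the $aOwnedDirs array is a constructed stand-in for the database lookup, and the temp-directory layout at the bottom is constructed so the script runs offline.

```php
<?php
// Added example, not from the thread. Delete a user's own photo directory
// under a fixed base path, with the input checks discussed on the list.

/**
 * Accept only letters and digits: no dots, slashes, NUL bytes, or spaces,
 * so the name cannot move outside the base directory.
 */
function isValidSubDir($sSubDir)
{
    return is_string($sSubDir)
        && preg_match('/^[A-Za-z0-9]{1,64}$/', $sSubDir) === 1;
}

/**
 * Remove the flat photo directory $sSubDir under $sBase, but only if the
 * name is well-formed, belongs to $iUserId, and really is a directory.
 * $aOwnedDirs is a constructed stand-in for a DB table of (user_id, subdir).
 */
function removePhotoDir($sBase, $iUserId, $sSubDir, array $aOwnedDirs)
{
    if (!isValidSubDir($sSubDir)) {
        return false;                 // reject; never try to "clean" the name
    }

    // Ownership: a valid-looking name is not enough, it must be this user's.
    if (!isset($aOwnedDirs[$iUserId])
        || !in_array($sSubDir, $aOwnedDirs[$iUserId], true)) {
        return false;
    }

    $sPath = $sBase . '/' . $sSubDir;

    // is_dir() follows symlinks, so refuse links first, then require a dir.
    if (is_link($sPath) || !is_dir($sPath)) {
        return false;
    }

    // Belt and braces: the resolved path must still sit under the base.
    $sBaseReal = realpath($sBase);
    $sReal     = realpath($sPath);
    if ($sBaseReal === false || $sReal === false
        || strpos($sReal, $sBaseReal . '/') !== 0) {
        return false;
    }

    // rmdir() only removes empty directories, so unlink the photos first.
    // A photo directory is expected to be flat; anything else aborts.
    foreach (scandir($sReal) as $sEntry) {
        if ($sEntry === '.' || $sEntry === '..') {
            continue;
        }
        $sFile = $sReal . '/' . $sEntry;
        if (is_link($sFile) || !is_file($sFile)) {
            return false;             // nested dir or symlink: do not recurse
        }
        if (!unlink($sFile)) {
            return false;
        }
    }

    return rmdir($sReal);
}

// Constructed demo layout in the system temp directory.
$sBase = sys_get_temp_dir() . '/rmdir_demo_' . getmypid();
mkdir($sBase . '/abc123', 0700, true);
file_put_contents($sBase . '/abc123/pic.jpg', 'placeholder, not a real image');
$aOwned = array(42 => array('abc123'));   // user 42 owns subdir abc123

var_dump(removePhotoDir($sBase, 42, '../etc', $aOwned)); // bad characters in name
var_dump(removePhotoDir($sBase, 7,  'abc123', $aOwned)); // wrong user
var_dump(removePhotoDir($sBase, 42, 'nope99', $aOwned)); // well-formed but no such dir
var_dump(removePhotoDir($sBase, 42, 'abc123', $aOwned)); // owner deleting own dir

rmdir($sBase);   // clean up the demo base directory
```

The ownership check comes before touching the filesystem, so a caller who learns another user's directory name from the public HTML source still cannot remove it; the realpath() comparison is a second line of defence in case the base path itself is ever built from something less fixed than a constant.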