[nycphp-talk] Bullet proofing "rmdir" command

Jeff jsiegel1 at
Tue Aug 12 11:30:17 EDT 2003

The subdirectory name should, theoretically, take care of uniqueness.
Here's how I generate the subdir name when someone is uploading pics for
the very first time:

$sTime = microtime();   // current time with microseconds, as a string
$iDir = md5($sTime);    // 32-character hex digest used as the subdir name

At no time does the user touch the subdir name (that is not
editable). It is generated automatically and stored in the database. The
only time it is visible, however, is on the "public" side of the site
when someone views the images and looks at the html source.


-----Original Message-----
From: talk-bounces at [mailto:talk-bounces at]
On Behalf Of Analysis & Solutions
Sent: Tuesday, August 12, 2003 10:11 AM
To: NYPHP Talk
Subject: Re: [nycphp-talk] Bullet proofing "rmdir" command

Hey Jeff:

On Tue, Aug 12, 2003 at 10:28:57AM -0400, Jeff wrote:
> Just to expand a bit, I use a constant for the full path:

If you're using a constant for the path, then all you need to do is make
sure the user input subdirectory name matches an expected pattern.  So,
for example, check to see that $sSubDir has only letters and numbers in
it.  This keeps a jerk from putting in dots and/or slashes to move to
undesirable locations.  This doesn't obviate the need for is_dir() and
file_exists() checks, though.

I guess one hitch with all of the approaches discussed so far is they
to be able to allow one user to delete another user's photos.  Thus,
might want to include some unique user id in the file/directory naming

... snipitty, snip, snip, because, friends don't let friends waste 
disk space or bandwidth...


     FREE scripts that make web and database programming easier
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
 4015 7th Ave #4AJ, Brooklyn NY    v: 718-854-0335   f: 718-854-0409
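As an added example that is not code from this thread, here is one way to put the quoted advice together in PHP: a constant base path, a letters-and-digits-only check on the subdir name, per-user scoping of the path, and is_dir() before rmdir(). PHOTO_BASE, the function names and the realpath() containment check are my assumptions, not something Jeff or Analysis & Solutions posted.

```php
<?php
// Added example (not from the thread). PHOTO_BASE, the user-id scoping and
// the function names are assumptions for illustration.

define('PHOTO_BASE', '/var/www/photos');   // assumed constant for the full path

/**
 * Return the absolute directory for ($iUserId, $sSubDir), or null if the
 * name is not one we would have generated or it is not under PHOTO_BASE.
 */
function safePhotoDir(int $iUserId, string $sSubDir): ?string
{
    // Only letters and digits are allowed: no dots, slashes or NUL bytes.
    // An md5() hex digest, as generated on first upload, always passes.
    if (!preg_match('/^[A-Za-z0-9]{1,64}$/', $sSubDir)) {
        return null;
    }
    // Scope the path by user id so one user cannot name another's directory.
    $sPath = PHOTO_BASE . '/' . $iUserId . '/' . $sSubDir;

    // is_dir() rejects names that were never created; realpath() resolves
    // symlinks, and the prefix check confirms we are still inside the base.
    if (!is_dir($sPath)) {
        return null;
    }
    $sReal = realpath($sPath);
    $sBase = realpath(PHOTO_BASE);
    if ($sReal === false || $sBase === false
        || strncmp($sReal, $sBase . '/', strlen($sBase) + 1) !== 0) {
        return null;
    }
    return $sReal;
}

/** Remove the user's (empty) photo directory; true on success. */
function removePhotoDir(int $iUserId, string $sSubDir): bool
{
    $sDir = safePhotoDir($iUserId, $sSubDir);
    if ($sDir === null) {
        error_log("rmdir refused for user $iUserId, subdir '$sSubDir'");
        return false;
    }
    // rmdir() only removes an empty directory; delete the image files
    // (validated with the same pattern) first, or let the failure surface.
    return rmdir($sDir);
}

// Constructed inputs: the first is refused by the pattern check before
// rmdir() is ever reached; the second is refused unless that dir exists.
var_dump(removePhotoDir(42, '../../etc'));
var_dump(removePhotoDir(42, md5('constructed sample')));
```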