[nycphp-talk] Bullet proofing "rmdir" command

Jeff jsiegel1 at
Tue Aug 12 12:00:48 EDT 2003


The subdirectory only gets deleted when a user clicks on the "Delete"
link. The code handles the rest. At no time does the user know the name
of the image subdirectory. All they know is that they are deleting a
record. And as an added safety precaution, though I'm using $_GET to
pass values around (like record ID numbers), the URL says something like
7fQ== with the latter being base64 encoded and serialized.


-----Original Message-----
From: talk-bounces at [mailto:talk-bounces at]
On Behalf Of Analysis & Solutions
Sent: Tuesday, August 12, 2003 10:39 AM
To: NYPHP Talk
Subject: Re: [nycphp-talk] Bullet proofing "rmdir" command

Hey Jeff:

On Tue, Aug 12, 2003 at 11:30:17AM -0400, Jeff wrote:

> At no time does the user touch the subdir name (that is not
> editable).


So, when you're allowing users to delete directories, what is the input
they're providing?  The name of a subdirectory under the hash named
dir, which is itself a subdirectory of your graphics directory?  If so,
great.  Then, as mentioned before, all you need to do is check the user
input contains only letters and numbers.



... snip ...

     FREE scripts that make web and database programming easier
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
 4015 7th Ave #4AJ, Brooklyn NY    v: 718-854-0335   f: 718-854-0409
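
The letters-and-numbers check suggested in the thread, combined with a containment check before rmdir(), as an added example that is not code from either poster. It assumes PHP 7 or later; the function name remove_image_subdir, the base directory layout and the demo values are hypothetical.

```php
<?php
// Added example. remove_image_subdir() and its arguments are hypothetical names.
function remove_image_subdir(string $baseDir, string $name): bool
{
    // Allow-list: ASCII letters and digits only, so "/", "\", "." and NUL
    // can never reach the filesystem calls below.
    if (preg_match('/\A[A-Za-z0-9]+\z/', $name) !== 1) {
        return false;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return false;
    }
    $target = $base . DIRECTORY_SEPARATOR . $name;
    // Only a real directory is acceptable, never a symlink pointing elsewhere.
    if (is_link($target) || !is_dir($target)) {
        return false;
    }
    // Defence in depth: the resolved path must be a direct child of the base.
    $resolved = realpath($target);
    if ($resolved === false || dirname($resolved) !== $base) {
        return false;
    }
    // rmdir() only removes empty directories, so delete the plain files first
    // and stop at anything that is not a regular file.
    foreach (scandir($resolved) as $entry) {
        if ($entry === '.' || $entry === '..') {
            continue;
        }
        $path = $resolved . DIRECTORY_SEPARATOR . $entry;
        if (is_link($path) || !is_file($path)) {
            return false;
        }
        unlink($path);
    }
    return rmdir($resolved);
}

// Constructed demo: a temporary base directory holding one image subdirectory.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'gfx' . bin2hex(random_bytes(4));
mkdir($base . DIRECTORY_SEPARATOR . 'rec42', 0700, true);
touch($base . DIRECTORY_SEPARATOR . 'rec42' . DIRECTORY_SEPARATOR . 'a.jpg');
var_dump(remove_image_subdir($base, '../rec42')); // name containing path characters
var_dump(remove_image_subdir($base, 'rec42'));    // plain alphanumeric name
rmdir($base);
```

A value decoded from a base64 URL parameter is still user input, so the same checks apply to whatever name it maps to.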