[nycphp-talk] Bullet proofing "rmdir" command
Analysis & Solutions
danielc at analysisandsolutions.com
Tue Aug 12 11:11:13 EDT 2003
Hey Jeff:
On Tue, Aug 12, 2003 at 10:28:57AM -0400, Jeff wrote:
> Just to expand a bit, I use a constant for the full path:
If you're using a constant for the path, then all you need to do is make
sure the user input subdirectory name matches an expected pattern. So,
for example, check to see that $sSubDir has only letters and numbers in
it. This keeps a jerk from putting in dots and/or slashes to move to
undesirable locations. This doesn't obviate the need for is_dir() and
file_exists() checks, though.
I guess one hitch with all of the approaches discussed so far is they seem
to be able to allow one user to delete another user's photos. Thus, you
might want to include some unique user id in the file/directory naming
convention.
... snipitty, snip, snip, because friends don't let friends waste
disk space or bandwidth...
--Dan
--
FREE scripts that make web and database programming easier
http://www.analysisandsolutions.com/software/
T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y
4015 7th Ave #4AJ, Brooklyn NY v: 718-854-0335 f: 718-854-0409
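The checks Dan describes (a letters-and-numbers-only subdirectory name, a constant base path, is_dir()/file_exists() checks, and a user id baked into the directory name), pulled together as an added example that is not code from the original thread. It assumes a constant PHOTO_ROOT for the full base path and a $userId the caller has already authenticated; the realpath() containment check goes one step beyond the post as an extra safety net.

```php
<?php
// Added example, not from the original post. Assumes PHOTO_ROOT holds the
// full base path (the "constant for the full path" in the thread) and that
// $userId comes from the authenticated session, never from the request.
define('PHOTO_ROOT', '/var/www/photos');

/**
 * Remove a user's (empty) photo subdirectory.
 * Returns true on success; false if any check fails, in which case nothing
 * on disk is touched.
 */
function deleteUserPhotoDir(int $userId, string $sSubDir): bool
{
    // 1. Allow only letters and numbers, so '.', '/', '\' or a NUL byte can
    //    never steer the path out of PHOTO_ROOT.
    if (!preg_match('/^[A-Za-z0-9]+$/', $sSubDir)) {
        return false;
    }

    // 2. Build the name from the owner's id, so user 17 cannot name a
    //    directory that belongs to user 42.
    $dir = PHOTO_ROOT . '/' . $userId . '_' . $sSubDir;

    // 3. The pattern check does not replace the existence checks: the target
    //    must exist and be a real directory, not a file or a symlink.
    if (!file_exists($dir) || is_link($dir) || !is_dir($dir)) {
        return false;
    }

    // 4. Belt and braces (beyond the thread): the resolved path must still
    //    sit underneath PHOTO_ROOT after symlinks are followed.
    $real = realpath($dir);
    if ($real === false || strpos($real, PHOTO_ROOT . '/') !== 0) {
        return false;
    }

    // rmdir() only removes empty directories, so a directory that still
    // holds photos simply fails here rather than being wiped.
    return rmdir($real);
}

// Constructed calls showing the checks in action:
var_dump(deleteUserPhotoDir(42, '../../etc'));   // bool(false): rejected by the pattern
var_dump(deleteUserPhotoDir(42, 'summer2003'));  // true only if /var/www/photos/42_summer2003 is an empty directory
```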