|
|
Posted by techusky on 08/06/07 19:59
On Aug 6, 12:53 pm, Evan Charlton <e...@evancharlton.com> wrote:
> techu...@gmail.com wrote:
>
> > Now, I realize this is NOT a secure directory listing, because someone
> > could simply append "/.." to the url and keep moving up directories
> > even if they are out of the realm of the web server. Is there an
> > *easy* way to "lock" this script from going up a directory from where
> > the script is stored? In other words, I want users to be able to
> > navigate DOWN in whatever directories may exist, but not UP *past* the
> > directory in which the script is located.
>
> A simple way to check would be to replace any "." (and associated HTML
> codes so it can't be 'fooled') in the URL before parsing so that they
> have no effect. I believe this would be secure; anyone see any holes in
> the logic?
>
> - Evan Charlton
I discovered the "stristr()" function, and it seems to do the trick.
So here is what I have that seems to work great:
// Do not allow the use of ?nav=..
$badKarma = '..';
if (stristr($nav, $badKarma))
{
echo 'May you receive bad karma for trying to go where you should
not.';
break;
}
[Back to original message]
|