Home/ Questions/Q 5935635
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-22T15:16:58+00:00

Hi We have some php code using the file_get_contents() function, and I understand this

  • 0

Hi
We have some php code using the file_get_contents() function, and I understand this is vulnerable to direcoty traversel attacks. Given the following code:

$mydata=$_GET['thefile'];
$data = file_get_contents ('/var/html'.$file);
echo $data

How can I do some simple input filtering so I can block the posibility that someone might do directory traversel by playing around with my input?

/MR

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You want basename:

    $mydata = basename(realpath($_GET['thefile']));

    Appended to (slight modifications of) your example:

    $file=$_GET['thefile']; 
$mypath='/var/www/';
$location= basename(realpath($mypath.$file));
$data = file_get_contents($location);
echo $data;

    Note… although this does some level of error checking, it does no error handling. I’ll leave that up to you.

    • 0