I am making a basic PHP source viewer for my blog’s example code folder.
<?php
// Serve a file from this script's directory as plain text when ?file= is given.
if (isset($_GET['file']))
{
    header('Content-type: text/plain');
    // Canonicalise the requested path: resolves ".", ".." and symlinks,
    // and returns false if the path does not exist.
    $filename = realpath($_GET['file']);
    // Only serve paths whose canonical form begins with this script's directory.
    if (startsWith($filename, dirname(__FILE__)))
    {
        echo file_get_contents($filename);
    }
}
// Plain string-prefix test used for the containment check above.
function startsWith($haystack, $needle)
{
    $length = strlen($needle);
    return (substr($haystack, 0, $length) === $needle);
}
?>
Is what I have here sufficient to guarantee that it will never allow a file outside the directory this script is located in, or one of that directory's subdirectories, to be viewed? I'm guessing there's a better solution than startsWith too, for checking whether a path is a descendant of a particular directory?
It's going to be safe, yes. The realpath part is what you have to do, and you are doing it. This code does what it's supposed to just fine.
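The question also asks whether there is a better containment check than a bare startsWith. The following is an added example, not code from the question or the answer: it keeps realpath() as the canonicalisation step but compares against the base directory with a trailing separator appended, so that a sibling directory whose name merely begins with the base directory's name (for example examples-private next to examples) is not accepted. The helper names resolve_inside_dir and naive_starts_with are my own, the temporary directories it creates stand in for dirname(__FILE__) and its neighbour, and the fixture files are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

/**
 * Canonicalise $candidate and return it only if it is a regular file located
 * strictly below $baseDir; return null otherwise.
 */
function resolve_inside_dir(string $baseDir, string $candidate): ?string
{
    $base = realpath($baseDir);
    $path = realpath($candidate);
    // realpath() returns false for non-existent paths; treat that as a deny
    // rather than letting a false value flow into string comparisons.
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // Terminate the base with a separator so "/srv/examples" cannot match
    // "/srv/examples-private/...". realpath() strips a trailing separator,
    // so it is added back here (the root directory stays "/").
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

/** The bare prefix test from the question, kept for side-by-side comparison. */
function naive_starts_with(string $haystack, string $needle): bool
{
    return substr($haystack, 0, strlen($needle)) === $needle;
}

/**
 * Build a constructed fixture (two sibling directories sharing a name prefix,
 * one file each), run both checks over three requests and return the verdicts.
 */
function demo(): array
{
    // realpath() on the temp dir avoids a symlinked /tmp confusing the prefixes.
    $root   = realpath(sys_get_temp_dir()) . DIRECTORY_SEPARATOR . 'srcview_' . bin2hex(random_bytes(4));
    $public = $root . DIRECTORY_SEPARATOR . 'examples';          // plays the role of dirname(__FILE__)
    $secret = $root . DIRECTORY_SEPARATOR . 'examples-private';  // sibling that must stay hidden
    mkdir($public, 0700, true);
    mkdir($secret, 0700, true);
    file_put_contents($public . '/hello.php', "<?php echo 'hi';\n");
    file_put_contents($secret . '/config.php', "<?php \$db_password = 'not-for-you';\n");

    // Constructed ?file= values, already joined to the script directory.
    $requests = [
        'hello.php'                      => $public . '/hello.php',
        '../examples-private/config.php' => $public . '/../examples-private/config.php',
        'missing.php'                    => $public . '/missing.php',
    ];

    $verdicts = [];
    foreach ($requests as $label => $requested) {
        $canonical = realpath($requested);
        $naiveOk   = $canonical !== false && naive_starts_with($canonical, $public);
        $strictOk  = resolve_inside_dir($public, $requested) !== null;
        $verdicts[$label] = ['naive' => $naiveOk, 'strict' => $strictOk];
    }

    // Remove the fixture.
    unlink($public . '/hello.php');
    unlink($secret . '/config.php');
    rmdir($public);
    rmdir($secret);
    rmdir($root);

    return $verdicts;
}

foreach (demo() as $label => $v) {
    printf("%-32s naive=%s strict=%s\n", $label,
        $v['naive'] ? 'ALLOW' : 'deny',
        $v['strict'] ? 'ALLOW' : 'deny');
}
```

Run with the PHP CLI: hello.php is allowed by both checks, missing.php is denied by both, and ../examples-private/config.php is allowed by the bare prefix test but denied once the separator is part of the prefix. In the viewer itself the two lines that compute and test $filename would become a single call, $filename = resolve_inside_dir(__DIR__, $_GET['file']), followed by echoing the file only when the result is not null.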