Home/ Questions/Q 7672441
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-31T16:17:10+00:00

I have a code like this: $myvar=$_GET[‘var’]; // a bunch of code without any

  • 0

I have a code like this:

$myvar=$_GET['var'];

// a bunch of code without any connection to DB where $myvar is used like this:

$local_directory=dirname(__FILE__).'/images/'.$myvar;
if ($myvar && $handle = opendir($local_directory)) {
    $i=0; 
    while (false !== ($entry = readdir($handle))) {
        if(strstr($entry, 'sample_'.$language.'-'.$type)) {
            $result[$i]=$entry;
            $i++;
        }
    } 
    closedir($handle);
} else {
    echo 'error';
}

I’m a little confused with a number of stripping and escaping functions, so the question is, what do i need to do with $myvar for this code to be safe? In my case i don’t make any database connections.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You are trying to prevent directory traversal attacks, so you don’t want the person putting in ./../../../ or something, hoping to read out files or filenames, depending on what you are doing.

    I often using something like this:

    $myvar =  preg_replace("/[^a-zA-Z0-9-]/","",$_GET['var']);

    This replaces anything that isn’t a-zA-Z0-9- with a blank, so if the variable contains say, *, this code would delete that.

    I then change the a-zA-Z0-9- to match which characters I want to be allowed in the string. I can then lock it down to only containing numbers or whatever I need.

    • 0