I have a PHP page that accepts input from a form post, but instead of directing that input to a database it is being used to retrieve a file from the file system. What is a good method for escaping a string destined for the file system rather then a database? Is mysql_real_escape_string() appropriate?
If you’re using user-provided input to specify a filename/directory, you’ll have to make sure that the provided filename/path isn’t trying to break “out” of your site’s playground.
e.g. having something like
will send out ANYTHING on your server that the attacker knows the path for. Even something like
accomplishes the same, if the user specifies enough ‘../../../’ to get to whatever file they want.
mysql_real_escape_string() is NOT appropriate for this, as you’re not doing a database operation. Use appropriate tools for appropriate jobs. In a goofy way, m_r_e_s() is a banana, and you need a giraffe. Something like
would be relatively safe as basename() will extract only the filename portion of the user-provided file, so even if they pass in
../../../../../etc/passwd, basename will return only passwd.
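As an added illustration of the basename() approach described in this answer (example code, not the answerer's own; the `public_files` directory and the `resolve_user_file` helper are assumptions), with a realpath() containment check layered on top:

```php
<?php
// Added example: serve a user-requested file only from one fixed directory.
// FILES_DIR is an assumed allow-listed location, not a path from the page.
declare(strict_types=1);

const FILES_DIR = __DIR__ . '/public_files';

/**
 * Resolve a user-supplied name to a file inside FILES_DIR, or return null.
 * basename() strips every directory component ("../../etc/passwd" -> "passwd"),
 * and realpath() confirms the resolved path still lives under FILES_DIR.
 */
function resolve_user_file(string $userInput): ?string
{
    $name = basename($userInput);

    // basename('..') is still '..', so reject dot-only and empty names explicitly.
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }

    // Optional tightening: accept only a conservative character set.
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $name)) {
        return null;
    }

    $base = realpath(FILES_DIR);
    $path = realpath(FILES_DIR . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null; // directory missing, file absent, or not a regular file
    }

    // Defence in depth: realpath() follows symlinks, so verify the prefix too.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }

    return $path;
}

// Constructed sample inputs showing what survives basename() and the checks.
foreach (['report.pdf', '../../../../../etc/passwd', '..', 'a/b/../c.txt'] as $input) {
    printf("%-28s -> %s\n", $input, resolve_user_file($input) ?? 'rejected');
}
```

The traversal input collapses to `passwd`, which is then only served if a regular file of that name exists inside `public_files`; anything that fails the checks is rejected rather than passed to the file system.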