I have a php script in a folder (I call it the root folder). The script can basically list all files in subfolders of this root folder. The user can specify which subfolder should be displayed by using GET-parameters.
script.php?foo
would display the content of
<root folder>/foo/
and
script.php?.bar
would display the content of
<root folder>/.bar/
However, users could also “cheat” and use commands like /.. to display the content of folders they shouldn’t be able to see.
For example with
script.php?/../..
the users could get very high in the folder hierarchy.
Do you have an idea how to prevent users from doing “cheats” like this?
For the sake of simplicity, let’s say the GET-parameter is stored in $searchStatement.
You could use realpath to resolve the relative path to an absolute one and then check if that path begins with your “root” folder’s path:
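The check described in the answer, written out as an added PHP example (this is not code from the question or the answer). It assumes the root folder is the directory containing the script and that the raw query string is the requested subfolder name, as in script.php?foo; the function name resolveSubfolder is a hypothetical name chosen for the example.

```php
<?php
// Added example: resolve the requested subfolder with realpath() and reject
// anything whose canonical path is not inside the root folder.
// Assumptions: root = directory of this script; subfolder = raw query string.

declare(strict_types=1);

/**
 * Return the canonical absolute path of $searchStatement inside $root,
 * or null if the request does not resolve to a directory within $root.
 */
function resolveSubfolder(string $root, string $searchStatement): ?string
{
    // Canonical root. realpath() resolves "..", "." and symlinks.
    $rootReal = realpath($root);
    if ($rootReal === false) {
        return null;
    }
    // Compare against the root *with* a trailing separator, otherwise a
    // sibling such as "/srv/root-evil" would pass a prefix check for "/srv/root".
    $rootPrefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // NUL bytes truncate paths in the underlying C calls; reject them outright.
    if (strpos($searchStatement, "\0") !== false) {
        return null;
    }

    // Resolve the requested path relative to the root.
    // realpath() returns false if the path does not exist.
    $target = realpath($rootReal . DIRECTORY_SEPARATOR . $searchStatement);
    if ($target === false || !is_dir($target)) {
        return null;
    }

    // Allow the root itself (empty parameter) or any directory whose
    // canonical path starts with the root prefix; everything else escaped.
    if ($target !== $rootReal
        && strncmp($target, $rootPrefix, strlen($rootPrefix)) !== 0) {
        return null;
    }
    return $target;
}

// script.php?foo  ->  QUERY_STRING is "foo"; decode %XX escapes the browser added.
$searchStatement = rawurldecode($_SERVER['QUERY_STRING'] ?? '');

$dir = resolveSubfolder(__DIR__, $searchStatement);
if ($dir === null) {
    http_response_code(403);
    exit('Invalid folder');
}

// List the directory, HTML-escaping each entry name for output.
foreach (scandir($dir) as $entry) {
    if ($entry === '.' || $entry === '..') {
        continue;
    }
    echo htmlspecialchars($entry, ENT_QUOTES, 'UTF-8'), "<br>\n";
}
```

Two details are easy to get wrong with this approach. The prefix comparison must include the trailing directory separator, or a folder named like the root plus a suffix (root-evil next to root) is accepted. And because realpath() follows symlinks, a symlink inside the root that points outside it resolves to its real location and is rejected, which is usually what you want; if the symlink target is meant to be browsable, the check has to be done on the logical path instead.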