* Thus wrote Jack:
> 
> What I want to do is have a file (like get.php) which will read the file on
> the drive, and then transfer it through to the client on the browser. (ie:
> get.php?file=/atcommand.txt )
> 
> Is there a simple way to do this while reducing security concerns? (Ie:
> reading ../../../../../etc/passwd )

This will do the trick:

  http://php.net/realpath


$file = $_GET['file'];         /* ../../../etc/passwd */

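/* make sure it's absolute. */
if ($file === '' || $file[0] != '/') {
  $file = '/' . $file;         /* /../../../etc/passwd */
}

/* realpath() returns false if the path does not exist on disk */
$file = realpath($file);       /* /etc/passwd */
if ($file === false) {
  exit('File not found');
}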

/* just to be safe make it relative */
$file = substr($file, 1);      /* etc/passwd */


/* and prefix your ftp path: */
$thefile = '/path/to/ftp/root/' . $file;


Curt
-- 
Quoth the Raven, "Nevermore."
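
An added example, not part of the original post: a containment check that canonicalises the FTP root and the requested name together with realpath(), then confirms the result is still inside the root, so `..` segments, symlinks and missing files are all rejected. The helper name resolve_under_root() and the temporary directory layout are assumptions made for the demonstration.

```php
<?php
// Added example, not from the original post.
// resolve_under_root() is a hypothetical helper name.

/** Map a user-supplied name to a real file under $root, or return null. */
function resolve_under_root(string $root, string $requested): ?string
{
    $rootReal = realpath($root);
    if ($rootReal === false || strpos($requested, "\0") !== false) {
        return null;                      // bad root, or NUL byte in the name
    }
    // Canonicalise root + request together so "..", "." and symlinks
    // are resolved before the containment check.
    $full = realpath($rootReal . DIRECTORY_SEPARATOR . ltrim($requested, '/\\'));
    if ($full === false || !is_file($full)) {
        return null;                      // missing, or not a regular file
    }
    // Trailing separator stops /x/ftp from matching /x/ftp-private.
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;                      // resolved outside the root
    }
    return $full;
}

// Constructed sample tree in the temp directory so the script runs offline.
$base = sys_get_temp_dir() . '/getphp_demo_' . getmypid();
mkdir("$base/ftp", 0700, true);
mkdir("$base/ftp-private", 0700, true);
file_put_contents("$base/ftp/atcommand.txt", "hello\n");
file_put_contents("$base/ftp-private/secret.txt", "secret\n");

$cases = [
    '/atcommand.txt',               // served
    'atcommand.txt',                // served
    '../../../../../etc/passwd',    // rejected: resolves outside the root
    '../ftp-private/secret.txt',    // rejected: sibling dir sharing a prefix
    '/missing.txt',                 // rejected: realpath() returns false
    '',                             // rejected: resolves to the root directory
];
foreach ($cases as $req) {
    $path = resolve_under_root("$base/ftp", $req);
    printf("%-30s => %s\n", var_export($req, true),
        $path === null ? 'rejected' : 'served: ' . basename($path));
}
```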
