Restrict PHP scripts from accessing higher directories

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
colin22
Forum Newbie
Posts: 1
Joined: Fri Jul 23, 2010 9:26 am

Restrict PHP scripts from accessing higher directories

Post by colin22 »

I have a folder, lets call it /www/

Within that folder I have a bunch of sub directories

/www/user1/
/www/user2/
/www/user3/
ect..

Users can upload php files to their directory if they want, but there is nothing to stop a script in /www/user1/ from accessing files in /www/user2/

Theoretically, users could modify or delete another users files. I could disable the modify/delete functions, but it not a very good solution. Is there a way to restrict a php script to only accessing files within its own directory or subdirectories?
André D
Forum Commoner
Posts: 55
Joined: Thu Aug 28, 2008 7:03 pm

Re: Restrict PHP scripts from accessing higher directories

Post by André D »

You can use realpath() to make sure the actual path you're working in is what you expect it to be. See this thread: viewtopic.php?f=34&t=116002
User avatar
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Restrict PHP scripts from accessing higher directories

Post by kaisellgren »

Are you establishing a shared hosting server? If so, then take a look at suPHP.
Post Reply