
Guided by this post, Preventing Directory Traversal in PHP but allowing paths, I am trying to prevent directory traversal, but I am experiencing something odd: in the first instance realpath returns a good path.

    $fPath = $path.$parent.'/'.$name;
    // $name (the user input) in this sample is "fff", $parent is an empty string

    // make sure user didn't try to traverse backwards on the basepath
    $basepath = $path;
    $realBase = realpath($basepath);
    echo $realBase."<br/>";
    // gives: /Users/me/Documents/www/gallery/php_sample/uploadedImages

    $userpath = $fPath;
    echo $userpath."<br/>";
    // gives: /Users/me/Documents/www/gallery/php_sample/uploadedImages/fff

    $realUserPath = realpath($userpath);
    echo $realUserPath."<br/>";
    // gives blank (an empty string).

Any ideas on why?

  • realpath() returns FALSE on failure, e.g. **if the file does not exist.** – AbraCadaver Apr 02 '15 at 17:52
  • But... then I must have misunderstood how I am supposed to use it. The whole point is to make sure user is placing the folder that it is trying to create in an allowed place, and not traversing upward in the directory structure. Are you saying I must first create the DIR in the non-allowed place before I can compare the paths to see if it is allowed? – Matt Welander Apr 02 '15 at 20:11
  • This only works if the dir exists. To validate/sanitize the user supplied dir you will need some rules and clean it or reject it. – AbraCadaver Apr 02 '15 at 20:18

1 Answer


Like AbraCadaver said in a comment, "This only works if the dir exists. To validate/sanitize the user supplied dir you will need some rules and clean it or reject it."
