
I've created a file directory system. Here there is a function to make the directories, and I want to prevent users from making directories in ../ (i.e. up one folder), therefore I've created an if statement with strpos to search for it. Here's the code:

<div class="FormElement">
  <form method="post">
    <input type="text" name="newFolder" id="newFolder" class="newFolder"/>
    <input type="submit" value="Create">
  </form>

  <?php
    $uniqueUserPath = $_SESSION['userPath'];
    $folderName = $_POST['newFolder'];
    $makeFolder = $uniqueUserPath . "/" . $folderName;
    // mkdir($uniqueUserPath . "/" . $folderName);

    if (strpos($folderName, "../") == true) {
      echo 'there is a slash.';
    } else {
      mkdir($uniqueUserPath . "/" . $folderName);
      echo 'there isnt a slash';
    }
  ?>
</div>

And if you type "../" in there it still echoes "there isn't a slash" and, more importantly, it will start making the directories in a folder outside of the user's folder.

Any help would be appreciated. Kind regards,

Sean Bright

1 Answer


`strpos($folderName, "../") == true` needs to be `strpos($folderName, "../") !== false`

The reason is that if it finds a match it returns the character index of the match (e.g. 5), which then gets evaluated to true because `5 == true` is true.

It returns boolean `false` if there is no match, so you should be looking for that.

drew010
  • If I wanted to prevent a user from typing in, how would I do that? Or at least to escape the string, of course without the MySQL function. – Abdullah Haider Oct 19 '15 at 20:04
  • Check out [`strip_tags`](http://php.net/strip_tags) for that. It will also strip PHP tags. – drew010 Oct 19 '15 at 20:16
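The following is an added example, not code from the question or the answer. It puts the question's original `==` check next to the answer's `!== false` fix so the difference can be run against sample folder names, and then adds the containment check a defender would want before calling `mkdir()`: the function `safeChildPath()`, the single-segment regex and the temporary user root are assumptions introduced here and are not part of the thread.

```php
<?php
// Added example (not from the question or answer). Shows why the original
// strpos() comparison fails, the answer's corrected comparison, and a
// stricter path-containment check layered on top of it.
declare(strict_types=1);

/**
 * The question's check. It is wrong because strpos() returns the match
 * offset, and a match at the very start of the string returns 0;
 * 0 == true is false, so "../" at position 0 slips straight through.
 */
function originalCheckRejects(string $folderName): bool
{
    return strpos($folderName, "../") == true;
}

/** The answer's fix: strpos() returns false only when there is no match. */
function fixedCheckRejects(string $folderName): bool
{
    return strpos($folderName, "../") !== false;
}

/**
 * Defence in depth (assumption, not from the thread): accept only one path
 * segment made of a small set of safe characters, then confirm the parent
 * of the resolved target is exactly the user's root. Returns the path to
 * create, or null when the name must be rejected.
 */
function safeChildPath(string $userRoot, string $folderName): ?string
{
    // A single segment: no slashes or backslashes of any kind are allowed.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $folderName)) {
        return null;
    }
    // The regex above still admits "." and "..", so reject them explicitly.
    if ($folderName === '.' || $folderName === '..') {
        return null;
    }
    $root = realpath($userRoot);
    if ($root === false) {
        return null; // the user's root must already exist
    }
    $candidate = $root . DIRECTORY_SEPARATOR . $folderName;
    // The candidate's parent must resolve back to the root itself.
    if (realpath(dirname($candidate)) !== $root) {
        return null;
    }
    return $candidate;
}

// Constructed sample inputs for the two comparisons.
$cases = ["../", "../escape", "docs/../../etc", "reports"];
foreach ($cases as $name) {
    printf("%-18s original rejects: %-4s fixed rejects: %s\n",
        var_export($name, true),
        originalCheckRejects($name) ? 'yes' : 'no',
        fixedCheckRejects($name) ? 'yes' : 'no');
}

// Constructed sample user root under the system temp directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo_user_root';
if (!is_dir($root)) {
    mkdir($root, 0700, true);
}
foreach (["reports", "../escape", "a/b", ".."] as $name) {
    $target = safeChildPath($root, $name);
    echo var_export($name, true), ' => ',
        $target === null ? 'rejected' : 'mkdir(' . $target . ')', "\n";
    if ($target !== null && !is_dir($target)) {
        mkdir($target, 0700);
    }
}
```

The first loop is the point the answer makes: `originalCheckRejects()` lets a name that begins with `../` through because the offset is `0`, while the `!== false` form rejects it. The second loop shows why a substring test alone is a thin defence: rather than searching for one bad pattern, `safeChildPath()` allows only a single safe segment and verifies with `realpath()` that the directory about to be created sits directly under the user's own root.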