Greetings, I'm hoping to make my tiny program secure so that potential malicious users cannot view sensitive files on the server.
$path = "/home/gsmcm
Even if you are using realpath, you should still strip all ".." before using it. Otherwise an attacker can read your server's entire directory structure with brute force, e.g. "valid_folder/../../test_if_this_folder_name_exists/valid_folder" - if the application accepts this path, the attacker knows that the folder exists.
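
An added example, not part of the original posts: one way to combine the two checks discussed above, refusing any ".." segment before the filesystem is consulted and then confirming with realpath() that the result is still inside the base directory. The function name `resolve_inside`, the temporary directory layout and the sample inputs are constructed for illustration.

```php
<?php
// Added example: function name, directory layout and inputs are constructed.
// Returns the canonical path, or null for every kind of rejection, so the
// caller can send one uniform error whether or not the target exists.
function resolve_inside(string $baseDir, string $userPath): ?string
{
    // Reject empty input, NUL bytes and POSIX absolute paths outright.
    if ($userPath === '' || strpos($userPath, "\0") !== false || $userPath[0] === '/') {
        return null;
    }
    // Refuse any ".." segment before touching the filesystem, so the answer
    // never depends on what exists outside the base directory.
    foreach (preg_split('#[/\\\\]+#', $userPath) as $segment) {
        if ($segment === '..') {
            return null;
        }
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $userPath);
    if ($base === false || $real === false) {
        return null;
    }
    // Symlinks can still lead outside the base, so keep the containment check.
    $inside = $real === $base || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
    return $inside ? $real : null;
}

// Constructed sandbox: <tmp>/demo_xxxx/public/report.txt and <tmp>/demo_xxxx/private/
$root = sys_get_temp_dir() . '/demo_' . bin2hex(random_bytes(4));
mkdir("$root/public", 0700, true);
mkdir("$root/private", 0700, true);
file_put_contents("$root/public/report.txt", "ok\n");

// The last input resolves back inside public/ only if private/ exists; rejecting
// ".." up front means it is refused either way, the same as the missing directory.
$inputs = ['report.txt', '../private', '../no_such_dir', '../private/../public/report.txt'];
foreach ($inputs as $in) {
    $out = resolve_inside("$root/public", $in);
    printf("%-36s => %s\n", $in, $out === null ? 'rejected' : 'allowed');
}
```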