On Mon, 28 Aug 2006 09:47:02 +0100, Stut wrote: > Micky Hulse wrote: >> I am looking for the most secure/efficient way to compare these two >> strings: >> >> /folder1/folder2/folder3/folder4/ >> /folder1/folder2/folder3/folder4/file.php >> >> Basically I am trying to setup as many security features as possible for >> a simplistic (home-grown/hand-coded) CMS... >> >> This appears to work: >> >> $haystack = '/folder1/folder2/folder3/folder4/someFileName.php'; >> $needle = '/folder1/folder2/folder3/folder4/'; >> if(substr_count($haystack, $needle) === 1) echo "yea"; >> >> Before making changes to "someFileName.php" I want to make sure it is >> within the allowed path ($needle). > > First of all make sure you are sending both strings through realpath > (http://php.net/realpath) to remove any symbolic links and relative > references. Then you can compare the two strings. The way you're doing > it will work but it's probably not very efficient. This is what I use... > > $valid = (strcmp($needle, substr($haystack, 0, strlen($needle))) == 0); > Personally, this seems simpler to me: $valid = (dirname($haystack) == $needle); But the way the above folders are presented, it should become $valid = (dirname($haystack) == rtrim($needle, '/')); less simple already... Possibly, this is not the best solution for some reason I don't know. If so, I would like to know :) Ivo -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
