I have a script that uses $_GET to retrieve directory names and appends it to a URL to retrieve files in a folder outside the webroot.
Here is my current code:
<php
$getdir = $_GET['dir'];
$getdoctype = $_GET['doctype'];
$dir = "/var/www/uploads/$getdir/$getdoctype";
$subdir1 = scandir($dir); /* This function sorts dirs */
$list = array_diff($subdir1,array(".","..","index.php"));
echo "<ol>";
foreach ($list as $file)
{
if (!is_dir($file)) echo "<li><a href='https://example.ca/private/download_files.php?dir=$getdir&doctype=$getdoctype&filename=$file'>$file</a></li>
";
}
echo "</ol>";
?>
I understand that using $_GET is very unsecure in this situation so I want to clean my $_GET variables with a preg_match function. I've been given this function from a user on this board and can't seem to get it to work.
Here is my code with the function:
<?php
$getdir = $_GET['dir'];
$getdoctype = $_GET['doctype'];
// CLEANING GET VARIABLES
if (!preg_match('/^[a-zA-Z0-9]+$/', $getdir) || !preg_match('/^[a-zA-Z0-9]+$/', $getdoctype)) {
die('Bad parameter!');
}
$dir = "/var/www/uploads/$getdir/$getdoctype";
$subdir1 = scandir($dir); /* This function sorts dirs */
$list = array_diff($subdir1,array(".","..","index.php"));
echo "<ol>";
foreach ($list as $file)
{
if (!is_dir($file)) echo "<li><a href='https://example.ca/private/download_files.php?dir=$getdir&doctype=$getdoctype&filename=$file'>$file</a></li>
";
}
echo "</ol>";
?>
The get variables can contain spaces in the directory names. Also %20 is an http escape string that can also be accepted. I just don't want hackers getting into my server.
I will also accept alternatives to $_GET in this implementation if you guys have any.
