I'm doing a simple thingy in PHP and I wonder how I can test if the variable $path contains the following structure: ../
So I'll simply have a ?path=somepath structure in my URL, and if anybody were to enter ../ it would allow him to go one directory up. I know of course that that's not the best solution, however for my little thingy it's enough if I just test the $path variable for a string of "../" in it; if so, die();
I'm not sure what's the best way to test that!
Regards, Matt
To answer your question:
$path = isset($_GET['path']) ? $_GET['path'] : ''; // the value from ?path=...
if (strpos($path, '../') !== false) {
    // looks like someone's trying to hack here - simply
    // do nothing (or send an email notification to yourself
    // to be informed and see how often this happens)
} else {
    // here comes the magic
}
But: you really shouldn't do so. If you want an easy solution, use a switch statement for every possible $path and include the relevant file (or whatever you have to do).
Answer:
Instead of doing that, you could just call realpath()
on it and check if the path it’s supposed to be in is a prefix of that.
Even better, why not keep a whitelist and reject anything not in it?
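The realpath() prefix check from this answer, worked through as an added example (it is not code from the original thread). The directory layout (a pages/ directory next to the script) is an assumption, and the CLI self-check builds a constructed layout in the system temp directory so it runs stand-alone; the web branch shows the same function guarding an include.

```php
<?php
// Added example, not from the original thread. realpath() canonicalises the
// requested path (resolving ../, ./ and symlinks) and the result is accepted
// only if it lies inside the allowed base directory.

function resolveInsideBase(string $baseDir, string $requested)
{
    $base = realpath($baseDir);
    if ($base === false) {
        return false;                       // base directory itself is missing
    }
    if (strpos($requested, "\0") !== false) {
        return false;                       // NUL bytes truncate paths at the C level
    }
    $full = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($full === false) {
        return false;                       // does not exist or cannot be resolved
    }
    // Compare against the base plus a trailing separator, otherwise
    // /var/www/pages would also accept /var/www/pages-private/...
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return false;                       // escaped the base directory
    }
    return $full;
}

if (PHP_SAPI === 'cli') {
    // Stand-alone self-check with a constructed layout (assumed, for the demo):
    //   <tmp>/pages/about.php    allowed
    //   <tmp>/secret.txt         outside the base, must be rejected
    $tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'traversal_demo_' . getmypid();
    mkdir($tmp . '/pages', 0700, true);
    file_put_contents($tmp . '/pages/about.php', "<?php echo 'about';\n");
    file_put_contents($tmp . '/secret.txt', "not for you\n");

    $cases = [
        'about.php'            => true,   // plain file inside pages/
        './about.php'          => true,   // same file via ./
        '../secret.txt'        => false,  // classic traversal
        'sub/../../secret.txt' => false,  // traversal behind a bogus subdirectory
        '/etc/passwd'          => false,  // absolute path is appended to the base and does not exist there
        "about.php\0.txt"      => false,  // NUL byte
        'missing.php'          => false,  // nonexistent file
    ];
    foreach ($cases as $req => $expectAllowed) {
        $allowed = resolveInsideBase($tmp . '/pages', $req) !== false;
        printf("%-24s %s\n", addcslashes($req, "\0"), $allowed === $expectAllowed ? 'ok' : 'MISMATCH');
    }

    unlink($tmp . '/pages/about.php');
    unlink($tmp . '/secret.txt');
    rmdir($tmp . '/pages');
    rmdir($tmp);
} else {
    // Web usage: index.php?path=about.php
    $requested = isset($_GET['path']) ? (string) $_GET['path'] : '';
    $target = resolveInsideBase(__DIR__ . '/pages', $requested);
    if ($target === false) {
        http_response_code(404);
        echo 'Page Not Found!';
    } else {
        include $target;
    }
}
```

Two details matter here: realpath() returns false for a file that does not exist, so the check also rejects names that merely look harmless, and the comparison uses the base with a trailing separator so that a sibling directory sharing the prefix is not accepted. Because realpath() follows symlinks, a link inside pages/ that points outside the base is rejected as well, which is the behaviour you want.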
Answer:
Here's an alternative solution that allows you to customize the URL...
<?php
// Whitelist: URL key => file to include
$arr = array(
    "register" => "register.php",
    "login"    => "userlogin.php",
    "admin"    => "adminlogin.php",
    "etc"      => "otherpage.php",
);
// is_string() guards against ?path[]=... which would make array_key_exists() fail
if ( isset( $_GET['path'] ) && is_string( $_GET['path'] ) ) {
    if ( array_key_exists( $_GET['path'], $arr ) ) {
        //do some stuff...
        include( $arr[$_GET['path']] );
    } else {
        echo 'Page Not Found!';
    }
} else {
    echo 'Required Field Empty!';
}
?>
So calling index.php?path=admin will include the page adminlogin.php...
Answer:
One of the easier ways is to harden your php.ini config, specifically the open_basedir directive. Keep in mind, some CMS systems do actually use ..\ quite a bit in the code, and when there are includes outside the root folder this can create problems (i.e. PEAR modules).
Another method is to use mod_rewrite.
Unless you are using an include file to check each and every URL for injection from $_GET and $_SERVER['request_uri'] variables, you will open doors for this kind of attack. For example, you might protect index.php but not submit.php. This is why hardening php.ini and .htaccess is the preferred method.
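What the open_basedir hardening from this answer actually does, shown as an added example (not code from the original thread). open_basedir is normally set in php.ini or per-vhost (php_admin_value in Apache); here it is tightened at runtime with ini_set(), which PHP permits because the directive may be narrowed but never widened, so the effect can be seen from a single script. The web root is assumed to be the script's own directory, and the paths used as "outside" examples (/etc/passwd, the temp dir) are assumptions for the demo.

```php
<?php
// Added example, not from the original thread: restrict this script to its own
// directory with open_basedir and show which reads succeed.

// Trailing separator: the manual notes the value is treated as a prefix, so
// "/var/www/app" would also permit "/var/www/app-private"; "/var/www/app/" does not.
$webRoot = __DIR__ . DIRECTORY_SEPARATOR;
if (ini_set('open_basedir', $webRoot) === false) {
    fwrite(STDERR, "could not set open_basedir (a stricter value is already in force?)\n");
    exit(1);
}

function tryRead(string $path): string
{
    error_clear_last();
    // @ silences the E_WARNING; error_get_last() tells us why the read failed
    $data = @file_get_contents($path);
    if ($data !== false) {
        return 'allowed (' . strlen($data) . ' bytes)';
    }
    $err = error_get_last();
    if ($err !== null && strpos($err['message'], 'open_basedir') !== false) {
        return 'DENIED by open_basedir';
    }
    return 'failed: ' . ($err['message'] ?? 'unknown error');
}

// A ../ sequence that resolves back inside the root: open_basedir checks the
// resolved path, not the string, so this one is still allowed.
$backInside = __DIR__ . '/../' . basename(__DIR__) . '/' . basename(__FILE__);

$checks = [
    'this script (inside root)'         => __FILE__,
    '../ that resolves back inside'     => $backInside,
    'parent directory (outside root)'   => dirname(__DIR__) . '/anything.txt',
    '/etc/passwd (outside root)'        => '/etc/passwd',
    'temp dir (outside root)'           => sys_get_temp_dir() . '/anything.txt',
];
foreach ($checks as $label => $path) {
    printf("%-34s %s\n", $label, tryRead($path));
}
```

The same restriction applies to include/require, fopen(), file_exists() and the other filesystem functions, which is why it catches a ../ in submit.php as well as in index.php without any per-script check. It is a safety net rather than a substitute for validating $path: a script inside the root can still include the wrong file inside the root, and, as the answer notes, code that legitimately reaches outside the web root (PEAR modules, a shared library directory) has to be added to the open_basedir list or it will break.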
Tags: php