Menu
My PHP script uses $_POST['fileUrl']; to retrieve a file for the user, which I believe poses a security threat because anyone could append "../../" etc to the fileUrl to gain access to other files on my server.
I need to find the best (most secure) way to limit files my script can access to a specific directory. From what I've read setting the open_basedir flag will limit my script's access to the path specified.
script.php
$fileUrl = $_POST['fileUrl'];
$content = chunk_split(base64_encode(file_get_contents($fileUrl)));
.htaccess
php_flag open_basedir "var/www/vhosts/mydomain.com/php_can_only_access_files_in_this_directory/"
Is there a better way to do this? Is this script completely secure from accessing folders outside the open_basedir?
494
asked Dec 20 '25 16:12
If you want to avoid people performing directory traversal attacks by using ../../ in the file name you would be better off calling basename on the user supplied input to strip it down to a filename only.
See https://www.php.net/basename for more details.
It is worth noting that the open_basedir flag only affects functions that check for it, in the past there have been several cases where php functions ignore the open_basedir flag, particularly in extensions such as imagemagick. Hence you should rather rely on secure coding practices and file permissions to restrict access to files.
84
answered Dec 22 '25 10:12
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With