
Scan a folder


Matpatnik


Hi guys, I'm looking for a function that will look through a folder. What I mean by that is it will look at every name of the file in that particular folder. I want to do a scan of all the files in that particular folder and match it with a variable. I want to use something like this to secure a $_GET variable that will include a specific file, and I don't want anyone able to inject stuff in it. Is there a better way of doing that, or am I on the right path? The code can look like this:

include "path/" . $_GET['var'] . ".php";

I think matching the $_GET variable before it goes through that code will make it very secure, isn't it? Thank you for your help


I am not sure about scanning inside a folder. But this will help to filter out unwanted stuff from $_GET or $_POST (these are global arrays).

$pattern = array("abc", "def"); // create an array with allowable patterns
$var = isset($_GET['var']) ? $_GET['var'] : '';
if (in_array($var, $pattern, true)) { // search $pattern for an exact (strict) match of $var
    // do the processing here
} else {
    // unwanted content
}

This code allows only the patterns specified in the array. So XSS attacks can be avoided.


The code sajan posted is secure, but I think it's too secure. With that code you need to make sure that every entry/file is allowed, which makes things complicated when you add new files to the dir. A better way (in my opinion) is to disallow certain entries. Here's a code that I would use (I use variants of it...) (including dir scanning):

// Get the file to look for, and set the dir to look in
$file = isset($_GET['file']) ? $_GET['file'] : '';
$dir = 'path/';
// Files or dirs that are "disallowed"
$banned = array( );
// Remove '..' ("go up", which means that we don't allow it to look in parent dirs etc.)
$file = str_replace( '..', '', $file );
// Uncomment this to disallow subdirs
//$file = str_replace( '/', '', str_replace( '\\', '', $file ) );
// If the dir to look in exists/is a dir.
if (is_dir($dir)) {
    // Open a "handle"
    if ($dh = opendir($dir)) {
        // go thru the contents of the dir (until there's no more files/dirs)
        while (($entry = readdir($dh)) !== false) {
            // Check if the entry is ., .., a hidden file or dir or a banned file/dir
            if (($entry[0] == '.') || (in_array( $entry, $banned ))) {
                // Not allowed..
            // Check if the entry matches
            } else if ($entry == $file) {
                // It's a dir...
                if (is_dir( $dir . $entry )) {
                    // Do something or ignore
                // It's a file
                } else {
                    // Do something
                }
            }
        }
        // Close...
        closedir($dh);
    }
}

Ok, that can perhaps be written better, but you should get the idea...


OK, if I use opendir() and while(array(readdir())), can I use the same code as sajan?

The code sajan posted is secure, but I think it's too secure.
I don't think a website can be too secure unless it restricts your will later on. If I can, I will mix your 2 codes together. :)
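As an added example, not code from any post in this thread: one way to "mix the 2 codes", combining sajan's in_array() whitelist with the directory scan from the later post, so the list of allowed files is built from what is actually in the directory and the $_GET value can only ever select one of those existing files. The directory name pages/, the parameter name var and the function names are assumptions.

```php
<?php
// Added example: whitelist built by scanning the directory, then a strict match.
// Assumes $dir ends with a slash and the page files are pages/<name>.php.

function allowedPages($dir)
{
    $allowed = array();
    $dh = opendir($dir);
    if ($dh === false) {
        return $allowed;
    }
    while (($entry = readdir($dh)) !== false) {
        // skip ., .., hidden entries and anything that is not a regular file
        if ($entry[0] === '.' || !is_file($dir . $entry)) {
            continue;
        }
        if (substr($entry, -4) === '.php') {
            // allow the name without its extension, e.g. "about" for about.php
            $allowed[] = substr($entry, 0, -4);
        }
    }
    closedir($dh);
    return $allowed;
}

// Returns the full path to include, or null when the request is not allowed.
function resolvePage($dir, $name)
{
    // strict in_array(): only an exact string match counts, never "0" == "about"
    if (!is_string($name) || !in_array($name, allowedPages($dir), true)) {
        return null;
    }
    $path = realpath($dir . $name . '.php');
    $base = realpath($dir);
    // second check: the resolved file must still sit inside $dir
    if ($path === false || $base === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$page = resolvePage('pages/', isset($_GET['var']) ? $_GET['var'] : '');
if ($page === null) {
    header('HTTP/1.1 404 Not Found');
    exit('No such page');
}
include $page;
```

Because the whitelist is rebuilt from the directory on every request, adding a new page is just dropping a .php file into pages/; nothing else ever becomes includable.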

OFF-TOPIC (partly due to a misread sentence):

It can actually be too secure; it can be so secure that you can't use it, or it's very hard to use. You know that the most secure computer has these properties: it's placed in a bunker with (~)3 feet armored concrete walls, with no entries, just a small vent and a power connection. No screen, no keyboard, no mouse, no network interface etc. (I think they call it a "blackbox setup", or something like that.) That would be the world's most secure computer, BUT you can't use it, so it's too secure. The same can happen in most other "sections" (buildings, software etc).

If you want to use what sajan proposed, fine, I guess that suits you, but I still think it's too restrictive/secure and will be hard to "administrate". The reason why I think it's overkill: you need to allow every file that's put in the directory (either using a hardcoded array, or via DB). That means that if you have 42+ (!) files in the dir you need 42+ posts in an array or table, and that's not something that is "easily managed"; it gets worse when you get to 100+ and perhaps 1000+.

How I would do it:
I would set up a dir with the files, that either just me is allowed to add files to, and/or be very careful when giving others that permission.
I would use the script that I posted before (or a version of it).
I would perhaps add password protection on access/download.
I would also make sure that the only way to get to those files is via my script.
I would keep a close look on the files in the dir (especially if I allow others to add files).
There are perhaps more things that I would do, but I would use the allow->disallow method instead of disallow->allow.


I have been working on the same problem :) because I am making a web file manager, so I will insert the content of my find.php without the links.

<?php
// find.php: list every file (recursively) whose name contains the search term
function find($dr, $what)
{
    $dir = opendir($dr);
    if ($dir === false) {
        return;
    }
    while (($file = readdir($dir)) !== false) {
        if ($file == ".ftpquota" || $file == "." || $file == "..") {
            continue;
        }
        if (is_dir("$dr/$file")) {
            if (strpos($file, $what) !== false) {
                // escape the name: a file name can contain HTML characters
                echo htmlspecialchars($file) . "<br />\n";
            }
            /* scan in subfolders
               could be made optional with a URL parameter like:
               if (!empty($_GET['subf'])) {
                   find("$dr/$file", $what);
               }
            */
            find("$dr/$file", $what);
        } else {
            // ext is the extension of the file, you could use it later on
            $ext = explode('.', $file);
            $ext = $ext[count($ext) - 1];
            if (strpos($file, $what) !== false) {
                echo htmlspecialchars($file) . "<br />\n";
            }
        }
    }
    closedir($dir);
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Untitled Document</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
</head>
<body bgcolor="#8AA9E5">
<?php
if (!empty($_REQUEST['what'])) {
    find(".", $_REQUEST['what']);
} else {
    // write the search field (the form submits it as "what")
    // if you want to make the subfolder scan you should add a checkbox
?>
<form method="get" action="">
<input name="what" type="text" onfocus="if(this.value=='Enter search terms') this.value=''" value="Enter search terms" />
</form>
<?php
}
?>
</body>
</html>
