I want to use a fopen with a file name given as a variable php

View Original 

$filename = "members-data_" . date('d-m-Y') . ".csv"; 

// Create a file pointer 
$f = fopen('c:\\temp '"' . $filename . '"'', 'w' );

Answer

Solution:

Because a user input is involved you should check that the resulting path is indeed in the desired directory. This is of course to prevent access to not authorized locations using "path" injection.

I use this function:

function is_file_within_dir($relative_file, $expected_dir, $is_new_file = false)
{
    $fullpath = $expected_dir . '/' . $relative_file;
    $base = realpath($expected_dir);
    if ($is_new_file) {
        $fullpath = dirname($fullpath);
    }
    $filename = realpath($fullpath);
    return (!($filename === false || strncmp($filename, $base, strlen($base)) !== 0)) ? $filename : false;
}

Source
© 2021
E-mail: contact@webdevask.com
Back to top