Re: [PHP] Comparing strings... need advice. :)

Mon, 28 Aug 2006 09:30:08 -0700 

On Mon, 2006-08-28 at 09:47 +0100, Stut wrote:
> Micky Hulse wrote:
> > I am looking for the most secure/efficient way to compare these two
> > strings:
> > 
> > /folder1/folder2/folder3/folder4/
> > /folder1/folder2/folder3/folder4/file.php
> > 
> > Basically I am trying to setup as many security features as possible for
> > a simplistic (home-grown/hand-coded) CMS...
> > 
> > This appears to work:
> > 
> > $haystack = '/folder1/folder2/folder3/folder4/someFileName.php';
> > $needle = '/folder1/folder2/folder3/folder4/';
> > if(substr_count($haystack, $needle) === 1) echo "yea";
> > 
> > Before making changes to "someFileName.php" I want to make sure it is
> > within the allowed path ($needle).
> 
> First of all make sure you are sending both strings through realpath
> (http://php.net/realpath) to remove any symbolic links and relative
> references. Then you can compare the two strings. The way you're doing
> it will work but it's probably not very efficient. This is what I use...
> 
> $valid = (strcmp($needle, substr($haystack, 0, strlen($needle))) == 0);

<?php

function isAllowedPath( $needle, $haystack )
{
    $needle   = realpath( $needle ).'/';
    $haystack = realpath( $haystack );

    return (strpos( $haystack, $needle ) === 0);
}

?>

It is VERY important that you append the trailing slash onto the needle
path returned by realpath otherwise it will match more than you expect.
Stut didn't point that out so I thought I'd make sure you caught it.
Also I'm not sure why Stut used 3 function calls when one suffices >:)

Cheers,
Rob.
-- 
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for       |
| creating re-usable components quickly and easily.          |
`------------------------------------------------------------'

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to