file order problem

knolly · #1 (**permalink**) 06-01-09, 04:06 PM

Having the weirdest problem. I'm using this script:

<?php
$g = array_key_exists ('g', $_GET) ?
$_GET['g'] : p1;
$selected = $g;

//Open images directory
$dir = dir($g);

//List files in images directory
while (($file = $dir->read()) !== false)
{
$ext = substr(strrchr($file, '.'), 1);

if ($ext==jpg)echo "<img src=\"$g/" . $file . "\" alt=\"\" />";
}

$dir->close();
?>

Script works fine and when I upload the images to the server myself they display correctly (in numerical order). But when the owner of the site uploads pictures from her computer they display on the site in backwards order! I have tried everything to make sure she's doing things the same way I am but this keeps happening. Ever heard of this before? What could possibly cause it?

Thanks!

=OTS=G-Man · #2 (**permalink**) 06-02-09, 04:58 AM

One thing I can think of that I've always done when displaying a folder list is to read the folder into an array first then sort the array, then loop through the array for displaying. Hope that helps

Also, watch your code, I don't see any protection on your dir() command, someone could pass anything into the 'g' var in the URL and open any directory on your system.

knolly · #3 (**permalink**) 06-02-09, 02:57 PM

oh, thanks for the tip. how would i protect the dir command? and what harm could they do by opening a directory?

thanks!

=OTS=G-Man · #4 (**permalink**) 06-04-09, 03:43 AM

Ive don a check to see if the realpath() is in the area I allow, using something like

stristr(realpath($_GET['folder']), '/var/www/public/') === FALSE)
{
//exit because they are accessing a folder outside my public area
}

the problem with allowing people to browse your drive is they could then view your personal information or view password files by passing in folders like "./../../etc/" that would then allow them to download anything in that folder. using realpath() will turn that ./../../ into a final path statement, in our case /etc on a linux box

knolly · #5 (**permalink**) 06-08-09, 05:11 AM

Wow, ok, that's really good information, thanks! So I'm really new to this, where exactly would that fit into my bit of code?

job0107 · #6 (**permalink**) 06-08-09, 07:34 AM

Quote:

stristr(realpath($_GET['folder']), '/var/www/public/') === FALSE)
{
//exit because they are accessing a folder outside my public area
}

I believe in the above code, $_GET['folder'] would be your $g.
And '/var/www/public/' would be the realpath of your image folder.

And it should fit into your code, something like this:

PHP Code:


			
<?php
$g = array_key_exists ('g', $_GET) ?
$_GET['g'] : p1;
$selected = $g;

$folder = "see code below";
stristr(realpath($g), $folder) === FALSE)
{
    die("<b>You bad boy, you don't have permission to access that folder.</b>");
}

//Open images directory
$dir = dir($g);

//List files in images directory
while (($file = $dir->read()) !== false)
{
$ext = substr(strrchr($file, '.'), 1);

if ($ext==jpg)echo "<img src=\"$g/" . $file . "\" alt=\"\" />";
}


$dir->close();
?>

And to get the correct path for $folder, you can run this code and then put the results in $folder where "images" is the value you would put in $_GET["g"].

PHP Code:


			
<?php
$g = "images";
echo realpath($g);
?>

knolly · #7 (**permalink**) 06-08-09, 04:38 PM

thanks! that's really helpful