[Previous] [TOC] [Next]
Using Relative Paths for File Access
Usually, files are opened (or searched) relative to the path of the document. If you are using PHP as an ISAPI module under Windows, the location of
php5ts.dll may be relevant. To be sure that you are searching to the current scripts' path, you can use a two-step approach:
Determining Directory Name and Filename
$directory = dirname(__FILE__);
$filename = basename(__FILE__);
print "This script is called $filename and resides
To use a relative path, you can now call
dirname(__FILE__) and then attach the relative path, taking into consideration the directory separator character, which is
/ on UNIX/Linux,
\on Windows, and
: on Mac OS X. Usually,
/ works fine on most systems, but you should note the requirements of the system on which you want to host your site.
The sister function to
basename(); this one determines the filename portion of a path.
The listing at the beginning of This uses both
__FILE__ to determine information about the current path: directory and filename. Figure shows the script's output.
Detecting the script's name and its directory.
Avoiding Security Traps with File Access
One very important point: If you are using files with PHP, avoid retrieving the filename from external sources, such as user input or cookies. This might allow users to inject dangerous code in your website or force you to load files you did not want to open. Some so-called security experts had a self-programmed content management system that created uniform resource locators (URLs) like this:
index.php?page=subpage.html. This just loaded the page
subpage.html into some kind of page template and sent this to the browser. But what if the following URL is called:
index.php?page=../../../etc/passwd? With some luck (or bad luck, depending on your point of view), the contents of the file
/etc/passwd are printed out in the browser. This kind of attacka so-called directory traversal attackis quite common on the Web. How-ever, you can avoid becoming a victim in several ways:
If possible, do not use dynamic data in filenames.
If you have to use dynamic data in filenames, use
basename() to determine the actual name of the file, omitting the path information.
open_basedir. This expects a list of directories where PHP may access files. PHP checks the basedir rules whenever a file is opened, and refuses to do so if it isn't in the appropriate path.
include_path to a directory you put all to-be-used files into and set the third parameter to
TRue, using the
[Previous] [TOC] [Next]