<?php // uncomment these to see what happens in different situations. // note that this only handles file security; it DOES NOT stop me from reading your files, or vice-versa. $_GET = ['user' => '__adrian', 'file' => 'foo.txt']; //$_GET = ['user' => '__adrian', 'file' => 'remote-file-inclusion.exe']; //$_GET = ['user' => 'UnicornTek', 'file' => 'filesystems-tutorial.pdf']; //$_GET = ['user' => 'UnicornTek', 'file' => 'bar.txt']; $allowed_files = [ '__adrian' => [ 'foo.txt', 'bar.png' ], 'UnicornTek' => [ 'filesystems-turoial.pdf', 'remote-file-inclusion.exe' ] ]; if (! isset($allowed_files[$_GET['user']]) || ! in_array($_GET['file'], $allowed_files[$_GET['user']])) { throw new Exception("File Not Found: {$_GET['user']}/{$_GET['file']}"); } readfile("/path/to/users/{$_GET['user']}/{$_GET['file']}");
You have javascript disabled. You will not be able to edit any code.