Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

relating a folder and files under it with a logged in user.

Status
Not open for further replies.
rakeshou

rakeshou

Programmer
Aug 15, 2006
17
US
Hi all,

I am working on an online system where when the user logs on to the system a session is created, they view their folders and their uploaded files under a folder.

I am using query strings to display the list of files in a particular folder.

but the problem is, any one can change the query string value and access someone else's folder.

How can i prevent this from happening,
also please let me know what should i when the system checks for the presence of username and password entered by a user in the databse other than creating session....


help of any kind will deeply be appreciated.
 
Sort by date Sort by votes
To answer your folder question:

Limit the characters that can be used in the query string value. Since you didn't show any code, I can assume you used CGI.

Code: 
use CGI;
my $cgi = new CGI;

# get the folder= from query string
my $folder = $cgi->param ('folder');

# don't allow any characters that aren't
# letters, numbers, dots, or spaces.
$folder =~ s/[^A-Za-z0-9\. ]//ig;

If you remote certain characters from the query string value, you eliminate the possibility of seeing folders you're not allowed to see... i.e. in this request:

Code: 
[URL unfurl="true"]http://.../file.cgi?folder=../another_user/folder[/URL]

They're using "../" (up one directory) in the query string to get a level higher than they should and view any other user's folders. They could do the same thing to view any folder on your entire website, and sometimes, any folder on the whole server (even places that aren't public web places, such as operating system files and htpasswd files)

With that code, you allow folder names to have letters, numbers, dots, and spaces, but nothing else. So when they try something clever like "../" it removes the / and foils their attempts to circumvent your server.

This is a simple solution though. You may want /'s to be allowed to allow them to view sub-folders too, so in that case you'd want to limit double dots .. and not allow the value to begin with a /.

< regular expressions tutorial
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

ss_ham
  • Locked
  • Question
in Perl find call looking to exclude folder and ignore duplicate finds.
Replies
2
Views
212
ss_ham
ss_ham
rob54321
  • Locked
  • Question
Perl how to read line from file with interpolation 1
Replies
6
Views
378
rob54321
rob54321
Limbomusic
  • Locked
  • Question
Perl files getting accessed directly
Replies
0
Views
181
Limbomusic
Limbomusic
Dino_1000
  • Locked
  • Question
Use the perl debugger to dump all the data in a string variable
Replies
0
Views
164
Dino_1000
Dino_1000
newbie1238585
  • Locked
  • Question
Perl how to read string in csv file * as wildcard operator
Replies
2
Views
219
mikrom
mikrom

Part and Inventory Search

Sponsor

Back
Top