How can PHP be used to prevent directory traversal attacks when downloading files?

Directory traversal attacks can be prevented in PHP when downloading files by using the basename() function to extract the filename from the provided path. This function removes any directory information and only returns the base name of the file, preventing attackers from accessing files outside of the intended directory.

$filename = basename($_GET[&#039;file&#039;]);
$filepath = &#039;/path/to/files/&#039; . $filename;

if (file_exists($filepath)) {
    header(&#039;Content-Type: application/octet-stream&#039;);
    header(&#039;Content-Disposition: attachment; filename=&quot;&#039; . $filename . &#039;&quot;&#039;);
    readfile($filepath);
} else {
    echo &#039;File not found&#039;;
}

Keywords

PHP directory traversal attacks file download security measures realpath()

How can PHP be used to prevent directory traversal attacks when downloading files?

Keywords

Related Questions