What security considerations should be taken into account when displaying files in a directory with PHP?

When displaying files in a directory with PHP, it is important to consider security implications such as preventing unauthorized access to sensitive files, avoiding directory traversal attacks, and ensuring that only allowed file types are displayed. To address these concerns, it is recommended to store the files outside the web root directory, validate user input to prevent directory traversal, and use MIME type validation to restrict the types of files that can be displayed.

&lt;?php
$directory = &quot;/path/to/files/directory/&quot;;

if (isset($_GET[&#039;file&#039;])) {
    $file = basename($_GET[&#039;file&#039;]);
    $filepath = $directory . $file;

    // Validate file path to prevent directory traversal
    if (strpos($filepath, $directory) === 0 &amp;&amp; file_exists($filepath)) {
        // Check if file type is allowed
        $allowedTypes = [&#039;pdf&#039;, &#039;txt&#039;, &#039;jpg&#039;, &#039;png&#039;];
        $fileExtension = pathinfo($filepath, PATHINFO_EXTENSION);
        
        if (in_array($fileExtension, $allowedTypes)) {
            // Display the file
            header(&#039;Content-Type: &#039; . mime_content_type($filepath));
            readfile($filepath);
            exit;
        }
    }
}

// Handle invalid file or unauthorized access
echo &quot;Invalid file or unauthorized access.&quot;;
?&gt;

Keywords

file permissions directory traversal input validation XSS attacks secure coding practices

What security considerations should be taken into account when displaying files in a directory with PHP?

Keywords

Related Questions