First off let me explain a bit about what this script does. I've got a website that has a database of 60,000 files in 7,000 folders. I need to find a way to have users safely navigate through these folders WITHOUT sending them to the actual files. I've come up with a way to list the folders and correctly set the session to know which folders to be navigating.

My problems are as follows:

1. Alphabetical order... NO clue why the script reads in random order, is there something I can do to fix this?
2. Tables... how would I export the data into a two column table?
3. Second level navigation. After the first folder is chosen, I'm having trouble getting the script to read WHERE to send the second folder choice.
4. Files:
.... a. After my users choose the first folder, then the second folder, they will see a list of files. Instead of linking directly to these files, I want to link them to a page which KNOWS what the file's URL is, but its not a direct download link (download.php?fold=a&art=andrew&file=Some File.ini)
5. As it is, and depending which category the user chooses... its listing up to 500-700 folders... how would I change this so it lists approx 20 at a time then shows all the different page URL's? (Page Number: 1, 2, 3, 4, ect...)
6. How do I prevent Directory Transversal attacks with this script? Playing around I realized I could fool with the URL and ../../../ so I need to know how to secure this script as I have a LARGE amount of sensitive data on my servers... i have 18 domains, all of which are full production websites.

I've gotten the script to work SOMEWHAT so far... but I'm having trouble working those few bugs out. Any assistance at all will be greatly appreciated... even just a nudge in the right direction will help me out quite a bit.

Heres the code:




Good luck!

EDIT # 1

I think I've found a way to bypass my problems...

If I send the user to a second page, rather than checking all the variables and choosing which function to use... I can bypass the check(); function all together.

I'm going to test that and see how it works... but in any event, I STILL need to know why this script isn't working as it should be.

Thanks in advance!


EDIT # 2

About the Directory Transveral... this script uses the opendir() function, and I'm not sure if that is vulnerable? Yes, you can see the FILES that are in the directories... but you can't EXECUTE or OPEN these files due to the command in the pagination URL not being fopen();



am I correct with this?

This post has been edited by pr4y: 11 Oct, 2008 - 01:07 AM

Is there a need to show users the real directory and file names? Personally, if hiding the file structure was that critical, I'd keep everything database-driven. You could create an imaginary folder hierarchy within the database (which the users see), with records pointing to the real files. When the user chooses to download the file "/abc/xyz.txt", you query the database for the real file path and name, and deliver it to them under the false name. That way they never know where the file is stored, or what it's really called.

2¢

Also by useing the database, you can use the "limit" statement in your query and that will be able to get you a set amount of results, you then can create a "page" system that would use some kind of division statement to determin the number of pages, and have the limit be used in a variable so your page number tells the limit what limits to set (ie page two would probaly want to be limit of 21-40 since you alread showed the limit of 20 on page one. Then you can also use this to show alpha order, or other orders if you desire, based on the ORDER BY in your query, all in all, I think you would be much better off by having your files linked from the data base.

But when it comes time for the user to download the file, you have to link to the file and that will show anyone paying attention where this file is.

I had considered using a database driven structure when I first started this project but my only problem is HOW I can import 7000+ folder names and almost 60,000 file names into a DB?

I tried writing a script to just dump a list of all the directories subdirectories and filenames but I never got further than reading the CURRENT FOLDER, or the folder that I set as the readdir();

Thanks for the advice, I think I'm going to reconstruct to database driven fileset... but now my MAJOR problem is how the hell I'm going to get the database structure with almost 70,000 records that I don't have. All I have is the directories and the files... which is why I went with this method in the first place.

This post has been edited by pr4y: 11 Oct, 2008 - 11:07 AM

if I was making this i would start a database table with 3 fields: id, inside of, dir name.

id would be use to manipulate the fields
inside of would be the dir that your dir name is inside of. (unless it's the top dir then use a place marker type name)
and dir name is the name.

then when your current dir is say "one" have your code show all the dirs where the inside of field is "one".

this would also use another db table for the files kind of the same way, but because it's me and I like to keep things seperate, having another field for the file type.

I understand database structure, but my question now is HOW I can import these 70,000+ file names / directories into a MySQL database? I tried writing a script to list all the directories, subdirectories, and files within the sub-d's... but I couldn't get the script to read anything past the current, or declared directory path.

Is there a way I can use PHP to list ALL the files? Without a text list of the files, migrating this project to a database driven site will be impossible, as I have nothing to IMPORT into the database. My directory structure is as follows:

/path/to/tabs/A
/path/to/tabs/B
/path/to/tabs/C
ect...
/path/to/tabs/A/Andrew/
/path/to/tabs/B/Brian/

just as an example... to see the actual directories themselves, go to:

http://files.theguitarpros.net/tabs

(as you can see, some of these folders have up to 700 subfolders... so its not like I can just copy + paste all the names, there is just TOO MANY files to have to work with... my only option at this point is software / script that will export ALL the files, and ALL the folders... seperately.

This post has been edited by pr4y: 11 Oct, 2008 - 12:31 PM

Why aren't you using the scandir and is_dir functions?

try creating your code again and when you get stuck on that part ask for help on that part but like he said, scandir and is_dir will be what you need.

EDIT: just a thought, remember that by doing that much information your code might right past the timeout and then would stop at some point, before finishing. See if you can break it up some, say like after 50 runs print a page with a continue button, however many runs you want. But if you forget about this then you won't know where it stopped, this would be bad and cause you to go looking for it.

This post has been edited by engale: 11 Oct, 2008 - 08:24 PM

Not sure if this is what you looking for but hey worth a shot:


it lists all files an dirs you can click the dirs and it will enter

What's needed is a recursive function that takes every file in a folder and stores its path in a database, then calls itself when it finds a folder.

Edit:
That's about as far as I'm comfortable going with this because I don't want my free advice to compete with some one who could use a little money:
http://www.rentacoder.com/RentACoder/misc/...questId=1024852

This post has been edited by CTphpnwb: 13 Oct, 2008 - 01:55 PM

Someone who could use a little money... a little... $5... for a dude from India... cheap coders ftw

Anyways, These scripts don't seem to be working for me, as every time they time out. I have 5 bucks I can spare, so it will save me the time of countless hours trying to figure out wtf I'm doing wrong.

Thanks for all the help anyways.

This post has been edited by pr4y: 13 Oct, 2008 - 09:00 PM

Yeah, that site is heavily biased in favor of the buyer. It should be buyers that do the bidding, not the coders, but that would take some thought to set up a system. Just counting the time it takes to get a job, a coder is looking at less than minimum wage before they start coding.

If you're confident the script will eventually work, you might try setting the time limit to unlimited:
http://www.php.net/set_time_limit
set_time_limit(0);

Edit: If that doesn't do it for you, I'll place a bid on rentacoder, but I'm not going to underbid anyone.

This post has been edited by CTphpnwb: 14 Oct, 2008 - 09:57 AM