PHP mkdir with form input and security

You need to use $_POST to get the filename.

As has been posted in the comments, you also need to do something with $_POST['filename'] to ensure that the user is not trying to post a relative path to your script and trying to create folders in locations that you don’t intend. At the very least, make sure that the variable doesn’t contain ‘..’. Since you are prepending a path, I don’t think that you have to worry about a direct path to “/”, but you may also want to invalidate inputs with a “/” in them.
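The checks described in the answer above, written out as an added example (not code from the original answer). It assumes PHP 8; the `UPLOAD_BASE` directory and the `create_user_folder()` helper are hypothetical names, and the character allowlist is an extra restriction layered on top of the `..` and `/` checks the answer names.

```php
<?php
declare(strict_types=1);

// Hypothetical base directory; the page does not name the real one.
const UPLOAD_BASE = __DIR__ . '/user_folders';

/**
 * Validate a user-supplied folder name and create it directly under $base.
 * Throws InvalidArgumentException for bad input, RuntimeException on failure.
 */
function create_user_folder(string $base, mixed $input): string
{
    // $_POST values can be arrays (filename[]=x), so check the type first.
    if (!is_string($input) || $input === '') {
        throw new InvalidArgumentException('filename must be a non-empty string');
    }
    // The cases named in the answer: '..' and '/' (plus '\' for Windows hosts).
    if (str_contains($input, '..') || strpbrk($input, '/\\') !== false) {
        throw new InvalidArgumentException('path separators and ".." are not allowed');
    }
    // Allowlist: a single path segment of plain characters, 1 to 64 long.
    // This also rejects NUL bytes, whitespace and control characters.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9_.-]{0,63}\z/', $input)) {
        throw new InvalidArgumentException('unsupported characters in folder name');
    }
    $realBase = realpath($base);
    if ($realBase === false || !is_dir($realBase)) {
        throw new RuntimeException('base directory does not exist');
    }
    $target = $realBase . DIRECTORY_SEPARATOR . $input;
    // Non-recursive mkdir: at most one level is created below the base.
    if (file_exists($target) || !mkdir($target, 0750, false)) {
        throw new RuntimeException('could not create folder');
    }
    return $target;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    try {
        $path = create_user_folder(UPLOAD_BASE, $_POST['filename'] ?? null);
        echo 'Created ', htmlspecialchars(basename($path), ENT_QUOTES, 'UTF-8');
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo 'Invalid folder name';
    } catch (RuntimeException $e) {
        http_response_code(500);
        echo 'Could not create folder';
    }
}
```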
