Chad Walstrom writes:
> Can you build a dictionary list corresponding to the filenames so that
> the visible URL that people see is something like
> "http://domain.tld/location/FISH4310PREL2Q0OU", or submit the form
> variable as the hash. Then find the file based on the hash...?

That's not a great method, because you then need to store a list of all the hashes and their corresponding values. Unless you aren't using a secure hash, in which case you are relying on security through obscurity.

What you want to do here is authenticate the filename passed. In other words, you want to make sure that you generated the filename and it has not been tampered with.

To do this, use a secure hash function such as MD5 or SHA1. Pick a random string to use as a key. Prepend this key to your filename and generate a hash for the string. Include both the filename and the hash as variables.

To determine if a passed filename is trusted, perform the same procedure as above and compare the generated hash to the passed hash. If they match, it means the filename can be trusted.

I actually wouldn't use this method here. In fact, it looks like the OP should be using SSI instead of PHP. But at any rate, he is violating a fundamental programming rule, especially for web applications:

NEVER TRUST USER INPUT

In his case, a simple basename() call would have prevented the problem.

--
David Phillips <david at acz.org>
http://david.acz.org/

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
http://www.mn-linux.org tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list
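
The filename-authentication scheme described in the message above, as an added example that is not part of the original post. It swaps in HMAC-SHA256 (PHP's hash_hmac) for the key-prepended MD5/SHA1 hash the message describes, and applies basename() as well; the key, the filenames and the view.php path are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: in a real deployment the key is generated once (for example
// with random_bytes(32)) and kept server-side. It is fixed here only so the
// example is repeatable.
const SECRET_KEY = 'constructed-demo-key-do-not-reuse';

// Compute the tag for a filename when the link is generated.
function sign_filename(string $name): string
{
    return hash_hmac('sha256', $name, SECRET_KEY);
}

// Build the link carrying both variables (view.php is a hypothetical script).
function build_link(string $name): string
{
    return '/location/view.php?' . http_build_query([
        'file' => $name,
        'sig'  => sign_filename($name),
    ]);
}

// Return a usable filename, or null if the tag does not match.
function verify_filename(string $name, string $tag): ?string
{
    // Recompute the tag and compare in constant time.
    if (!hash_equals(sign_filename($name), $tag)) {
        return null;
    }
    // Second layer: drop any directory component, as basename() does.
    return basename($name);
}

// Constructed requests: one untouched, two tampered with.
$good  = 'report.txt';
$sig   = sign_filename($good);
$cases = [
    'untouched'    => [$good, $sig],
    'altered name' => ['../private/notes.txt', $sig],
    'altered tag'  => [$good, str_repeat('0', 64)],
];

echo build_link($good), "\n";
foreach ($cases as $label => [$name, $tag]) {
    $result = verify_filename($name, $tag);
    printf("%-13s %s\n", $label, $result === null ? 'rejected' : "accepted: $result");
}
```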