Having FormMail create new directory on server

**Visualeyes** · 20-Mar-2010, 07:36 PM

Hi all

Is it possible to get FormMail to create a new directory in the file repository and name it with the value of '$realname'? It would be easier to search the server if each submission had its contents contained in a named directory.

I am not up to scratch with PHP so I wouldn't know how to code it, but does anyone have any ideas? I read elsewhere on the forum that subdirectories of the file repository constitutes a security risk, so I'm prepared to be told that it's not possible.

Thanks

**russellr** · 21-Mar-2010, 11:13 PM

Hi,

FormMail will only use the $FILE_REPOSITORY setting plus the basename of the uploaded file (or it's renamed value).

So,

PHP Code:


$FILE_REPOSITORY = "/home/you/www/repos";

with a file name of "/a/path/to/abc123.txt", will get stored as "/home/you/www/repos/abc123.txt"

The reason for this is to protect your server.

The main problem we have thought of is someone providing a pathname of "../../filename" - i.e. referencing parent directories.

Imagine, for example, if they could get FormMail to overwrite "../index.html" from "/home/you/www/repos"!

So, the answer is "no".

Of course, if we're really careful we could relax this restriction.

It would mean stripping out or detecting all and any file name hacks (such as "../").

But that's harder to be confident of.

If you really need this, then you can hire us (or someone) to provide a specific version of FormMail for you.