Reliable way of identifying the current directory?

La_Parka

My site is divided into two directories---the root for public content, and http://www.mysite.com/admin/ for administrative functions. Some scripts are used in both directories, and I'd like an easy way to determine whether one is being executed from the admin directory.

At the moment, I do the following:

$adminDir = "./admin/";

// We're in the admin directory, so execute this code
if (strstr($_SERVER['PHP_SELF'], substr($adminDir, 1)))
{
	if ($user['isAdmin'] != 1)
	{
		exit();
	}
}

Is this a reliable method of finding this out? Or is it easily breakable/exploitable?

NogDog

I can't think off-hand how it could be exploited, unless someone created another directory on your site named "admin".

I'd probably use the [man]getcwd/man function, just because it's there:

if(basename(getcwd()) == 'admin')
{
   // we're in the admin directory
}

bradgrafelman

Actually, IIRC, PHP_SELF is under the "don't trust it - the user has access to it" category, and that REQUEST_FILENAME is more secure.

MarkR

I Believe you should be able to do a dirname() on $_SERVER['SCRIPT_FILENAME'] - obviously check this!

Mark