The first thing which comes to mind is: why do you even allow users to create folders?
If anyone finds out what you are doing here and understands the procedure, it's very possible that you can get flooded (suddenly you have thousands of folders here...).
But if this isn't your concern, imho you are facing a very difficult problem here which isn't trivial at all, because you have to do so many checks.
I can give you a start, but be aware this isn't all... if you really set this to a productive state, the only debugging way is the result ;)
Check if the directory you get is a valid one.
For this matter I took the function from here, removed the / and added a . (in this case it will prevent anyone from stepping out of your root directory).
The code below is a snippet, but it should be clear what I intend, and it can easily be extended...
    try
    {
        $strBaseDirectory = FCPATH . 'images/';
        $strUserDirectory = $this->input->get('directory');
        // reject empty input and the blacklisted characters (the '.' keeps "." and ".." segments out)
        if (empty($strUserDirectory) || strpbrk($strUserDirectory, "\\.?%*:|\"<>") !== false) throw new InvalidArgumentException('Invalid directory');
        $strUserDirectory = trim($strUserDirectory, '/');
        $arrPathParts = explode('/', $strUserDirectory);
        if (count($arrPathParts) > 3) throw new InvalidArgumentException('Too many folders...');
        $arrPathParts = array_map(function($item) {
            return trim($item);
        }, $arrPathParts);
        // array_search() returns 0 when the FIRST part is empty, so compare against false, not truthiness
        $key = array_search('', $arrPathParts, true);
        if ($key !== false) throw new InvalidArgumentException('One or more Foldername(s) contain only spaces...');
        // print_r($arrPathParts); // debugging only: any output here would corrupt the JSON response below
        $strUserDirectory = implode('/', $arrPathParts);
        // recursive, so a nested path like a/b/c is created in one call
        $blnDirectoryCreated = mkdir($strBaseDirectory.$strUserDirectory, 0755, true);
        $arrJson = [
            'success' => $blnDirectoryCreated,
            'message' => 'whatever...'
        ];
    }
    catch (Exception $e)
    {
        $arrJson = [
            'success' => false,
            'message' => $e->getMessage()
        ];
    }
    // set_content_type() takes only the MIME type, not the full header line
    $this->output->set_content_type('application/json');
    $this->output->set_output(json_encode($arrJson));
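As an added stand-alone example (not part of the answer above and not CodeIgniter code), the same checks packaged as a validator function, plus a realpath() containment check after mkdir() so the string filtering is not the only thing standing between the user and the rest of the filesystem. The base directory, the allow-list regex, the function names and the sample inputs are my own assumptions for the demo; it runs with plain `php` from the command line.

```php
<?php
// Added example: validate a user-supplied sub-directory path and create it
// safely under a base directory. Mirrors the answer's checks (character
// blacklist, depth limit, no empty segments) and adds an allow-list and a
// realpath() containment check. Names and sample inputs are constructed.

declare(strict_types=1);

/**
 * Validate a relative directory path supplied by a user.
 * Returns the normalised relative path (segments joined with '/') or throws.
 */
function validateUserDirectory(string $userDirectory, int $maxDepth = 3): string
{
    // Reject empty input and the blacklisted characters. The '.' entry is what
    // keeps "." and ".." segments (and hidden-directory names) out.
    if ($userDirectory === '' || strpbrk($userDirectory, "\\.?%*:|\"<>") !== false) {
        throw new InvalidArgumentException('Invalid directory');
    }
    // NUL bytes and control characters are treated specially by filesystem
    // calls, so reject them explicitly as well.
    if (preg_match('/[\x00-\x1F\x7F]/', $userDirectory)) {
        throw new InvalidArgumentException('Invalid directory');
    }

    $parts = array_map('trim', explode('/', trim($userDirectory, '/')));

    if (count($parts) > $maxDepth) {
        throw new InvalidArgumentException('Too many folders');
    }
    // array_search() returns 0 for a match in the first slot, so compare with false.
    if (array_search('', $parts, true) !== false) {
        throw new InvalidArgumentException('One or more folder names are empty or contain only spaces');
    }
    // Conservative allow-list (assumption for this demo) so nothing exotic reaches mkdir().
    foreach ($parts as $part) {
        if (!preg_match('/^[A-Za-z0-9_ -]{1,64}$/', $part)) {
            throw new InvalidArgumentException('Folder name contains unsupported characters');
        }
    }
    return implode('/', $parts);
}

/**
 * Create the directory under $baseDirectory and confirm with realpath() that
 * the result is still inside the base (defence in depth on top of the string checks).
 */
function createUserDirectory(string $baseDirectory, string $userDirectory): string
{
    $relative = validateUserDirectory($userDirectory);
    $base = realpath($baseDirectory);
    if ($base === false) {
        throw new RuntimeException('Base directory does not exist');
    }
    $target = $base . DIRECTORY_SEPARATOR . str_replace('/', DIRECTORY_SEPARATOR, $relative);

    // Recursive mkdir so a nested path is created in one call; tolerate an existing dir.
    if (!is_dir($target) && !mkdir($target, 0755, true)) {
        throw new RuntimeException('Could not create directory');
    }
    $resolved = realpath($target);
    // Containment check: the resolved path must start with "<base><separator>".
    if ($resolved === false || strpos($resolved, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('Directory escapes the base directory');
    }
    return $resolved;
}

// Demo with a throwaway base directory and constructed inputs.
$base = sys_get_temp_dir() . '/images_' . bin2hex(random_bytes(4));
mkdir($base, 0755, true);

$samples = ['albums/2024', '  a / b / c ', '../etc', 'a//b', 'a/b/c/d', 'x.y'];
foreach ($samples as $input) {
    try {
        $path = createUserDirectory($base, $input);
        echo json_encode(['success' => true, 'input' => $input, 'path' => $path]), PHP_EOL;
    } catch (Exception $e) {
        echo json_encode(['success' => false, 'input' => $input, 'message' => $e->getMessage()]), PHP_EOL;
    }
}
```

Of the six constructed inputs only the first two are accepted ('  a / b / c ' is normalised to a/b/c); '../etc' and 'x.y' fail the character check, 'a//b' fails the empty-segment check and 'a/b/c/d' exceeds the depth limit. The realpath() comparison is the part to keep even if you loosen the other rules: it checks the directory that actually exists on disk after symlinks are resolved, rather than the string the user sent.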