Using Relative Paths for File Access

Usually, files are opened (or searched) relative to the path of the document. To be sure that you are searching for the current script’s path, you can use a two-step approach: The constant __FILE__ contains the full path of the current script, and the function dirname() determines the directory name portion of a path.

__FILE__ constant to determine the absolute path of the current script:

 echo __FILE__ ;
 #Prints: D:\xampp\htdocs\example.php

__DIR__ constant to determine the absolute directory path of the current script:

 echo __DIR__ ;
 #Prints:  D:\xampp\htdocs


To use a path taking into consideration the directory separator character, which is / on UNIX/Linux, \ on Windows, and : on Mac OS X. Usually, / works fine on most systems, but you should note the requirements of the system on which you want to host your site.

It is recommended to use the DIRECTORY_SEPARATOR constant which represents the current OS directory (path) separator:

 echo __DIR__ . DIRECTORY_SEPARATOR . 'img.jpg';
 # On my Windows OS: D:\xampp\htdocs\img.jpg
 # On Unixed based OS: /usr/local/htdocs/img.jpg

Using basename() function to retrieve the filename (base name) of the given path:

 //Get the filename portion of a path
 echo basename('/var/myfiles/today.txt');
 #Prints: today.txt
 echo basename(__FILE__);
 //Prints: example.php

Using dirname() function to get the given file’s path:

 //Get path of a file
 echo dirname('/etc/path/file.txt') . '<br>';
 #Prints /etc/path

 echo dirname('css/404.css') . '<br>';
 //Prints: css
 echo dirname('abc.txt') . '<br>';
 # Prints: .

Using realpath() function to resolve paths to canonicalized absolute pathnames:

 echo realpath('.') . '<br>';
 # D:\xampp\htdocs
 echo realpath('abc.txt') . '<br>';
 # D:\xampp\htdocs\abc.txt
 echo realpath('../img/bitnami.ico');
 # D:\xampp\img\bitnami.ico

Using pathinfo() function to get information about a file path:

 $info = pathinfo(__FILE__);

 echo $info['dirname'] . '<br>';
 # D:\xampp\htdocs

 echo $info['basename'] . '<br>';
 # example.php

 echo $info['extension'] . '<br>';
 # php

 echo $info['filename'];
 # example

How to get the file extension with pathinfo()?

The pathinfo($path, PATHINFO_EXTENSION) returns the file extension:

 $path = 'images/dog.jpg';
 echo pathinfo($path, PATHINFO_EXTENSION);
 # jpg 

The pathinfo() function takes two parameters, the first parameter is the filename and the second argument is a constant that tells the function to return only the specific part of the path. This function accepts the following constants as the second parameter:

 $path = '/usr/local/htdocs/abc.txt';

 echo pathinfo($path, PATHINFO_DIRNAME) . '<br>';
 # /usr/local/htdocs

 echo pathinfo($path, PATHINFO_BASENAME) . '<br>';
 # abc.txt

 echo pathinfo($path, PATHINFO_FILENAME) . '<br>';
 # abc
 echo pathinfo($path, PATHINFO_EXTENSION);
 # txt

Securing File Access

If you are using files with PHP, avoid retrieving the filename from external sources, such as user input or cookies. This might allow users to inject dangerous code into your website or force you to load files you did not want to open.

Some coders had a self-programmed content management system that created uniform resource locators (URLs) like this: index.php?page=subpage.html. This just loaded the page subpage.html into some page template and sent this to the browser. But what if the following URL is called: index.php?page=../../../etc/passwd? With some luck (or bad luck, depending on your point of view), the contents of the file /etc/passwd are printed out in the browser.

This kind of attack called directory traversal attack is quite common on the Web. However, you can avoid becoming a victim in several ways:

  • If possible, do not use dynamic data in filenames.
  • If you have to use dynamic data in filenames, use basename() to determine the actual name of the file, omitting the path information.
  • Set the php.ini directive open_basedir. This expects a list of directories where PHP may access files. PHP checks the basedir rules whenever a file is opened, and refuses to do so if it isn’t in the appropriate path.
  • Set include_path to a directory you put all to-be-used files into and set the third parameter to fopen() to True, using the include_path.

Working with Files in PHP: