Ah, but the danger is from "../" or absolute paths, both of which let unsanitized input potentially refer to directories outside (or above, if you prefer) your script's directory. Regarding your loop failure, other than that conditional that I think shouldn't be quite like that, I'm not sure what to tell you. On a slightly-related note, I see that you're using the set-and-test construct:
Code:
if($portfolio = $_GET['portfolio']) {$dir = $mdir . '/' . $portfolio . '/'; } else { $dir = $mdir . '/'; }
That will of course run the else {} code if $_GET['portfolio'] is empty, otherwise it will create the path from the non-empty $_GET['portfolio'] variable; is that what you want?
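An added example, not part of the original post: one way to keep `$_GET['portfolio']` from naming anything outside `$mdir`, covering both the `../` and absolute-path cases raised above. The function name `resolvePortfolioDir()` and the temporary demo directory are hypothetical, and the name allowlist (letters, digits, `_`, `-`) is an assumption about how portfolio folders are named.

```php
<?php
// Added example; resolvePortfolioDir() and the demo tree below are hypothetical.

/** Return the directory to read, or null if the request should be refused. */
function resolvePortfolioDir(string $mdir, $portfolio): ?string
{
    $base = realpath($mdir);
    if ($base === false) {
        return null;                               // base directory is missing
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // Absent or empty parameter: same outcome as the else {} branch in the post.
    if ($portfolio === null || $portfolio === '') {
        return $base;
    }
    // Refuse arrays (?portfolio[]=x) and any name containing '/', '\', '.' or NUL.
    if (!is_string($portfolio) || !preg_match('/\A[A-Za-z0-9_-]+\z/', $portfolio)) {
        return null;
    }
    // realpath() follows symlinks, so a link that points out of $base
    // is caught by the prefix comparison that follows.
    $real = realpath($base . $portfolio);
    if ($real === false || !is_dir($real)) {
        return null;
    }
    $real .= DIRECTORY_SEPARATOR;
    return strncmp($real, $base, strlen($base)) === 0 ? $real : null;
}

// Constructed demo: a temporary tree holding one portfolio directory.
$mdir = sys_get_temp_dir() . '/portfolio_demo_' . getmypid();
@mkdir($mdir . '/weddings', 0700, true);

// Constructed inputs standing in for $_GET['portfolio'].
foreach ([null, 'weddings', '../', '/etc', 'weddings/../..', ['x']] as $input) {
    $dir = resolvePortfolioDir($mdir, $input);
    echo json_encode($input), ' => ', $dir === null ? 'rejected' : $dir, PHP_EOL;
}

rmdir($mdir . '/weddings');
rmdir($mdir);
```

Unlike the set-and-test line, this treats the string "0" as a folder name rather than as empty, and it separates "no parameter" from "bad parameter" so the caller can return an error instead of silently falling back to `$mdir`.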