I used scandir, then printed the directories, then printed the files.
I got this:
The little dots at the top have me freaked out now. I clicked on the ".." one to see what would happen.
Since my file system is designed to let the user click and navigate around, the .. successfully took me up a directory level, and made some rather sensitive security/login information from my php scripts plainly visible.
The offending code is here...
I didn't think I'd need to escape the get variable, so obviously I am opening myself up there...
I have removed the "." and ".." links from appearing, and have made it so that only files with certain extensions will appear, but I am still nervous. There is nothing stopping anyone from putting \.. in the get variable themselves to find out about my file structure (idk if that matters).
Mostly, I am worried that there must be far more harmful things that can be put in there... I feel wide open for insertion, and I don't know what I can do in this case.