One surefire approach is to get a listing of the files in the directory that are valid for download. Then, see if the file requested is in that directory. If not, throw your error.

So, basically you have a list of valid files first, then compare the requested filename to the files in the directory. You will never get a match on '../../etc/passwd' so you would throw your error.

well, that wont do, because I I just plunge the files in the dir and a file is selected randomly in the script :)

well easily fixed with

$file = $_GET['song'];
if (!empty($file)){
$file = str_replace('../', '', $file);
}

a little more help is required though

I have a script on one page which reads a dir and randomly selects a file from the dir and returns the filename

I have an embedded mediaplayer on the same page, like this:

[/www.url.com/binaries/play.php?song=<?...] echo htmlspecialchars($music_arr[$rand_song]);?>

In the play.php script I store the songname in a variable, change the directory to the directory the file is really in (not binaries) and use fopen() to access the file
even though this is all working (fopen() is succesful), the song does not start to play?
I expected it to, but obviously there's an error in my thinking here.

any ideas?

You still have to write the file out to the browser ... fopen merely reads it into your script.

and I do this how exactly?
Thats what I dont get :D

First you send the browser the correct mime-type using header() and then you echo the file contents that you read in back to the browser.

Do I miss something?

$fp = fopen("$new_file", "r+");

where new file is anything you plug in or change

then:
if($fp) do a redirect or offer a link to the $music_file

<Edit>
By "redirect" I mean Header
</edit>