You need to add the relative directory path (../../) to your "if" logic

Also, you should scrub that user-supplied data to be certain there are no malicious characters in the category variable.

I don't know why I didn't think of that. Thanks for the help, and the tip.

The toothpick ../../../../ syndrome has been noted to drive programmers to the brink of insanity on large file systems. :-)

$category =(isset($_POST['category']) and preg_match('/^\w+$/',$_POST['category']))?$_POST['category']:null; 
// Or \d+ if numeric 
if ($category) { 
 $url = "/images/$category"; 
 $path = $_SERVER['DOCUMENT_ROOT'] . $url; 
 // 
 if (!is_dir($path)){ mkdir($path); } 
} 
else { echo "Invalid category"; } 

echo "Server path for moving, writing, deleting is $path, url you would use in output is $url";

Hi all,

One thing has always confused me, and this is a prime example:-

$category = @$_POST['category'];

Why suppress the errors in an instance like this? surely you would prefer it if you knew there was something wrong.. I always avoid doing this just so that I can eradicate anything erroneous from the script. just my opinion there, please enlighten me if I have missed "a day in class" somewhere :)

And yes, I totally echo Rocknbill's thoughts on toothpick syndrome, one method I like to use it this:-

define('SERVER_PATH', dirname(__FILE__). "/"); //current dir..

returns the entire path (define it in the index file in the root of your website ), including the trailing "/", I just think it's handy to put it in a constant, then it's available throughout the scope of your script.

Cheers,
MRb

Thanks for the tips. I will try them out.

@Matthew - I normally do not use the @$_POST, I had just been debugging the code trying to get it to work.

I appreciate the responses from everyone, this forum is always very helpful.