probably down to the server configuration

Are you running your server chroot-ed? There's nothing in my configuration that'd stop the www-data user from accessing stuff outside /var/www (and it has to run like that -- some things shouldn't be in the public webspace, but ought to be accessible to the webserver user).

Four options occur to me:

1. Turn the path given into a fully-qualified path and then check that it's a child directory of the path containing the PHP script. This assumes that I want to allow the illusion of subdirectories.

2. Alternatively, I could use a regex, e.g. to turn slashes into underscores, and then disallow any other directory traversal.

3. Turn the file access into another HTTP access and allow the webserver to deal with it. Not a great idea from a usage point of view.

4. Stuff the content into a database.

I think I'll probably go with option 1 for this website. I want to keep the content in CVS, rather than in a database (the database means I'll need some kind of editing screen as well, which is a pain).
_________________________
-- roger
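Added example, not roger's own code: option 1 from the post written out in PHP, with option 2 beside it for comparison. It assumes the content lives in a "content" directory next to the script and that the page name arrives in a "page" query parameter; both of those are assumptions, not details from the post. Two caveats a practitioner would want are built in: the prefix comparison includes a trailing separator (a bare prefix test would accept /var/www/site2/... when the base is /var/www/site), and realpath() returning false for a missing target is treated as a rejection rather than an error.

```php
<?php
// Added example (not from the original post): canonicalise a user-supplied
// path and confirm it stays beneath the content directory before reading it.
// Assumed layout: content lives under __DIR__ . '/content'; the request
// parameter is ?page=... (both are assumptions for the example).

declare(strict_types=1);

/**
 * Option 1: resolve $requested relative to $baseDir and return the absolute
 * path only if it lies strictly inside $baseDir. Returns null otherwise.
 */
function resolveContentPath(string $baseDir, string $requested): ?string
{
    // A NUL byte would truncate the path in older PHP and throws in PHP 8;
    // reject it up front rather than depending on either behaviour.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses '.', '..' and symlinks. It returns false when the
    // target does not exist, so a missing file is rejected as well.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $full = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($full === false || !is_file($full)) {
        return null;
    }
    // Compare against the base plus a trailing separator. A bare prefix test
    // would accept /var/www/site2/secret when the base is /var/www/site.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $full;
}

/**
 * Option 2: flatten the name instead of resolving it. Anything that is not
 * a letter, digit, dot, underscore or hyphen becomes '_', runs of dots are
 * collapsed and leading dots are dropped, so no separator or '..' survives
 * to name a parent directory (and dotfiles such as .htaccess are unreachable).
 */
function flattenName(string $requested): string
{
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $requested);
    $name = preg_replace('/\.{2,}/', '.', $name);
    return ltrim($name, '.');
}

// Usage: answer a failed check with 404 and do not echo the rejected path,
// so a probing client learns nothing about the filesystem layout.
$base = __DIR__ . '/content';
$page = $_GET['page'] ?? 'index.html';
$path = resolveContentPath($base, $page);
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}
readfile($path);
```

With resolveContentPath() in place, a request such as page=../../etc/passwd resolves to a path outside the base and is refused, while page=docs/intro.html still works if that file exists under content/, which preserves the "illusion of subdirectories" that option 1 is meant to allow.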