Prevent access to files outside a certain directory in PHP

I've found out the hard way that my website can be hacked by passing a query string parameter that has many ../s to access files outside of the website directory, and then hack the website.

Is there a way, perhaps through the php.ini, to not allow file includes outside of a certain root directory?

To make things 开发者_如何学Pythonworse, most of what is running on the server is not my code. The website runs on the CMS Joomla! and the exploit was done through a purchased plugin.

I cannot change the scripts, if it has to come to that, I'll just uninstall the affected plugins.

Yes, PHP has a configuration parameter called open_basedir exactly for that purpose.
(don't forget to add to it at least session_save_path directory)

But! You have to check every passed parameter anyway!

if it's supposed to be just a filename, truncate it using basename() function. if it's supposed to be a directory, you can check it with such a code

$basedir = "/your/app/path/";
$realdir = realpath($basedir.$filename); //$filename is the parameter we checking

if (substr($realdir,0,strlen($basedir)) !== $basedir) {
  header ("HTTP/1.0 403 Forbidden"); 
  exit; 
}