reading files provided via $_GET

Posted by Max on Stack Overflow
Published on 2010-06-08T13:18:30Z

I have a PHP script which takes a relative pathname via $_GET, reads that file and creates a thumbnail of it. I don't want the user to be able to read any file from the server. Only files from a certain directory should be allowed; otherwise the script should exit().

Here is my folder structure:

files/ <-- all files from this folder are public
my_stuff/ <-- this is the folder of my script that reads the files

My script is accessed via mydomain.com/my_stuff/script.php?pathname=files/some.jpg. What should not be allowed, e.g.: mydomain.com/my_stuff/script.php?pathname=files/../db_login.php

So, here is the relevant part of the script in my_stuff folder:

...
$pathname = $_GET['pathname'];
// Resolve the path relative to the parent of my_stuff/ ('..', '.' and symlinks are collapsed)
$pathname = realpath('../' . $_GET['pathname']);

// Reject the request unless the resolved path contains the substring '/files/'
if(strpos($pathname, '/files/') === false) exit('Error');
...

I am not really sure about that approach, it doesn't seem too safe to me. Anyone with a better idea?
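The following is an added example, not the asker's code, of the containment check the question is asking about: instead of testing whether the substring '/files/' appears somewhere in the resolved path, it canonicalises both the allowed directory and the requested file with realpath() and requires the file's canonical path to begin with the allowed directory's canonical path plus a separator. It also handles the case realpath() returning false (non-existent path), which the substring test only rejects by accident. The function name confine_to_dir and the throwaway directory tree built under the system temp dir are constructed for this example; the inputs are in the exact ?pathname= shape the question describes.

```php
<?php
// Added example, not the asker's code: confine a user-supplied relative path to
// one allowed directory by comparing canonical paths, rather than testing
// whether the substring "/files/" occurs somewhere in the resolved path.

/**
 * Resolve $candidate (a path the script has already joined, as the question's
 * '../' . $_GET['pathname'] does) and return its canonical form only if it is
 * a regular file strictly inside $allowedDir; otherwise return null.
 */
function confine_to_dir(string $allowedDir, string $candidate): ?string
{
    // NUL bytes cannot be part of a real path; refuse them before realpath(),
    // which throws a ValueError on them in PHP 8.
    if (strpos($candidate, "\0") !== false) {
        return null;
    }
    // Canonicalise the allowed directory; fail closed if it does not exist.
    $base = realpath($allowedDir);
    if ($base === false) {
        return null;
    }
    // realpath() resolves '.', '..' and symlinks, and returns false for paths
    // that do not exist, which we also treat as "not allowed".
    $target = realpath($candidate);
    if ($target === false) {
        return null;
    }
    // Prefix test with a trailing separator, so "/var/www/files_private/x"
    // is not accepted for an allowed directory of "/var/www/files".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Only serve regular files, never directories.
    return is_file($target) ? $target : null;
}

// Constructed throwaway layout mirroring the question's structure, built under
// the system temp dir so the example runs anywhere without touching a web root.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pathcheck_' . getmypid();
mkdir($root . '/files', 0700, true);
mkdir($root . '/my_stuff', 0700, true);
file_put_contents($root . '/files/some.jpg', 'constructed placeholder content');
file_put_contents($root . '/db_login.php', "<?php // constructed placeholder\n");

// Inputs in the shape the question describes (?pathname=...), each with the
// verdict we expect from the check.
$cases = [
    'files/some.jpg'           => true,   // inside files/: allowed
    'files/../db_login.php'    => false,  // the question's own example: rejected
    'files/../my_stuff/'       => false,  // a directory, and outside files/: rejected
    'files/does_not_exist.jpg' => false,  // realpath() returns false: rejected
];

$allOk = true;
foreach ($cases as $pathname => $expected) {
    // Same join as the script in my_stuff/ performs: '../' relative to that folder.
    $resolved = confine_to_dir($root . '/files', $root . '/my_stuff/../' . $pathname);
    $ok = (($resolved !== null) === $expected);
    $allOk = $allOk && $ok;
    printf("%-27s -> %s %s\n", $pathname, $resolved ?? 'REJECTED', $ok ? '' : '(UNEXPECTED)');
}

// Remove the throwaway tree.
unlink($root . '/files/some.jpg');
unlink($root . '/db_login.php');
rmdir($root . '/files');
rmdir($root . '/my_stuff');
rmdir($root);
exit($allOk ? 0 : 1);
```

Run it with `php example.php`; it prints one line per case and exits non-zero if any verdict differs from the expected one. Two points the substring check in the question misses are visible here: a path that merely contains a directory called files somewhere else on the server would pass `strpos($pathname, '/files/')`, whereas the prefix comparison ties the check to one specific canonical directory; and because realpath() follows symlinks before the comparison, a symlink placed inside files/ that points outside it resolves to its real location and is rejected rather than served.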
