I mean in the null byte string iam testing against the null string, in the backwards error test what? if the submitted param contains slashes and dots?

Apart from that you didnt point to me whats wrong with the if structure that you say its always false.

if the submitted param contains slashes and dots?

You aren't testing against that. You just say 'else' without a test. So if there's no null byte in the param, you assume there's a "*Backwards Directory Traversal*".

--shmem

_($_=" "x(1<<5)."?\n".q·/)Oo.  G°\        /
                              /\_¯/(q    /
----------------------------  \__(m.====·.(_("always off the crowd"))."·
");sub _{s./.($e="'Itrs `mnsgdq Gdbj O`qkdq")=~y/"-y/#-z/;$e.e && print}

You asked why you get backwards error, this is why, because your code is

if ( almost-always-false ) {
  hey null  byte
} else {
  hey backwards error
}
[download]

Yes, but you didnt explain to me why this is almost-always-false as i asked you in response to your first answer

How is it possible a selected submitted valid drop down item to pass this if block? Items in the drop down menu doesnt contain null strings only url hack attempts do.

Please exlain yourself so i can understand.