Reputation: 1953
PHP: How to sanitize uploaded filenames?
I have a PHP application.
I allow users to upload files to my web application.
Question: What's the best way for me to sanitize the file names of the uploaded documents $_FILES["filename"]["tmp_name"] in PHP?
UPDATE:
Can I take an MD5 of the uploaded filename and use that as the newly assigned filename? If so, how do I do that in PHP?
Upvotes: 11
Views: 18333
Answers (6)
Reputation: 885
Ciao, this function also removes all the points and then I create the clean string with the extension.
function sanitaze_upload_file($data)
{
$imgName = $data;
$indexOFF = strrpos($imgName, '.');
$nameFile = substr($imgName, 0,$indexOFF);
$extension = substr($imgName, $indexOFF);
$clean = preg_replace("([^\w\s\d\-_~,;\[\]\(\)])", "",
$nameFile);
$NAMEFILE = str_replace(' ', '', $clean).$extension;
return $NAMEFILE;
}
Upvotes: 1
Reputation: 5416
Instead of sanitizing filenames specified by the user, use any other unique identifier for that photo and store that as the filename. I prefer using user ID's which are numeric and always unique.
move_uploaded_file($_FILES["tmp_name"],"/home/yourname/".$user_id));
You can then fetch the image from any location (say, S3 or even your own server) by just knowing the user's ID. You don't even need a attribute in your database to store image URL's.
Upvotes: 0
Reputation: 44376
To avoid filename collision just check whether given or generated filename doesn't already exists:
do {
// Generate filename, eg.:
$filename = md5(uniqid()) . $fileExtension;
} while (file_exists($filename));
That gives you 100% sure that the filename is unique. Using md5 (or any other hash algorithm) ensures you that the filename is secure - and easy to handle.
Upvotes: 2
Reputation: 12202
I bet that you also store some information about the file in the database. If this is correct, then you can use the primary key (ID) as a filename on your server and preserve the original filename in the database. This gives you greater flexibility, because you can manipulate the metadata without renaming the actual file.
Upvotes: 5
Reputation: 628
If you're not against losing the actual filenames, what I usually do is create a hash of the filename and set the filename to that, if whatever you're developing has loads of pictures being uploaded it helps avoid conflicts where two filenames are named alike and overwrites occur.
hash('md5', $_FILES["filename"]["tmp_name"]);
Upvotes: -2
Reputation: 1719
I would just run a simple regex that replaces any non alphanumeric characters with an underscore (or just remove these character altogether). Make sure you preserve the extension of course.
If you want to go a bit further, you could use magic mime extension to ensure the file is the same format that the extension says it is.
EDIT: To avoid filename collisions in a directory, you could append a md5 of users IP + current time to the filename.
Upvotes: 2
Related Questions
- string sanitizer for filename
- Bash sanitize_file_name function
- Removing spaces and commas from uploaded filename
- PHP File upload security - keeping the original file name
- PHP File uploading - accents and spaces in file names
- Undocumented sanitization in PHP file upload
- 'Normalize' uploaded filenames php
- Which characters should I escape/sanitize for file names?
- Using sanitize_filename() during File Upload in Codeigniter
- Should we sanitize $_FILES['filename']['name']?