PHP: How to sanitize uploaded filenames?

Question

I have a PHP application.

I allow users to upload files to my web application.

Question: What\'s the best way for me to sanitize the file n

Answer 1

I would just run a simple regex that replaces any non alphanumeric characters with an underscore (or just remove these character altogether). Make sure you preserve the extension of course.

If you want to go a bit further, you could use magic mime extension to ensure the file is the same format that the extension says it is.

EDIT: To avoid filename collisions in a directory, you could append a md5 of users IP + current time to the filename.

Answer 2

If you're not against losing the actual filenames, what I usually do is create a hash of the filename and set the filename to that, if whatever you're developing has loads of pictures being uploaded it helps avoid conflicts where two filenames are named alike and overwrites occur.

hash('md5', $_FILES["filename"]["tmp_name"]);

Answer 3

To avoid filename collision just check whether given or generated filename doesn't already exists:

do {
   // Generate filename, eg.:
   $filename = md5(uniqid()) . $fileExtension;
} while (file_exists($filename));

That gives you 100% sure that the filename is unique. Using md5 (or any other hash algorithm) ensures you that the filename is secure - and easy to handle.

Answer 4

Ciao, this function also removes all the points and then I create the clean string with the extension.

function sanitaze_upload_file($data)
{
    $imgName   = $data;
    $indexOFF  = strrpos($imgName, '.');
    $nameFile  = substr($imgName, 0,$indexOFF);
    $extension = substr($imgName, $indexOFF);
    $clean     = preg_replace("([^\w\s\d\-_~,;\[\]\(\)])", "", 
    $nameFile);
    $NAMEFILE  = str_replace(' ', '', $clean).$extension;
    return $NAMEFILE;
}

Answer 5

I bet that you also store some information about the file in the database. If this is correct, then you can use the primary key (ID) as a filename on your server and preserve the original filename in the database. This gives you greater flexibility, because you can manipulate the metadata without renaming the actual file.

Answer 6

Instead of sanitizing filenames specified by the user, use any other unique identifier for that photo and store that as the filename. I prefer using user ID's which are numeric and always unique.

move_uploaded_file($_FILES["tmp_name"],"/home/yourname/".$user_id));

You can then fetch the image from any location (say, S3 or even your own server) by just knowing the user's ID. You don't even need a attribute in your database to store image URL's.