On 9/8/06, afan@xxxxxxxx <afan@xxxxxxxx> wrote:
> I made a simple file uploader and it works fine (at least I thought it works fine). But people uploaded files with such crazy names, like "MOORE's 20% Off.pdf" ?!?!?!?!?

This is why it is so important that you understand how to filter data based on where you are going to use it. You need to ensure the chars used in the name you are using are going to be usable.

> First, it was uploaded with a slash in front of the apostrophe - I fixed that. But, because of the percent sign I can't link it.

This is why you need to generate a unique 'safe' file name to store the file as. If you are referring to a database entry that you keep track of, use the auto generated id with a safe 'name'. A safe name would be any filename that is able to be saved on your file system; the safest you could get is to filter the data with:

  $safe_filename = preg_replace('/[^a-zA-Z0-9]/', '', $unsafe_name);

That will ensure that $safe_filename only has chars with A-Z or 0-9 in it; of course it doesn't address the length limitations of the filename.

As I mentioned earlier, if you are storing this uploaded file into a database, use its auto generated id counter to ensure you don't have name clashes, so you end up with:

  $real_safe_filename = $safe_filename . $auto_generated_atomic_id . '.extension of file';

HTH,

Curt
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
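
The approach described in the reply above, as an added example that is not part of the original message: it applies the same character filter, caps the length, checks the extension against an allow-list, and encodes separately for the URL and HTML contexts. The function name safe_storage_name(), the id 1234, the allow-list and the /files/ path are assumptions made for illustration.

```php
<?php
// Added example, not code from the original thread.
// $id stands in for the database auto-increment id (assumed to exist).

function safe_storage_name(string $unsafeName, int $id, array $allowedExt, int $maxBase = 64): string
{
    // Keep only the last path component; some clients send a full path.
    $unsafeName = basename(str_replace('\\', '/', $unsafeName));

    // Take the extension from the client name and check it against an allow-list.
    $ext = strtolower(pathinfo($unsafeName, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        throw new InvalidArgumentException('extension not allowed');
    }

    // Same filter as in the message: drop everything except letters and digits.
    $base = preg_replace('/[^a-zA-Z0-9]/', '', pathinfo($unsafeName, PATHINFO_FILENAME));

    // Handle the length limit the message mentions, and a name that filters to nothing.
    $base = substr($base, 0, $maxBase);
    if ($base === '') {
        $base = 'file';
    }

    // The '_' keeps "ab1" + id 2 from colliding with "ab" + id 12.
    return $base . '_' . $id . '.' . $ext;
}

// Constructed sample input: the file name from the question.
$original = "MOORE's 20% Off.pdf";
$stored   = safe_storage_name($original, 1234, ['pdf', 'png', 'jpg']);

// Filter per destination: the stored name goes into a URL, the original
// name is only ever displayed, so it is escaped for HTML instead.
$href  = '/files/' . rawurlencode($stored);
$label = htmlspecialchars($original, ENT_QUOTES, 'UTF-8');

echo $stored, "\n";
echo '<a href="', $href, '">', $label, "</a>\n";
```

The original name can be kept in a database column for display; only the generated name touches the file system or the link.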