I know, I know there has to be a better way for this concept, more so because this hack I'm attempting is just failing horribly. So any help would be greatly appreciated. That said, what I am trying to do is take a string which is inadvertently a file name, that gets renamed and moved. That aspect of it works peachy. However, since it's part of an upload process, and there is MySQL involved to the point where I am storing the file name in the DB to call throughout different areas of the site, it's being uploaded through other means though. Anyway, I'm paranoid, and since I am storing the names of the files in the DB I want to remove any potential junk from the file name, for example: < > " ' & * % etc. You'll see what I mean with my little would-be hack below, which shows what I am attempting to do. So if someone could help me out with a better way to do what I'm attempting to do, that would be excellent.

 

	  $new_filename = microtime(true) . getmypid() . $_SESSION['crecsusername'] . "." . $img['extension'];
	  $new_filename = ereg_replace("'", "", $new_filename);
	  $new_filename = ereg_replace('"', "", $new_filename);
	  $new_filename = ereg_replace(' ', "", $new_filename);
	  $new_filename = ereg_replace("[", "", $new_filename);
	  $new_filename = ereg_replace(']', "", $new_filename);
	  $new_filename = ereg_replace("?", "", $new_filename);
	  $new_filename = ereg_replace('<', "", $new_filename);
	  $new_filename = ereg_replace('>', "", $new_filename);
	  $new_filename = ereg_replace('\\', "", $new_filename);
	  $new_filename = ereg_replace('/', "", $new_filename);
	  $new_filename = ereg_replace('@', "", $new_filename);
	  $new_filename = ereg_replace('!', "", $new_filename);
	  $new_filename = ereg_replace('#', "", $new_filename);
	  $new_filename = ereg_replace('$', "", $new_filename);
	  $new_filename = ereg_replace('%', "", $new_filename);
	  $new_filename = ereg_replace('^', "", $new_filename);
	  $new_filename = ereg_replace('&', "", $new_filename);
	  $new_filename = ereg_replace("*", "", $new_filename);
	  $new_filename = ereg_replace("(", "", $new_filename);
	  $new_filename = ereg_replace(')', "", $new_filename);
	  $new_filename = ereg_replace(':', "", $new_filename);
	  $new_filename = ereg_replace(';', "", $new_filename);
	  $new_filename = ereg_replace('{', "", $new_filename);
	  $new_filename = ereg_replace('}', "", $new_filename);
	  $new_filename = ereg_replace("|", "", $new_filename);
	  $new_filename = ereg_replace('~', "", $new_filename);
	  $new_filename = ereg_replace('`', "", $new_filename);
	  $new_filename = ereg_replace(",", "", $new_filename);
	  $new_filename = str_replace('&', "", $new_filename);
	  $new_filename = str_replace('>', "", $new_filename);
	  $new_filename = str_replace('<', "", $new_filename);
	  $new_filename = str_replace('"', "", $new_filename);
	  $new_filename = str_replace(' ', "", $new_filename);

 

The basis of this is also because I have people who use the site who won't know better to change their file names even if I told them to. So I am trying to dumb down the whole process the best I can. I have also noticed a lot of people have [] in their file names and whatnot, or spaces, or whatever, and well, sometimes that just breaks the whole damn script, so I want to remove it for that too.

https://forums.phpfreaks.com/topic/139594-ereg-and-str-replace-issue/

If you want to be this restrictive, use a whitelist rather than a blacklist. That is, state that filenames must only contain alphanumeric characters, plus underscores for example. You can't forget characters you didn't want to allow this way. It's a much easier regex this way too.

Maq, works like a charm..

 

GingerRobot, if you could emphasize the how a bit more for me to gauge an idea to work with, I would be more than happy to look into that, as that sounds more ideal to me, just because I could simply forget something in the array or someone can figure something else out to get around it.


I think he's saying to use regular expressions rather than just an array list.

 

So, is it easier for you to list what you want to keep or what you want to disregard?

 

If it's easier to list what you want to keep, use REGEX, if not use the array, IMO.


Something like this:

 

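$var = 'abc';
// Whitelist: letters, digits and underscore only, at least 3 characters.
// The D modifier stops $ from also matching just before a trailing newline.
if(preg_match("|^[A-Z0-9_]{3,}$|iD",$var)){
    //valid name
}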

 

Which would only allow names that are composed of alphanumeric characters and underscores and are at least 3 characters long.
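
The whitelist idea from the replies, applied to the upload filename in the question, as an added example that is not code from the thread. It assumes PHP 7.1+; the function names and the extension allow-list are hypothetical, and a random prefix stands in for the microtime()/getmypid() prefix because microtime(true) contains a dot that the whitelist would reject.

```php
<?php
// Added example; names and the allow-list are assumptions for illustration.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif'];

/** Keep only whitelisted characters from an untrusted name component. */
function clean_component(string $value, int $maxLen = 32): string
{
    // Drop every byte that is not a letter, digit or underscore.
    $clean = (string) preg_replace('/[^A-Za-z0-9_]/', '', $value);
    return substr($clean, 0, $maxLen);
}

/** Build the stored name; returns null when the input cannot be made safe. */
function build_stored_filename(string $username, string $extension): ?string
{
    // The extension is matched against a fixed list, never "cleaned":
    // stripping characters from an unexpected extension still leaves one.
    $ext = strtolower($extension);
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }
    $user = clean_component($username);
    if (strlen($user) < 3) {
        return null; // too little left after cleaning to be a useful name
    }
    // Server-generated prefix keeps names unique without user input.
    $name = bin2hex(random_bytes(8)) . '_' . $user . '.' . $ext;
    // Final whitelist check on the whole name. \A and \z anchor to the real
    // start and end of the string, so a trailing newline cannot slip through.
    $ok = preg_match('/\A[A-Za-z0-9_]{3,}\.[a-z]{3,4}\z/', $name) === 1;
    return $ok ? $name : null;
}

// Constructed sample inputs: [session username, uploaded extension].
$samples = [
    ["bob's [new] pic", 'JPG'],
    ['<script>', 'png'],
    ['alice', 'php'],
    ["ab\n", 'gif'],
];
foreach ($samples as [$user, $ext]) {
    var_dump(build_stored_filename($user, $ext));
}
```

The cleaned name still goes into MySQL through a prepared statement; the whitelist limits what a filename can contain, it does not replace query parameterization.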
