monkeytooth Posted January 5, 2009

I know, I know there has to be a better way for this concept, more so cause this hack I'm attempting is just failing horribly. So any help would be greatly appreciated.

That said, what I am trying to do is take a string which is inadvertently a file name, that gets renamed and moved. Which that aspect of it works peachy. However since it's part of an upload process, and there is MySQL involved to the point of where I am storing the file name in the DB to call throughout different areas of the site, it's being uploaded through other means though.

Anyway I'm paranoid and since I am storing in the DB the names of the files I want to remove any potential junk from the file name, example: < > " ' & * % etc, you'll see what I mean with my little would-be hack below what I am attempting to do. So if someone could help me out with a better way to do what I'm attempting to do that would be excellent.

    $new_filename = microtime(true) . getmypid() . $_SESSION['crecsusername'] . "." . $img['extension'];
    $new_filename = ereg_replace("'", "", $new_filename);
    $new_filename = ereg_replace('"', "", $new_filename);
    $new_filename = ereg_replace(' ', "", $new_filename);
    $new_filename = ereg_replace("[", "", $new_filename);
    $new_filename = ereg_replace(']', "", $new_filename);
    $new_filename = ereg_replace("?", "", $new_filename);
    $new_filename = ereg_replace('<', "", $new_filename);
    $new_filename = ereg_replace('>', "", $new_filename);
    $new_filename = ereg_replace('\\', "", $new_filename);
    $new_filename = ereg_replace('/', "", $new_filename);
    $new_filename = ereg_replace('@', "", $new_filename);
    $new_filename = ereg_replace('!', "", $new_filename);
    $new_filename = ereg_replace('#', "", $new_filename);
    $new_filename = ereg_replace('$', "", $new_filename);
    $new_filename = ereg_replace('%', "", $new_filename);
    $new_filename = ereg_replace('^', "", $new_filename);
    $new_filename = ereg_replace('&', "", $new_filename);
    $new_filename = ereg_replace("*", "", $new_filename);
    $new_filename = ereg_replace("(", "", $new_filename);
    $new_filename = ereg_replace(')', "", $new_filename);
    $new_filename = ereg_replace(':', "", $new_filename);
    $new_filename = ereg_replace(';', "", $new_filename);
    $new_filename = ereg_replace('{', "", $new_filename);
    $new_filename = ereg_replace('}', "", $new_filename);
    $new_filename = ereg_replace("|", "", $new_filename);
    $new_filename = ereg_replace('~', "", $new_filename);
    $new_filename = ereg_replace('`', "", $new_filename);
    $new_filename = ereg_replace(",", "", $new_filename);
    $new_filename = str_replace('&', "", $new_filename);
    $new_filename = str_replace('>', "", $new_filename);
    $new_filename = str_replace('<', "", $new_filename);
    $new_filename = str_replace('"', "", $new_filename);
    $new_filename = str_replace(' ', "", $new_filename);

The basis of this is also cause I have people who use the site who won't know better to change their file names even if I told them to. So I am trying to dumb down the whole process the best I can, I have also noticed a lot of people have [] in their file names and what not or spaces, or whatever, and well sometimes that just breaks the whole damn script so I want to remove it for that too..

Maq Posted January 5, 2009

Put them all in an array and use str_replace.

    $search=array("'", "\"", " ", "[" ........ );
    $new_filename = str_replace($search, "", $new_filename);

GingerRobot Posted January 5, 2009

If you want to be this restrictive, use a whitelist rather than a blacklist. That is, state that filenames must only contain alphanumeric characters, plus underscores for example. You can't forget characters you didn't want to allow this way. It's a much easier regex this way too.

monkeytooth Posted January 5, 2009 (Author)

Maq, works like a charm..

GingerRobot, if you could emphasize on the how a bit more for me to gauge an idea to work with I would be more than happy to look into that as that sounds more ideal to me.. just cause of the reason I could simply forget something in the array or someone can figure something else out to get around it..

Maq Posted January 5, 2009

> Maq, works like a charm..
>
> GingerRobot, if you could emphasize on the how a bit more for me to gauge an idea to work with I would be more than happy to look into that as that sounds more ideal to me.. just cause of the reason I could simply forget something in the array or someone can figure something else out to get around it..

I think he's saying to use regular expressions rather than just an array list. So, is it easier for you to list what you want to keep or what you want to disregard? If it's easier to list what you want to keep, use REGEX, if not use the array, IMO.

GingerRobot Posted January 6, 2009

> Maq, works like a charm..
>
> GingerRobot, if you could emphasize on the how a bit more for me to gauge an idea to work with I would be more than happy to look into that as that sounds more ideal to me.. just cause of the reason I could simply forget something in the array or someone can figure something else out to get around it..

Something like this:

    $var = 'abc';
    if(preg_match("|^[A-Z0-9_]{3,}$|i",$var)){
        //valid name
    }

Which would only allow names that are composed of alphanumeric characters and underscores and are at least 3 characters long.
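
Added example, not part of the original thread: the whitelist approach discussed above, applied to the file name pieces from the first post. The function names and the list of accepted extensions are assumptions made for illustration; the final check anchors with `\A` and `\z` because `$` also matches just before a trailing newline.

```php
<?php
// Added example (hypothetical helper names), not code from the thread.
// Assumption: the upload types this site accepts.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif'];

// Keep only allowlisted characters; anything else is dropped, including
// characters nobody thought to put on a blacklist.
function keep_allowed(string $part): string
{
    return preg_replace('/[^A-Za-z0-9_]/', '', $part);
}

// Build the stored name from the same pieces the first post uses.
// Returns null when the input cannot satisfy the allowlist.
function build_stored_filename(string $username, string $extension): ?string
{
    $ext = strtolower($extension);
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;                 // reject unknown types, do not repair them
    }
    $user = keep_allowed($username);
    if (strlen($user) < 3) {
        return null;                 // nothing usable left after filtering
    }
    // microtime(true) contains a ".", so the generated prefix is filtered too.
    $prefix = keep_allowed(microtime(true) . getmypid());
    $name = $prefix . '_' . $user . '.' . $ext;
    // Final check on the whole name. \A and \z are the true start and end;
    // "$" would also accept a name followed by a newline.
    $ok = preg_match('/\A[A-Za-z0-9_]{3,}\.[a-z]{3,4}\z/', $name) === 1;
    return $ok ? $name : null;
}

// Constructed sample inputs: [username, extension].
$samples = [
    ['my [holiday] pics', 'JPG'],   // brackets and spaces are dropped
    ["bob<script>'", 'png'],        // markup and quote characters are dropped
    ['alice', 'php'],               // extension not on the allowlist: null
    ["x\n", 'gif'],                 // too short once filtered: null
];
foreach ($samples as [$user, $ext]) {
    var_dump(build_stored_filename($user, $ext));
}
```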