br0ken Posted March 10, 2009
I'm forced to take in a string such as 'customers' or 'orders' and use that as part of a file name. Here is some sample code:

$str = $_GET['q']; // q = customers
$fname = $path.$str.".txt";

What ways can I make this method secure?
MadnessRed Posted March 10, 2009
Well, firstly I would addslashes(). I would also filter out only the chars you want. I will post a code in a sec.
rhodesa Posted March 10, 2009
You say 'such as'... does that mean there is a list? I would just make an array of possible values and use in_array() to make sure it's in there. Or, use regex to make sure it's something good:

if(!preg_match('/^\w+$/',$_GET['q'])) die("That is not valid");
br0ken (Author) Posted March 10, 2009
Unfortunately the value could be anything as the user creates custom files. My thoughts were to use urldecode(), realpath() and then basename(). Once this has been done, I would use file_exists() to check whether the file exists. Would this be a good solution?
rhodesa Posted March 10, 2009
You don't need urldecode(), as anything that comes into $_GET is already decoded by PHP. The easiest thing (in my opinion) is to just replace any unwanted characters with an underscore. So, usually I do this:

$q = preg_replace('/[^\w]/','_',$_GET['q']);
$fname = $path.$q.".txt";
br0ken (Author) Posted March 10, 2009
And what unwanted characters will that remove?
rhodesa Posted March 10, 2009
\w is the same as a-zA-Z0-9_ if you are familiar with regex. So basically, if it's not an alphanumeric (letter or number) or an underscore, it will be converted.
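The two ideas in this thread (rhodesa's preg_replace() whitelist and br0ken's realpath()/file_exists() check) work well as layers. The script below is an added example, not code from any of the posters: it sanitizes the request parameter first, then resolves the final path and verifies it still sits inside the data directory, and runs a few constructed inputs through it. $baseDir, the ".txt" suffix and the sample inputs are assumptions for the demo.

```php
<?php
// Added example (not from the thread): build a file name from an untrusted
// request parameter using the two approaches discussed above.
// Assumptions: $baseDir is the only directory the script may read from,
// and every data file ends in ".txt".
declare(strict_types=1);

/**
 * Layer 1 (rhodesa's suggestion): keep only [A-Za-z0-9_], replacing anything
 * else with "_". This removes "/", "\", "." and NUL, so path separators
 * and ".." cannot survive into the file name.
 */
function sanitizeName(string $raw): string
{
    $clean = preg_replace('/[^\w]/', '_', $raw);
    // preg_replace() returns null on a PCRE error; never fall back to $raw.
    if ($clean === null || $clean === '') {
        throw new InvalidArgumentException('empty or invalid name');
    }
    return $clean;
}

/**
 * Layer 2 (br0ken's realpath()/file_exists() idea, as defence in depth):
 * resolve the candidate and confirm it is still inside $baseDir.
 * Returns the resolved path, or null if the file is missing or escapes.
 */
function resolveDataFile(string $baseDir, string $raw): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException("base directory not found: $baseDir");
    }
    $candidate = $base . DIRECTORY_SEPARATOR . sanitizeName($raw) . '.txt';
    $resolved = realpath($candidate); // false when the file does not exist
    if ($resolved === false) {
        return null;
    }
    // Containment check: the resolved path must start with "<base>/".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $resolved;
}

// --- Constructed demo: a temporary directory with two data files ----------
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'filter_demo_' . getmypid();
mkdir($tmp);
file_put_contents($tmp . DIRECTORY_SEPARATOR . 'customers.txt', "alice\n");
file_put_contents($tmp . DIRECTORY_SEPARATOR . 'orders.txt', "order 1\n");

$inputs = [
    'customers',        // normal value
    'orders',           // normal value
    '../../etc/passwd', // becomes "______etc_passwd.txt", which does not exist
    "cust\0omers",      // NUL byte becomes "_", giving "cust_omers.txt"
    'my report',        // space becomes "_", giving "my_report.txt"
];
foreach ($inputs as $q) {
    $shown = addcslashes($q, "\0..\37"); // make control bytes visible
    printf("%-20s => %s\n", $shown, resolveDataFile($tmp, $q) ?? 'rejected / not found');
}

// clean up the demo directory
unlink($tmp . DIRECTORY_SEPARATOR . 'customers.txt');
unlink($tmp . DIRECTORY_SEPARATOR . 'orders.txt');
rmdir($tmp);
```

Two caveats worth knowing: the substitution is lossy, so distinct inputs such as "a.b" and "a_b" map to the same file, which is why the realpath() containment check is kept as a second layer rather than trusting the regex alone; and when the set of valid names is actually known, rhodesa's first suggestion (an array and in_array()) is simpler and stricter than any character filter.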
br0ken (Author) Posted March 10, 2009
OK, thanks for that. I've never managed to master Regex, so I'll look for some tutorials on Google.