[SOLVED] Filtering Input: File names

[br0ken]

I'm forced to take in a string such as 'customers' or 'orders' and use that as part of a file name.

 

Here is some sample code:

 

$str = $_GET['q']; // q = customers
$fname = $path.$q.".txt";

 

What ways can I make this method secure?

[MadnessRed]

well firstly I would addslashes().

 

I would also filter out only the chars you want. i will psot a code in a sec

[rhodesa]

you say 'such as'...does that mean there is a list? i would just make an array of possible values and use in_array() to make sure it's in there

 

or, use regex to make sure it's something good:

if(!preg_match('/^\w+$/',$_GET['q'])) die("That is not valid");

[br0ken]

Unfortunately the value could be anything as the user creates custom files.

 

My thoughts were to use urldecode(), realpath() and then basename().

 

Once this has been done, I would use file_exists() to check whether the file exists.

 

Would this be a good solution?

[rhodesa]

you don't need urldecode(), as anything that comes into $_GET is already decoded by PHP. the easiest thing (in my opinion) is to just replace any unwanted characters with an underscore. so, usually i do this:

 

$q = preg_replace('/[^\w]/','_',$_GET['q']);
$fname = $path.$q.".txt";

[br0ken]

And what unwanted characters will that remove?

[rhodesa]

\w is the same as a-zA-Z0-9_ if you are familiar with regex. so basically if it's not an alphanumeric (letter or number) or an underscore, it will be converted.

[br0ken]

OK, thanks for that.

 

I've never managed to master Regex so I'll look for some tutorials on Google