18 Oct 2009, 10:09pm


Safer php filenames

So you’re storing user files in your PHP app, but you are worried about security (as you should be). Two bad things you might encounter (amongst others): a filename containing “../”, used to overwrite arbitrary files on your server, or a filename containing .php, used to run arbitrary code.

I read this idea, but his method didn’t cut it for me.

Here’s a better one:

// Whitelist pass first, then strip the literal ".php" (dot escaped so it is not a wildcard).
$str = preg_replace(array('/[^A-Za-z0-9_\-.]/', '/\.php/'), '_', $str);

This nukes anything that’s not alphanumeric or one of “-”, “.” and “_”. It also nukes any “.php” sequences.

For this I think a whitelist is better than a blacklist. Should I block anything else out?

Test case:

$str = '../tryToOverWiteMyScriptNow.php';
$str = preg_replace(array('/[^A-Za-z0-9_\-.]/', '/\.php/'), '_', $str);
echo $str; // prints .._tryToOverWiteMyScriptNow_
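An added example that is not part of the original post, extending the regex above into a small function: the dot in the extension pattern is escaped, the extension match is case-insensitive, the client-supplied directory part is dropped, and the “.” and “..” names that the whitelist alone lets through are stripped. The function name safe_filename and the inputs are my own (constructed).

```php
<?php
// Added example, not the original post's code. Whitelist approach:
// keep only [A-Za-z0-9_.-], then clean up what the whitelist alone lets through.
function safe_filename(string $name): string {
    // Drop any directory part the client sent ("../a/b.txt" -> "b.txt").
    $name = basename(str_replace('\\', '/', $name));
    // Whitelist: every other byte becomes "_".
    $name = preg_replace('/[^A-Za-z0-9_.-]/', '_', $name);
    // Neutralise script-like extensions anywhere in the name, case-insensitively
    // (the dot is escaped so only a literal "." matches).
    $name = preg_replace('/\.(php\d*|phtml|phar)/i', '_', $name);
    // "." and ".." survive the whitelist; strip leading dots so the result
    // can never name the current or parent directory (or a hidden file).
    $name = ltrim($name, '.');
    // Never return an empty name.
    return $name === '' ? '_' : $name;
}

// Constructed inputs with the result each should produce.
$cases = [
    '../tryToOverWiteMyScriptNow.php' => 'tryToOverWiteMyScriptNow_',
    'shell.PHP'                       => 'shell_',
    '..'                              => '_',
    'report 2009.pdf'                 => 'report_2009.pdf',
];
foreach ($cases as $in => $want) {
    $got = safe_filename($in);
    printf("%-35s -> %-30s %s\n", $in, $got, $got === $want ? 'ok' : "FAIL (want $want)");
}
```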
