Disallow Spaces in Upload

bbeban

Hi All,

I am begging for help. I have a page that uploads files and my users are including spaces in the filenames, which goofs up the links in the email and is generally not good. I need to add a little bit of script that says if filename has space, show an error (a Javascript alert would be ideal, or a redirect to a new page) and prevent the user from submitting. If no space, everything proceeds as normal. This script also has to ignore spaces in the path, since the users are all on Windows and are often loading from the "Documents and Settings" directory structure. I am using Pure PHP Upload, by the way, and they don't provide this functionality as part of the extension -- which is shocking to me.

Can someone provide me with a code snippet that I can add to my existing code? A million thanks and the gratitude of a stressed-out database department would be yours.

planetsim

You can rename the file

$newName = str_replace(" ","",$FILES['formname']['name']);

bbeban

OK, this could work... do i insert the value $newName into the DB then?

bbeban

Right on, I figured it out. Thanks for the nudge, planetsim! If anyone wants the code to make Pure PHP Upload 2.0 rename files with spaces to underscores, respond to this posting with that request and I will paste the code in.

P.S. I added a Javascript alert to inform the user that if he or she hits submit, the spaces in the filename will be changed to underscores so they can fix it if it's unintentional, or just hit submit and get the name changed. I can post the JS too if you request it, folks.

dalecosp

How about [man]htmlentities[/man]??

bbeban

Already got it using planetsim's suggestion as a jumping-off point, dalecosp, but thanks for responding.

-- B

mcrbids

The problem with planetsim's post is that it's too limited in scope. It accounts for spaces, but what about tabs? New Lines? Underlines? Dashes? Quotes?

There are a lot of characters that can cause problems, not just spaces.

The answer is to define what you will ACCEPT and then reject anything else. This is best done with an expression of some kind. Here's some snippets using preg:

match not (a-z, 0-9, ., _, -)

$match="/[^{.-_A-Za-z0-9]/";}
if (preg_replace($match, '', $in)!=$in)
die ('Invalid characters have been input');

or, if you'd rather "fix it" and continue,

$in=preg_replace($match, '', $in);
.... continue on...

For security purposes, this is one of the best ways to go.