Restriciting chars in file names

Anon

I want to restrict the names of uploaded files to only letters, numbers, hyphens, underscores, and periods. Is there a PHP function that will perform this check?

[deleted]

A simple regexp will do the trick:

if (preg_match("/^{[.\'_-a-zA-Z0-9]+$/",$filename))}
{

filename is ok

}
else
{
#filename is not ok
};

Mind you, that check will not happen untill the file has been uploaded and that's waaaaay too late.

I suggest you accept the file, store the 'uploaded' name somewhere, and use your own 'random' name to save the file, and then start checking the filename.
If the name is ok, rename the uploaded file to the real name. If not, you can ask the uploaded to enter a new name, without having to upload the file again.

Anon

Thanks!

That is exactly what I need. I think that this check will work just fine. An uploaded file is stored in a temp directory until you copy it to its final destination. Just perform the name check before copying the file and that should do the job. Or am I missing something?

toma42

use move_uploaded_file() and apply the regex to the original file name upon moving...like

$newname = regex_here($HTTP_POST_FILES['userfile']['name']);

move_uploaded_file($HTTP_POST_FILES['userfile']['tmp_name'], $newname);

Of course you will need to modify that to take care of directories.

[deleted]

Nope.
The regexp only checks to see if a string meets a certain requirement. it does NOT change the filename.

The normal sequence of events for a file upload is this:

User uploads file
File is saved as a temporary file by PHP
Script moves the uploaded file to it's proper filename, temporary file is deleted.
User is happy.

But in your case the filename may not be valid,
which means that you can't just move the temporary file.
But if you don't move the temporary file, it file will be erased when the script exits.
So, instead of moving the file from temporary to it's proper filename,
you move it to a storage filename. That way, the file is not erased when the script exits, and you can safely ask the uploader for a new and valid filename.
Once you have the new and valid filename, you can move the storage file to it's proper filename.