Insert uploaded files path to db


bkeep

5:35 am on Aug 1, 2009 (gmt 0)

This may be remedial but I have looked around and could not find any definitive answer anywhere.

What is the proper way to protect against poorly named files? I currently have a script where users can upload images. I check to make sure the proper extension is in place, one associated with an image type and verify the max size. I also check and replace spaces and ampersands with dashes or underscores.

I was using a function that would loop through the file array and check if magic quotes was on. Does get_magic_quotes_gpc affect the $_FILES global by adding slashes? I recently found out that on Windows systems the path separator was being stripped, so c:\apache\temp\ became c:apachetemp.

At this point to allow for Windows compatibility I realize I will have to create a different function to check file names but would like a few suggestions.

What are some other things I should be checking for or is that sufficient?

Thanks for any advice
Brandon

eelixduppy

6:40 am on Aug 2, 2009 (gmt 0)

Magic quotes will only escape GET, POST, and Cookie data, so you should be fine with the $_FILES superglobal.

As for naming files, it is usually a common security practice to rename every file uploaded by someone to the server. When I make files I usually add some relevant meta-data to its name and store it in its appropriate place on the server; that way everything is formatted the same way and allows for easier manipulation if need be. If you can find a way like this to name your files, IMO that would be best.
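The rename-on-upload approach eelixduppy describes, as an added example that is not code from either poster. It assumes PHP 7 or later, a form field named "image", and an upload directory that is not served as executable code; the size limit and the image whitelist are assumptions too.

```php
<?php
// Added example (not from the thread): store an uploaded image under a
// server-generated name, keeping only a validated extension. Assumes PHP 7+
// (random_bytes) and that $uploadDir is outside the web root or has script
// execution disabled.

function storeUploadedImage(array $file, string $uploadDir): ?string
{
    // Accept exactly one successful upload, not an array of them.
    if (!isset($file['error']) || is_array($file['error'])) {
        return null;
    }
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    if ($file['size'] > 2 * 1024 * 1024) {   // 2 MB limit (assumption)
        return null;
    }

    // Drop any directory part the client sent, whether it used / or \
    // (basename() on Linux does not treat a backslash as a separator).
    $clientName = basename(str_replace('\\', '/', $file['name']));
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));

    // Whitelist extensions and require the file contents to match them.
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                'png' => 'image/png', 'gif' => 'image/gif'];
    if (!isset($allowed[$ext])) {
        return null;
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== $allowed[$ext]) {
        return null;
    }

    // Never reuse the client's name: generate one the server controls.
    $newName = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $newName;

    // move_uploaded_file() refuses anything that was not a real PHP upload.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    return $newName;   // record this name in the database, not the original
}

// Usage (assumes the form field is called "image"):
// $stored = storeUploadedImage($_FILES['image'], '/var/www/uploads');
```

Because the stored name never contains client input, the original file name can be kept in the database purely as display metadata without affecting the path on disk.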