Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Unique and temporary file names in PHP?

Tags:

php

I need to convert some files to PDF and then attach them to an email. I'm using Pear Mail for the email side of it and that's fine (mostly--still working out some issues) but as part of this I need to create temporary files. Now I could use the tempnam() function but it sounds like it creates a file on the filesystem, which isn't what I want.

I just want a name in the temporary file system (using sys_get_temp_dir()) that won't clash with someone else running the same script of the same user invoking the script more than once.

Suggestions?

like image 987
cletus Avatar asked Jan 20 '09 04:01

cletus

People also ask

How to create unique file name in PHP?

I usually either create a UID using uniqid() function for the filename or create a folder with the name of the username who is uploading the file and leave the original filename. The disadvantage of the first one is that you will have to save the original filename somewhere to show to the user.

What is file temp name in PHP?

Definition and UsageThe tempnam() function creates a temporary file with a unique name in the specified directory. Note: If the specified directory does not exist, tempnam() may generate a file in the system's temporary directory.

What are PHP TMP files?

The tmpfile() function in PHP is an inbuilt function which is used to create a temporary file with a unique name in read-write (w+) mode. The file created using tmpfile() function gets automatically deleted when close using fclose() or when there are no remaining references to the file handle.

Where does PHP store temporary files?

php stores all temporary files, that includes uploaded files, in the temporary files directory as specified in the php. ini. Note that for uploads, those files might be removed as soon as the script the file was uploaded to was terminated (so unless you delay that script, you probably won't see the uploaded file).

2 Answers

I've used uniqid() in the past to generate a unique filename, but not actually create the file.

$filename = uniqid(rand(), true) . '.pdf';

The first parameter can be anything you want, but I used rand() here to make it even a bit more random. Using a set prefix, you could further avoid collisions with other temp files in the system.

$filename = uniqid('MyApp', true) . '.pdf';

From there, you just create the file. If all else fails, put it in a while loop and keep generating it until you get one that works.

while (true) {  $filename = uniqid('MyApp', true) . '.pdf';  if (!file_exists(sys_get_temp_dir() . $filename)) break; }
like image 153
Lusid Avatar answered Oct 12 '22 01:10

Lusid

Seriously, use tempnam(). Yes, this creates the file, but this is a very intentional security measure designed to prevent another process on your system from "stealing" your filename and causing your process to overwrite files you don't want.

I.e., consider this sequence:

  • You generate a random name.
  • You check the file system to make sure it doesn't exist. If it does, repeat the previous step.
  • Another, evil, process creates a file with the same name as a hard link to a file Mr Evil wants you to accidentally overwrite.
  • You open the file, thinking you're creating the file rather than opening an existing one in write mode and you start writing to it.
  • You just overwrote something important.

PHP's tempnam() actually calls the system's mkstemp under the hood (that's for Linux... substitute the "best practice" function for other OSs), which goes through a process like this:

  • Pick a filename
  • Create the file with restrictive permissions, inside a directory that prevents others from removing files it doesn't own (that's what the sticky-bit does on /var/tmp and /tmp)
  • Confirms that the file created still has the restrictive permissions.
  • If any of the above fails, try again with a different name.
  • Returns the filename created.

Now, you can do all of those things yourself, but why, when "the proper function" does everything that's required to create secure temporary files, and that almost always involves creating an empty file for you.

Exceptions:

  • You're creating a temporary file in a directory that only your process can create/delete files in.
  • Create a randomly generated temporary directory, which only your process can create/delete files in.
like image 33
Chris Cogdon Avatar answered Oct 12 '22 01:10

Chris Cogdon
Sign in to Comment

Related questions

How to avoid undefined offset
Magento - Quote/order product item attribute based on user input
jQuery: print_r() display equivalent? [duplicate]
Access PHP var from external javascript file
PHP: get number of decimal digits
Start and stop a timer PHP
Performance of try-catch in php
Slim PHP and GET Parameters
Laravel 5 change public_path()
Check if a class constant exists
What are register_globals in PHP?
How to get All input of POST in Laravel
Can't connect to HTTPS site using cURL. Returns 0 length content instead. What can I do?
How can I store and retrieve images from a MySQL database using PHP?
No PHP for large projects? Why not? [closed]
How do I assert the result is an integer in PHPUnit?
Elegant way to get the count of months between two dates?
Using PHP Replace SPACES in URLS with %20
PHP - remove <img> tag from string
PHPUnit: how do I mock multiple method calls with multiple arguments?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!