Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Which characters should I escape/sanitize for file names?

Tags:

php

I need to sanitize some data which will be used in file names. Some of the data contains spaces and ampersand characters. Is there a function which will escape or sanitize data suitable for using in a file name (or path)? I couldn't find one in the 'Filesystem Function' section of the PHP manual.

So, assuming I have to write my own function, which characters do I need to escape (or change)?

like image 323
Rowan Parker Avatar asked Jun 26 '09 00:06

Rowan Parker


3 Answers

Instead of filtering out characters why not just allow [a-z0-9- !@#$%^()]? It is certainly easier than trying to guess every character that could potentially cause problems.

Your users shouldn't need a file with any other characters anyways, right?

like image 85
Nick Presta Avatar answered Nov 16 '22 03:11

Nick Presta


For Windows:

/ \ : * ? " < > |

For Unix, technically nothing, but in practice the same list as Windows would be sensible.

There's nothing wrong with spaces or ampersands as long as you're prepared to use quotes on command lines when you're manipulating the files.

(BTW, I got that list by trying to rename a file on Windows to something including a colon, and copying from the error message.)

like image 31
RichieHindle Avatar answered Nov 16 '22 02:11

RichieHindle


If you have the opportunity to store the original name in a database I would simply create a file with a random hash (mt_rand()/md5/sha1). The benefit would be that you don't rely on the underlying OS (characters/path length), the value or the length of the user input and additionally it is really hard to guess/forge a file name. Maybe even a base64 encoding is an option.

like image 35
merkuro Avatar answered Nov 16 '22 03:11

merkuro