上传前如何使用php获取安全文件名

Question

I replace the file name with a random string, a hash (md5/sha1),uniqid() or a timestamp or etc .....

Example Using uniqid():

9d24707b98e4ddfae9e321ef4f502241.jpg 

Example wordpress sanitiza file name function:

function sanitize_file_name( $filename ) {
            $filename_raw = $filename;
            $special_chars = array("?", "[", "]", "/", "\\", "=", "<", ">", ":", ";", ",", "'", "\"", "&", "$", "#", "*", "(", ")", "|", "~", "`", "!", "{", "}", chr(0));
            /**
             * Filter the list of characters to remove from a filename.
             *
             * @since 2.8.0
             *
             * @param array  $special_chars Characters to remove.
             * @param string $filename_raw  Filename as it was passed into sanitize_file_name().
             */
            $special_chars = apply_filters( 'sanitize_file_name_chars', $special_chars, $filename_raw );
            $filename = preg_replace( "#\x{00a0}#siu", ' ', $filename );
            $filename = str_replace($special_chars, '', $filename);
            $filename = preg_replace('/[\s-]+/', '-', $filename);
            $filename = trim($filename, '.-_');

            // Split the filename into a base and extension[s]
            $parts = explode('.', $filename);

        // Return if only one extension
            if ( count( $parts ) <= 2 ) {
                    /**
                     * Filter a sanitized filename string.
                     *
                 * @since 2.8.0
                     *
                     * @param string $filename     Sanitized filename.
                * @param string $filename_raw The filename prior to sanitization.
                     */
                    return apply_filters( 'sanitize_file_name', $filename, $filename_raw );
            }

            // Process multiple extensions
            $filename = array_shift($parts);
            $extension = array_pop($parts);
            $mimes = get_allowed_mime_types();

            /*
             * Loop over any intermediate extensions. Postfix them with a trailing underscore
             * if they are a 2 - 5 character long alpha string not in the extension whitelist.
             */
            foreach ( (array) $parts as $part) {
                    $filename .= '.' . $part;

                    if ( preg_match("/^[a-zA-Z]{2,5}\d?$/", $part) ) {
                            $allowed = false;
                            foreach ( $mimes as $ext_preg => $mime_match ) {
                                    $ext_preg = '!^(' . $ext_preg . ')$!i';
                                    if ( preg_match( $ext_preg, $part ) ) {
                                            $allowed = true;
                                            break;
                                    }
                            }
                            if ( !$allowed )
                                    $filename .= '_';
                    }
            }
            $filename .= '.' . $extension;
            /** This filter is documented in wp-includes/formatting.php */
            return apply_filters('sanitize_file_name', $filename, $filename_raw);
    }

my way is secure/safe way Or I need to Sanitize file name with any class/function Or Both Way Combination ?

Answer 1

The best thing to do is to have an on-disk file name that isn't based off any predictable data by the user. You can simply use the ID number of the asset as its metadata in your database. No file name extension. Don't leave it in the web server's document root.