stackoom
  简体   繁体   中英

Check if string is valid filename

 原文  2015-06-27 13:36:51       php/ validation

Question

I have a question. I got a PHP script (PHP 5) which is saving a URL-Parameter $_GET['file'] to the variable $file . Is there now a way to check if this variable is a valid filename (for example: hello.txt and not /../otherdir/secret.txt ). Because without checking the $file variable a hacker would be able to use the /../ to get to my parent folder.

5 answers

solution1
 9 ACCPTED  2015-06-27 13:42:40

You may have a look in php's basename function, it will return with filename, see example below:

$file = '../../abc.txt';
echo basename($file); //output: abc.txt

Note: basename gets you the file name from path string irrespective of file physically exists or not. file_exists function can be used to verify that the file physically exists.

solution2
 4  2020-08-26 03:43:25

POSIX "Fully portable filenames" lists these: AZ az 0-9 . _ -

Use this code to validate the filename against POSIX rules using regex:

  • / - forward slash (if you need to validate a path rather than a filename)
  • \\w - equivalent of [0-9a-zA-Z_]
  • - . - dash dot space 
$filename = '../../test.jpg';
if (preg_match('/^[\/\w\-. ]+$/', $filename)) 
    echo 'VALID FILENAME'; 
else 
    echo 'INVALID FILENAME';

If you want to ensure it has no path (no forwardslash) then change the regex to '/^[\\w\\-. ]+$/' '/^[\\w\\-. ]+$/' .

solution3
 0  2021-05-08 06:57:18

Instead of checking valid characters why not looking for character you don't want . Also filenames are limited to 255 characters:

function valid_filename(string $filename)
{
  if (strlen($filename) > 255) { // no mb_* since we check bytes
    return false;
  }
  $invalidCharacters = '|\'\\?*&<";:>+[]=/';
  if (false !== strpbrk($filename, $invalidCharacters)) {
    return false;
  }
  return true;
}


valid_filename('hello');       // true
valid_filename('hello.php');   // true
valid_filename('foo:bar.php'); // false
valid_filename('foo/bar');     // false

Adapt $invalidCharacters according to your needs/OS.

Source: https://www.cyberciti.biz/faq/linuxunix-rules-for-naming-file-and-directory-names/

solution4
 -1  2015-06-27 13:41:29

Would that work? http://php.net/manual/en/function.file-exists.php Eg, in your case, 

if(file_exists(str_replace("../", "", $file))){
  // valid
} 
else{
  // invalid
}

Files can be in subfolders but not in parent folders.

However, if you're just interested in the filename,

if(file_exists(pathinfo($file, PATHINFO_BASENAME))){
  // valid
}
else{
  // invalid
}

should work.

solution5
 -3  2015-06-27 13:47:14

i will like to combine kamal pal's and Pancake_M0nster's answers to create simple:

if(file_exists(basename($file))){
  // valid
} 
else{
  // invalid
}

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Turn a string into a valid filename in PHP Securely check path and filename is valid with RegEx? Check if string is valid JSON? Check that string is valid date Check if a string is valid PHP code Check a string for a valid directory name how to check if string is valid for uudecode check if filename is like string in php for displaying images Check if php session string is valid and exists How to check if PHP string is valid as a query parameter or not
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM