Posted by Good Man on 05/14/07 18:41

shimmyshack <matt.farey@gmail.com> wrote in
news:1179166417.178718.236160@y80g2000hsf.googlegroups.com:

>> > Though it would likely be much easier if you were to strip out all
>> > characters except alpha, numeric, and the underscore prior to
>> > storage (file and database entry). Perhaps replace spaces with
>> > underscores.
>>
>> I agree. Here's what I use to "clean" the filenames of all uploaded
>> files:
>>
>> function cleanFile ($filename) { //clean up the file name


> the trouble with this kind of blacklist banning is that it allows
> encoding and otherforms of clever attack.
> better to use a whitelist.

How would you use a 'whitelist' in this case? By only allowing filenames
with alphanumeric characters? If that were the case, that would require
forcing your user to rename their files before upload... time-intensive and
annoying...

• Next in forum: Re: Uploading files with an apostrophe in the filename
• Prev in forum: Re: phpbb
• Thread view: Re: Uploading files with an apostrophe in the filename

[Reply to this message]