Re: [PHP] naming a directory after a user-submitted string
On 28-Jan-2004 Joey Manley wrote:
> Here's another question, possibly easier. Possibly even bone-headed.
>
> What kind of checking/filtering/changing do I need to do on a
> user-submitted
> string before I can feel comfortable using it to name a new directory
> in the
> web root on Linux/Apache? Anybody have a quick Regular Expression
> they can
> toss at me? If so, I'd be muchly appreciative. Or is this just a
> Terrible
> Idea That Should Never Be Contemplated?
>

1. Please don't hijack threads.

2. Make everything dodgy into a directory delimiter and get the last bit
   of the path (untested code ahead):

    // cleanup: every non-word character becomes a "/"
    $unsafe = preg_replace('/[^\w]/', '/', $unsafe);

    // get trailing dirname (explode and pop would work also);
    // the prepended "/" covers input that contained no dodgy characters
    $dir = substr(strrchr('/' . $unsafe, "/"), 1);

Regards,
--
Don Read [EMAIL PROTECTED]
-- It's always darkest before the dawn. So if you are going to
   steal the neighbor's newspaper, that's the time to do it.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] naming a directory after a user-submitted string
Mike & Joey, et al --

...and then Mike Migurski said...
%
% >What kind of checking/filtering/changing do I need to do on a
% >user-submitted string before I can feel comfortable using it to name a
...
% >appreciative. Or is this just a Terrible Idea That Should Never Be
% >Contemplated?

In general, I'd say the latter, but I'm a little harsh :-)

%
% A file or directory name in Unix can contain any character, except a

Note, however, that allowing many of these characters will cause you no
end of headaches.

% slash. On mac OS, you also can't use a colon because that was the old mac
% way of delimiting directories. I imagine windows has a similar restriction
% on the backslash. I think it has to be less than 256 characters as well,

Windows has numerous restrictions, both on characters allowed anywhere
and special names.

The only special characters I would allow are '@.' (in case you're naming
after email addresses) and the fairly common '_-' (polite word separators
to help your users) which gives us

    a-z A-Z 0-9 @._-

I don't really see a need for a comma, though that could be included as
well. Anything else is likely to mess you up when trying to handle it
(just try to print a text input box whose value is

    O'Banion said "come"!

or such and have it show up in the browser...).

I'm also the type who will kick back an error rather than trying to
reformat the string, either in order to get rid of bad chars or to make
something unique in the event of a collision. Thus, a simple

    if ( preg_match('/[EMAIL PROTECTED]/',$string) || file_exists($string) )
    { puke() ; }

could work nicely.

HTH & HAND

:-D
--
David T-G
(play) [EMAIL PROTECTED]
(work) [EMAIL PROTECTED]
http://justpickone.org/davidtg/
* There is too much animal courage in society and not sufficient moral
  courage. -- Mary Baker Eddy, "Science and Health"
Shpx gur Pbzzhavpngvbaf Qrprapl Npg!
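
Added example, not part of any poster's message: the reject-rather-than-rewrite approach from the reply above, written out in PHP with its a-z A-Z 0-9 @._- allowlist. The function names, the 255-byte limit and the leading-dot rule are assumptions of this example, not something the thread specifies.

```php
<?php
// Added example; function names, the length limit and the dot rule are assumptions.
const MAX_NAME_BYTES = 255; // NAME_MAX on common Linux filesystems

// Returns null when $name is acceptable as one directory name, else a reason.
function dir_name_problem(string $name): ?string
{
    if ($name === '' || strlen($name) > MAX_NAME_BYTES) {
        return 'empty or too long';
    }
    // Allowlist from the thread: a-z A-Z 0-9 @ . _ -
    // \A and \z anchor the whole string; "$" would also accept a trailing newline.
    if (!preg_match('/\A[A-Za-z0-9@._-]+\z/', $name)) {
        return 'illegal character';
    }
    // "." is allowlisted, so ".", ".." and dotfiles like ".htaccess" need their own rule.
    if ($name[0] === '.') {
        return 'leading dot';
    }
    return null;
}

// Creates $base/$name, rejecting bad input instead of rewriting it.
function create_user_dir(string $base, string $name): string
{
    $problem = dir_name_problem($name);
    if ($problem !== null) {
        throw new InvalidArgumentException("rejected name: $problem");
    }
    $path = rtrim($base, '/') . '/' . $name;
    // mkdir() fails when the path already exists, so its return value is the
    // collision check; a separate file_exists() test leaves a race window.
    if (!@mkdir($path, 0750)) {
        throw new RuntimeException('already exists or cannot be created');
    }
    return $path;
}

// Constructed sample inputs, run against a throwaway base directory.
$base = sys_get_temp_dir() . '/dirname-demo-' . bin2hex(random_bytes(4));
mkdir($base, 0700);
foreach (['joey', 'joey@example.com', '..', '.htaccess', 'a/b', "joey\n", 'joey'] as $in) {
    try {
        $out = create_user_dir($base, $in);
    } catch (Exception $e) {
        $out = $e->getMessage();
    }
    echo json_encode($in, JSON_UNESCAPED_SLASHES), ' -> ', $out, "\n";
}
```

The first two inputs create directories; the rest are rejected, the final `joey` because the directory already exists.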
Re: [PHP] naming a directory after a user-submitted string
>Here's another question, possibly easier. Possibly even bone-headed.
>
>What kind of checking/filtering/changing do I need to do on a
>user-submitted string before I can feel comfortable using it to name a
>new directory in the web root on Linux/Apache? Anybody have a quick
>Regular Expression they can toss at me? If so, I'd be muchly
>appreciative. Or is this just a Terrible Idea That Should Never Be
>Contemplated?

A file or directory name in Unix can contain any character, except a
slash. On mac OS, you also can't use a colon because that was the old mac
way of delimiting directories. I imagine windows has a similar restriction
on the backslash. I think it has to be less than 256 characters as well,
but I may be remembering that incorrectly...

Permissively, you could try:

    // replace "/", ":" and "\" (a literal backslash in the regex needs
    // four backslashes inside a single-quoted PHP string)
    substr(preg_replace('/[\/:\\\\]/', '_', $dirname), 0, 256)

Though you may also want to be strict, and remove all non-word characters,
i.e. letters, digits, slash and underscore:

    substr(preg_replace('/\W/', '_', $dirname), 0, 256)

...that will eliminate special case checks for ".", "..", and ".*".

michal migurski - contact info and pgp key:
sf/ca             http://mike.teczno.com/contact.html
Re: [PHP] naming a directory after a user-submitted string
You have started a new thread by taking an existing posting and replying to
it while you changed the subject.

That is bad, because it breaks threading. Whenever you reply to a message,
your mail client generates a "References:" header that tells all recipients
which posting(s) your posting refers to. A mail client uses this information
to build a threaded view ("tree view") of the postings.

With your posting style you successfully torpedoed this useful feature; your
posting shows up within an existing thread it has nothing to do with.

Always do a fresh post when you want to start a new thread. To achieve this,
click on "New message" instead of "Reply" within your mail client, and enter
the list address as the recipient. You can save the list address in your
address book for convenience.

On Wednesday 28 January 2004 12:00, Joey Manley wrote:
> Thanks for the thoughts on .sit files. I still don't quite know what I'll
> do (maybe I'll just force'em to make .zips -- it's not like it's IMPOSSIBLE
> for a Mac to make .zips).

[snip]
[PHP] naming a directory after a user-submitted string
Thanks for the thoughts on .sit files. I still don't quite know what I'll
do (maybe I'll just force'em to make .zips -- it's not like it's IMPOSSIBLE
for a Mac to make .zips).

Here's another question, possibly easier. Possibly even bone-headed.

What kind of checking/filtering/changing do I need to do on a user-submitted
string before I can feel comfortable using it to name a new directory in the
web root on Linux/Apache? Anybody have a quick Regular Expression they can
toss at me? If so, I'd be muchly appreciative. Or is this just a Terrible
Idea That Should Never Be Contemplated?

Thanks!

Joey
www.moderntales.com