Re: [PHP] naming a directory after a user-submitted string

2004-01-28 Thread Mike Migurski
> Here's another question, possibly easier.  Possibly even bone-headed.
>
> What kind of checking/filtering/changing do I need to do on a
> user-submitted string before I can feel comfortable using it to name a
> new directory in the web root on Linux/Apache?  Anybody have a quick
> Regular Expression they can toss at me?  If so, I'd be muchly
> appreciative.  Or is this just a Terrible Idea That Should Never Be
> Contemplated?

A file or directory name in Unix can contain any character, except a
slash. On Mac OS, you also can't use a colon because that was the old Mac
way of delimiting directories. I imagine Windows has a similar restriction
on the backslash. I think it has to be less than 256 characters as well,
but I may be remembering that incorrectly...

Permissively, you could try:
substr(preg_replace('/[\/:\\\\]/', '_', $dirname), 0, 255)

Though you may also want to be strict, and remove all non-word
characters, i.e. letters, digits, slash and underscore:
substr(preg_replace('/\W/', '_', $dirname), 0, 255)

...that will eliminate special case checks for ., .., and .*.

-
michal migurski- contact info and pgp key:
sf/ca            http://mike.teczno.com/contact.html

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] naming a directory after a user-submitted string

2004-01-28 Thread David T-G
Mike & Joey, et al --

...and then Mike Migurski said...
% 
% What kind of checking/filtering/changing do I need to do on a
% user-submitted string before I can feel comfortable using it to name a
...
% appreciative.  Or is this just a Terrible Idea That Should Never Be
% Contemplated?

In general, I'd say the latter, but I'm a little harsh :-)


% 
% A file or directory name in Unix can contain any character, except a

Note, however, that allowing many of these characters will cause you no
end of headaches.


% slash. On mac OS, you also can't use a colon because that was the old mac
% way of delimiting directories. I imagine windows has a similar restriction
% on the backslash. I think it has to be less than 256 characters as well,

Windows has numerous restrictions, both on characters allowed anywhere
and special names.

The only special characters I would allow are '@.' (in case you're naming
after email addresses) and the fairly common '_-' (polite word separators
to help your users) which gives us

  a-z
  A-Z
  0-9
  @._-

I don't really see a need for a comma, though that could be included as
well.  Anything else is likely to mess you up when trying to handle it
(just try to print a text input box whose value is

  O'Banion said come!

or such and have it show up in the browser...).

I'm also the type who will kick back an error rather than trying to
reformat the string, either in order to get rid of bad chars or to make
something unique in the event of a collision.  Thus, a simple

  if ( preg_match('/[^a-zA-Z0-9@._-]/',$string) || file_exists($string) )
    { puke() ; }

could work nicely.


HTH & HAND

:-D
-- 
David T-G  * There is too much animal courage in 
(play) [EMAIL PROTECTED] * society and not sufficient moral courage.
(work) [EMAIL PROTECTED]  -- Mary Baker Eddy, Science and Health
http://justpickone.org/davidtg/  Shpx gur Pbzzhavpngvbaf Qrprapl Npg!
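
Added example (not part of the original posts): the allowlist and reject-on-error approach from this message written out in PHP, with the `.` and `..` special cases mentioned earlier in the thread handled explicitly. The function names `is_safe_dirname()` and `create_user_dir()` and the scratch base directory are assumptions made for illustration.

```php
<?php
// Added example: allowlist validation for a user-named directory.
// is_safe_dirname(), create_user_dir() and the base path are hypothetical names.

/** Returns true when $name is safe to use as a single path component. */
function is_safe_dirname(string $name): bool
{
    // Only a-z A-Z 0-9 @ . _ -, 1 to 255 bytes (the usual Linux filename limit).
    // \A and \z anchor the whole string; unlike $, \z rejects a trailing newline.
    if (!preg_match('/\A[a-zA-Z0-9@._-]{1,255}\z/', $name)) {
        return false;
    }
    // The allowlist admits '.' and '-', so refuse ".", "..", hidden names such
    // as ".htaccess", and names that shell tools would read as an option.
    if ($name[0] === '.' || $name[0] === '-') {
        return false;
    }
    return true;
}

/** Creates $base/$name; returns its path, or null if rejected or already present. */
function create_user_dir(string $base, string $name): ?string
{
    if (!is_safe_dirname($name)) {
        return null;
    }
    $path = rtrim($base, '/') . '/' . $name;
    // mkdir() fails when the entry already exists, so it doubles as the
    // collision check with no gap between a file_exists() test and the create.
    if (!@mkdir($path, 0750)) {
        return null;
    }
    return $path;
}

// Constructed sample input, run against a scratch directory.
$base = sys_get_temp_dir() . '/userdirs_' . getmypid();
mkdir($base, 0700);
$samples = ['joey', 'joey', 'joey@example.com', '..', '.htaccess',
            '-rf', 'a/b', "O'Banion said come!", "x\n"];
foreach ($samples as $name) {
    $result = create_user_dir($base, $name);
    printf("%-24s %s\n", json_encode($name, JSON_UNESCAPED_SLASHES),
           $result === null ? 'rejected' : 'created');
}
```

Only the first `joey` and `joey@example.com` are created; the second `joey` is refused as a collision and every other sample fails validation.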





Re: [PHP] naming a directory after a user-submitted string

2004-01-28 Thread Don Read

On 28-Jan-2004 Joey Manley wrote:
> Here's another question, possibly easier.  Possibly even bone-headed.
>
> What kind of checking/filtering/changing do I need to do on a
> user-submitted string before I can feel comfortable using it to name a
> new directory in the web root on Linux/Apache?  Anybody have a quick
> Regular Expression they can toss at me?  If so, I'd be muchly
> appreciative.  Or is this just a Terrible Idea That Should Never Be
> Contemplated?

1. Please don't hijack threads.

2. Make everything dodgy into a directory delimiter and get the last bit
of the path (untested code ahead) :

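// cleanup: turn every non-word character into a directory delimiter
$unsafe = preg_replace('/[^\w]/', '/', $unsafe);

// get trailing dirname (explode and pop would work also);
// the leading '/' guarantees strrchr() always finds a delimiter
$dir = substr(strrchr('/' . $unsafe, '/'), 1);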

Regards,
-- 
Don Read   [EMAIL PROTECTED]
-- It's always darkest before the dawn. So if you are going to 
   steal the neighbor's newspaper, that's the time to do it.




[PHP] naming a directory after a user-submitted string

2004-01-27 Thread Joey Manley
Thanks for the thoughts on .sit files.  I still don't quite know what I'll
do (maybe I'll just force'em to make .zips -- it's not like it's IMPOSSIBLE
for a Mac to make .zips).

Here's another question, possibly easier.  Possibly even bone-headed.

What kind of checking/filtering/changing do I need to do on a user-submitted
string before I can feel comfortable using it to name a new directory in the
web root on Linux/Apache?  Anybody have a quick Regular Expression they can
toss at me?  If so, I'd be muchly appreciative.  Or is this just a Terrible
Idea That Should Never Be Contemplated?

Thanks!

Joey
www.moderntales.com




Re: [PHP] naming a directory after a user-submitted string

2004-01-27 Thread Jason Wong
You have started a new thread by taking an existing posting and replying to
it while you changed the subject.

That is bad, because it breaks threading. Whenever you reply to a message,
your mail client generates a References: header that tells all recipients
which posting(s) your posting refers to. A mail client uses this information
to build a threaded view (tree view) of the postings.

With your posting style you successfully torpedoed this useful feature; your
posting shows up within an existing thread it has nothing to do with.

Always do a fresh post when you want to start a new thread. To achieve this,
click on New message instead of Reply within your mail client, and enter
the list address as the recipient. You can save the list address in your
address book for convenience.

On Wednesday 28 January 2004 12:00, Joey Manley wrote:
> Thanks for the thoughts on .sit files.  I still don't quite know what I'll
> do (maybe I'll just force'em to make .zips -- it's not like it's IMPOSSIBLE
> for a Mac to make .zips).

[snip]
