File Helper and Canonicalization issues
#2

mddd
Option 1 : Don't let the user enter the name. Just give the file a logical name, for instance the date and time of creation. Or a random string. Whether this works for you or not depends on what the file is going to be used for.

Option 2 : Use a regular expression and check the name against that. That way you can choose which characters you want to allow. For instance:
Code:
if (!preg_match('/^[a-z0-9\.\-_]+$/i', $filename)) echo 'This file name is incorrect!';
In this example, letters, numbers, dashes and underscores are allowed.

Option 3 : Extract the last part of the name. You could use basename() for that, but that may not be totally secure because the user can enter anything, including things that wouldn't normally be in a file path.

Option 1 is the safest, followed by option 2.
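
An added example (not part of mddd's post and not CodeIgniter's File Helper code) that combines options 1 and 2 with a canonicalization check before the name is used in a path. The function names, the 100-character cap and the use of the system temp directory as the base are assumptions; the pattern is anchored with `\A...\z` because PCRE's `$` also matches before a trailing newline, and names starting with a dot are rejected because the character class alone lets `..` and `.htaccess` through.

```php
<?php
// Added example, not from the original post. Function names are hypothetical.

// Option 2: allow-list check for a bare file name (length cap is arbitrary).
function is_safe_filename(string $name): bool
{
    // \A...\z anchor the whole string; '$' would also match before a final "\n".
    if (!preg_match('/\A[a-z0-9._-]{1,100}\z/i', $name)) {
        return false;
    }
    // Dots are allowed, so reject ".", ".." and dotfiles like ".htaccess".
    return $name[0] !== '.';
}

// Option 1: ignore the user's name and generate one server-side.
function generated_filename(string $extension = 'txt'): string
{
    return date('Ymd-His') . '-' . bin2hex(random_bytes(8)) . '.' . $extension;
}

// Canonicalization check: the resolved path must sit directly in $baseDir.
function resolve_in_dir(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    if ($base === false || !is_safe_filename($name)) {
        return null;
    }
    $target = $base . DIRECTORY_SEPARATOR . $name;
    // An existing entry may be a symlink pointing elsewhere: resolve it.
    if (file_exists($target) || is_link($target)) {
        $real = realpath($target);
        if ($real === false || dirname($real) !== $base) {
            return null;
        }
    }
    return $target;
}

// Constructed sample inputs.
$samples = ['report_2010-07-08.txt', '..', '.htaccess', "notes.txt\n", '../../etc/passwd', 'a/b.txt'];
foreach ($samples as $s) {
    printf("%-26s %s\n", json_encode($s), is_safe_filename($s) ? 'accepted' : 'rejected');
}
echo generated_filename(), "\n";
var_dump(resolve_in_dir(sys_get_temp_dir(), 'report_2010-07-08.txt'));
```

Only the first sample is accepted; the other five are rejected before any filesystem call is made.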




